Slashdot Mirror


Consumer Database Company Hacked

fermion writes "The NYT(FRR) and others are reporting that a hacker has broken into an Acxiom server. Acxiom evidently is "one of the world's largest consumer database companies" and serves most top credit card companies and retail banks. There are a few items that stand out in this case. First, Acxiom had no idea that the breach occurred until the company was contacted by the police. Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility for the break-in other than reporting it to the clients, who then may or may not inform their customers." Acxiom is a Certified Participant in the BBBOnline Privacy Program.

2 of 286 comments

  1. Acxiom vs. the government by jamie · Score: 5, Informative
    Acxiom was the first company listed in Microsoft's November 1998 parade of members of their Online Privacy Alliance. The OPA's goal was to keep the feds away: "The alliance advocates industry self-regulation as the best way to ensure that consumers maintain control of their personal data online."

    Acxiom warned TRUSTe members in late 2002 that "conditions look right for the 'Perfect Storm' of privacy legislation next year." Yeah, scary, the government might insist that customers have some privacy.

    I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.

  2. BBBOnline by Liquorman · Score: 5, Informative
    Below I have posted the complete listing of requirements for approval from the BBBOnline (Better Business Bureau Online) page. Seems like it is pretty easy to meet the requirements as long as you pay the BBB! Also, it does not appear to have much to do with specifics of what a privacy statement should say, just that you simply must have one.

    General Conditions

    The organization's website or service is online. If not yet launched, the organization's website or service is substantially complete and available for evaluation.

    The organization has adopted and implemented an online privacy notice (including an effective date) and posted this notice on the website or online service.

    The organization has paid the application and evaluation fees; completed the BBBOnLine Privacy Business Application and required portions of the BBBOnLine Privacy Assessment Questionnaire. The organization has signed and returned the BBBOnLine Privacy Participation Agreement.

    A specific individual has been charged with the responsibility for implementing and overseeing the privacy notice for the website or online service. If the organization's application for a BBBOnLine privacy seal does not cover all its websites or online services, and all the websites and online services of its corporate affiliates, then it must be clear to web-visitors relying on the display of the seal, which parts of the websites or online services are covered and which parts are not.

    Any organization whose website or online service is directed to children under the age of 13, or who collects personally identifiable information from a particular individual actually known to be under the age of 13, must comply with the substantive requirements of the BBBOnLine children's seal program in addition to the requirements of the general BBBOnLine privacy seal.