Consumer Database Company Hacked
fermion writes "The NYT(FRR) and others are reporting that a hacker has broken into an Acxiom server. Acxiom evidently is "one of the world's largest consumer database companies" and serves most top credit card companies and retail banks. There are a few items that stand out in this case. First, Acxiom had no idea that the breach occurred until the company was contacted by the police. Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility for the break-in other than reporting it to the clients, who then may or may not inform their customers." Acxiom is a Certified Participant in the BBBOnline Privacy Program.
Whenever a company gives you a chance to opt out, take it, no matter what the hassles. This keeps your personal information from getting into databases like this and ensures that even if, as in this case, the information "owner" denies accountability, you still have some protection from recent state and federal legislation.
...
sometimes it's good to use the system
when it rains, it gets real soggy. when it pours, i'm under the tap just _waiting_ for the joy
While it isn't really anyone's fault if a good hacker gets to them (especially on the inside!), this raises a really good legal point. YOU SHOULDN'T DATA MINE UNLESS YOU CAN PROTECT THE DATA!
That company took on a huge responsibility when they started tracking millions of consumers. And they should be held responsible for any damages that occur due to dissemination of private information.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
Since the alleged hack was an 'inside job' by a person who had access to the data, is it news at all? I mean, we heard recently that some Pakistani broke into Passport .Net and could reset passwords at will. That was more dangerous.
Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc. The same can't be said about Hotmail hacks or even Windows hacks.
-
If you keep throwing chairs, one day you'll break windows....
So not a hacker then. Or a cracker either, to keep another section of the crowd happy.
This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad. As such, it's not really a criticism of Acxiom's security policies. It is, however, a criticism of their hiring and monitoring policies.
Cheers,
Ian
The person had legitimate access to the system. I wouldn't call using your legitimate access to then, *GASP*, access that system, a hack.
Just a question about the terminology used in the headline there.
I'm no walking dictionary, but I thought the word "hack" (translated as "crack" for technical folks; I don't even want to open that can of worms) suggested someone somehow getting access to something that they do not legitimately have access to.
--something witty
"Acxiom is a Certified Participant in the BBBOnline Privacy Program." Wow, but the BBB is a totally useless organization. Why do people think they are worth anything? You pay to get their plaque to hang on your wall. They do nothing else....
"Third, the company is taking no responsibility for the break in other than reporting it to the clients, who then may or may not inform their customers."
Sadly, our government doesn't seem to be too... enthusiastic about stopping this type of stuff. Don't get me wrong, I'm a libertarian at heart, I think the government should stay out until absolutely necessary, but this is a case where it's gone too far. I don't trust the consumer enough to protect his own rights.
Anyway, with the current corporate situation, and the examples set by Microsoft et al., IT has grown into an industry with no personal responsibility and very questionable morals.
I can't say this surprises me much.
~Dalcius
Rome wasn't burnt in a day.
"Need-to-know" is a term which doesn't seem to exist in the security policies of these companies.
At some point, at some level, there will be someone (or a group of people) with access to information who would not have a watchman over his shoulder -- how can you be sure you can trust them?
Pre-screening of employees and logging of all transactions is necessary, but sometimes you just can't deny someone access to something if it hinders their work significantly (e.g. the work they were hired for in the first place) and/or puts that work on your plate instead.
I'm not saying that this is good. I'm saying that, too, is real world.
Have EVDO, will travel.
Did they use nmap with a Xmas tree scan, then find a buffer overflow in a service which gave them root? Did they install a trojan that ripped root passwords as it traversed the internal network? Was it a social engineering hack? Did they construct an asm or C exploit? Did they use zombies?
Or maybe they were actually allowed to see the data (DBA, sysadmin, manager) and they just copied it to a CD-ROM.
This gives us real hackers, who spend hours/years poking and prodding systems to get root, a bad name.
A.C
{+_+}
Geez, even the submitters don't RTFA, do they? From the NYT:
The suspect was not an Acxiom employee, but an employee of one of Acxiom's clients (banks, cc companies, etc.). He had access to the server, but he cracked the server to access information from other Acxiom clients as well. So yes, this is a cracked server, which BTW was placed outside the company firewall. I'm no security expert, but doesn't that sound stupid to anybody else?
"No, no, no. Don't tug on that. You never know what it might be attached to."
So you're "amazed" that a database company has employees who have access to their database(s)? How exactly is it that Acxiom should do its job while preventing its employees from ever working with the data? Unless the description of the theft is inaccurate, this has nothing to do with hacking and is merely a misuse of privileges. If the armored car driver steals the contents of the armored car, is it because the car wasn't secure enough?
If you would like to be a leader with a large following...drive slowly down a windy two-lane road
> I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.
Of course you don't refer to a look of surprise; you refer to the calculating look of someone trying to figure out how to avoid responsibility, minimize the financial hit, and continue to forestall privacy legislation in the future.
Sheesh, evil *and* a jerk. -- Jade
I read three versions of the story (courtesy of the Google News link). None of them specified what the job description of the perpetrator was, although I'll infer that because he had "legitimate access" (wording per the SiliconValley.com version of the story) to the servers where the information was kept, he wasn't, say, a janitor. So why the histrionics on the submitter's part about how "such a company would have such lax security as to allow an insider to browse supposedly private data at will"? Dude, the guy had access. I'm a systems administrator; I can read my co-workers' email at will. If I suddenly "went rogue" without warning, not a lot you could do about it, huh? At some level, you just have to trust your employees.
What's funnier is the universal use of the word "hacker" in the various writeups of this incident. The guy had access already. He didn't hack his way into anything. Back when I worked retail, if our credit card receipts didn't add up to what the system thought we should have at the end of the day, we'd have to do a "list print" - we'd go to our little VeriFone CC terminals and have it print a record of every transaction it could remember. It had a 255 transaction memory, if my own memory serves, complete with amount, timestamp, and - wait for it - credit card number. So, if I printed out a list of 255 credit card numbers and went on a buying spree with other people's money, would you say I was a "hacker" then?
You're kidding, right? If you hired me for a DBA job as an administrator, then told me that administrators aren't allowed to look at the database, that would be kind of ridiculous, wouldn't it?
Let's rephrase this scenario.
Say an Air Force pilot goes AWOL and drops a devastating bomb causing lots of harm. Here's what that quote would sound like:
"It amazes me that the Army would have such lax security as to allow a pilot to use such weapons at will."
Does that sound ridiculous to anyone else? DBAs need to do their job. And if this was an inside job it didn't require any actual "hacking", so the title of this story and its delivery are quite misleading.
Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose.
The reaction of the company in this case, not notifying potential targets and not putting safeguards in place, suggests that their attitude is to wait and hope that the problem will go away. However, the biggest security hole (in terms of potential damage) in any system is the possibility of abuse by trusted insiders. This suggests that Acxiom will have this problem again.
Oh, and some kind of link to an article would have been nice.
The Amazing Bread Nipple
We obviously need to push for similar requirements used to secure our medical information.
While some may argue that it will increase the cost of doing business, the leeches who profit from our personal info without our consent don't deserve our sympathy. There are many companies that buy and sell our personal info daily without our consent or knowledge.
Besides, having rules for security related to our personal info will create new jobs as existing systems are modified and business processes are reengineered. Perhaps even more jobs than HIPAA.
Perhaps an even better solution is to require our written consent before any company sells our personal info to another and the consent deemed non-transferable.
I have worked as a short-term contractor at one of the "Big 3" credit agencies, and was responsible for adding code to the Mexico codebase that added credit "scoring" to the list of items tracked. It was a 3-month contract where I, coming in off the street, had basically root access to the worldwide databases of this particular credit agency's customer database. It was necessary for my testing that, after I ran my modifications on a test dataset, I expose my changes to a development mirror of the actual database before checking the code into the build tree.
Thinking about it, there was really no way to deny me access to that database, for without the ability to test against live data, there would be no way to verify that my code would not cause someone else huge headaches if it did not work properly.
My point is this... as long as programmers exist they will HAVE to have access to sensitive customer data. It really comes down to a typical employer-employee trust issue, and this problem has been with us since the development of merchant/consumer transactions. The idea that sensitive data can be protected in this day and age is as silly as thinking State secrets are safe.
never bring a twinkie to a food fight.
Unfortunately it doesn't quite work that way. I work for a world-wide 22-billion dollar per year corp. If you have access to /. logs you'll know which one, but it's a major one, a household name. If you live in the US, EU, or Asia chances are you've done business directly, or indirectly with this company.
I perform data manipulation and reporting for sales and pricing managers. I have full access to about 80% of all databases (there are a few databases that have data we have licensed from other companies, but all data my company owns I have access to). If I didn't have full access to the data I couldn't do my job.
It would not be a difficult thing to dump every bit of data I have access to into a portable format and walk out with it, except for the fact that it would be several terabytes worth of data. I have the technical skill, and I have the access.
At some point, companies must simply trust their employees. If that trust is misplaced, something like this (story) happens. Technological security measures cannot prevent an incident like this.
You remember the old Twilight Zone episode with Dick York where he gets telepathy and "hears" the old guy thinking about robbing the bank? That's reality, people. Some Joe does have access to all your money, all of your personal information. The fat guy that mumbles is the one that burns down the building. Why? Because Lambert took his Swingline stapler. That's why you have to go through an FBI check to get a job with any semi-major corp.
The problem of insider cracking is the most difficult to deal with, because it's simply a matter of trust.
Credit Card information? That's nothing....
I work in Benefits Delivery, and odds are if you work for a Fortune 100, I have access to every bit of your retirement income data. The depth and breadth of the personal information we store is staggering. The number of people with unfettered and untraceable access to that information is disturbing. The fact that we will begin outsourcing many of our operations to India in a few months is downright frightening.
At any point, someone who has been with the company for only a few days would be able to change your 401(k) investment elections, transfer your retirement savings money between funds, set up an unauthorized beneficiary for you... all without the possibility of being traced.
Even assuming that all of our employees are honest, the possibility for errors is enough to make you want to start storing all of your savings under your mattress in a sock! Without going into too much detail, last week one of our client teams accidentally wiped out all of the balances for the entire population in their production database. That was 10,000 people who suddenly lost their retirement incomes! How was it fixed? They used a week-old backup and guessed about what the updated amounts should have been.
Of course, there is nothing that you can do about any of this but keep a vigilant watch on your retirement accounts. There is no "opt-out" option. In many cases, you won't even know that we are managing your benefits.
This is the world we live in. There is no privacy any more and nothing is ever truly secure.
People carry their wallets in their back pockets. People leave windows unlocked. People trust their neighbors. People think their data is secure.
A good thief/crook/whatever is someone who exploits this feeling of security, not breaking into a secure system.
This guy just screwed up and got caught. I bet this happens a lot more than we think, thanks to our sense of security.
First rule of database administration...
THE ADMINISTRATOR DOES NOT EVER, FOR ANY REASON, TOUCH THE DATA.
Second rule?
The people inputting the data cannot query the data.
Third rule?
The people who query the data, cannot modify the queries.
The second and third are not nearly as important as the first. If you work in a company that violates the first rule, you should immediately walk into the office of your CEO and demand he commit seppuku.
I keep seeing posts from the clueless whining about, "Well of course they had access!" True, someone ultimately has to have some type of access to the data. However, the access should be restricted far beyond the idea of, "Oh, the DBA can just pull up whatever he wants."
Sheesh. Now I know why I can't get a job, and companies who are laying you people off are checking out India and Russia.
I'd be fucking sour on US 'techs', too.
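The "need-to-know" and transaction-logging comment earlier in the thread and the three rules just above describe the same control: separation of duties enforced by the database itself rather than by trust. The following is an added example, not code from the thread or from Acxiom, showing how those rules map onto PostgreSQL roles. Every name (the roles, the `consumer` schema, the `accounts` table and its columns) is constructed for illustration; the script assumes PostgreSQL 11 or later and is run once by a superuser during setup, after which none of the day-to-day roles is a superuser.

```sql
-- Added example (not from the thread): PostgreSQL role separation implementing
-- "the administrator never touches the data", "input cannot query", and
-- "query cannot modify the queries", plus a write-audit trail.
-- All role, schema, table and column names are constructed.

CREATE ROLE data_owner  NOLOGIN;  -- owns every object; nobody logs in as it
CREATE ROLE dba         LOGIN;    -- operations role: may create objects, holds no row access
CREATE ROLE entry_clerk LOGIN;    -- enters records, cannot read them back
CREATE ROLE analyst     LOGIN;    -- reads one pre-approved, masked view only

CREATE SCHEMA consumer AUTHORIZATION data_owner;

SET ROLE data_owner;
CREATE TABLE consumer.accounts (
    id          bigserial   PRIMARY KEY,
    name        text        NOT NULL,
    card_number text        NOT NULL,
    entered_by  text        NOT NULL DEFAULT session_user,
    entered_at  timestamptz NOT NULL DEFAULT now()
);

-- Every INSERT/UPDATE/DELETE is recorded with the login that performed it, so a
-- change by a clerk (or by anyone acting as data_owner) is traceable afterwards.
CREATE TABLE consumer.accounts_audit (
    audit_id   bigserial   PRIMARY KEY,
    action     text        NOT NULL,           -- TG_OP: INSERT, UPDATE or DELETE
    account_id bigint,
    actor      text        NOT NULL DEFAULT session_user,  -- the real login, not the definer
    at         timestamptz NOT NULL DEFAULT now()
);

-- SECURITY DEFINER lets the trigger write the audit row even though entry_clerk
-- has no privilege on accounts_audit; session_user above still names the clerk.
CREATE FUNCTION consumer.log_account_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO consumer.accounts_audit (action, account_id)
    VALUES (TG_OP, COALESCE(NEW.id, OLD.id));
    RETURN NULL;  -- result is ignored for AFTER triggers
END;
$$;

CREATE TRIGGER accounts_audit
AFTER INSERT OR UPDATE OR DELETE ON consumer.accounts
FOR EACH ROW EXECUTE FUNCTION consumer.log_account_change();

-- The only query analysts may run: a fixed view that never exposes the full card number.
CREATE VIEW consumer.accounts_masked AS
    SELECT id, name, '****' || right(card_number, 4) AS card_last4, entered_at
    FROM consumer.accounts;
RESET ROLE;

-- Rule 1: the administrator never touches the data.
-- dba may create objects in the schema but is granted nothing on consumer.accounts,
-- so SELECT, INSERT, UPDATE and DELETE on it all fail with "permission denied".
GRANT USAGE, CREATE ON SCHEMA consumer TO dba;

-- Rule 2: the people inputting the data cannot query the data.
-- Column-level INSERT only; no SELECT at all, so the clerk cannot read rows back.
GRANT USAGE ON SCHEMA consumer TO entry_clerk;
GRANT INSERT (name, card_number) ON consumer.accounts TO entry_clerk;
GRANT USAGE ON SEQUENCE consumer.accounts_id_seq TO entry_clerk;

-- Rule 3: the people who query the data cannot modify the queries.
-- analyst can read the view and nothing else: with no privilege on the base
-- table and no CREATE on the schema it can neither write ad-hoc queries against
-- raw card numbers nor redefine the view it is allowed to use.
GRANT USAGE ON SCHEMA consumer TO analyst;
GRANT SELECT ON consumer.accounts_masked TO analyst;
```

Two caveats matter in practice. A superuser bypasses every GRANT, so `dba` must never be one; where a backup operator genuinely needs to read tables, give that through a separate, logged role (PostgreSQL 14 and later provide `pg_read_all_data` for exactly this) rather than widening `dba`. And triggers only see writes: recording who ran which SELECT, the "logging of all transactions" the earlier comment asks for, needs server-side statement logging (`log_statement`) or the `pgaudit` extension, neither of which is shown here.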
Since when does that matter?
You can have a pissing contest all damn day if you want to - no OS is infallible. It doesn't matter if you wrote the OS yourself - if nobody took the time to do basic security on it - not to mention physical security, it's immaterial.
Until security is taken seriously, this will happen regularly. The difference is - we heard about this one.
And Bill; so what? Small fish like your clients aren't attractive enough targets, THAT'S why you haven't been 'hacked'.
There are plenty of laws governing these issues - and your main issue when using cash is making sure you get (and hold onto) your receipts!
Sure there are laws. But do you want to waste your time trying to get your cash back, or would you rather tell your bank/credit card company/whoever that the service/merchandise/whatever wasn't provided, have them refund you your money quickly and easily, and then let them go about squeezing blood from the stone?
Personally, I know which one I'd choose. I'll take the one that gets me my money back with a minimum of effort and time on my part, thank you very much.
It stated right in the policy that these issues were strictly between the purchaser and the merchant!
A good reason to not use American Express frankly. Because the traditional AmEx isn't a credit card. I don't recall the terminology for it, but basically AmEx doesn't give you a credit limit, percentage rate, etc. because you MUST pay the money back at the end of the cycle. The newer AmEx cards (like AmEx Blue) are traditional credit cards, but the older ones are not. As such they're not governed by the same rules that Mastercard, Visa, Discover, etc. are and don't have to offer the protections that credit cards do. Just because it's plastic doesn't mean it's a credit card. Remember that when you pull out the debit card too.
Oh, and what's the issue with the debit cards (no, you didn't ask this, but I suspect some people are)? Simple -- they're directly tied to your bank account. If a fraudulent charge is made on your card it can wipe out your entire bank account. Sure, they now have the same protections that credit cards have (as long as the Visa or MC logo is on them -- if they don't have the logo, refuse to accept one of these cards from your bank!), but there's a twist. The bank is allowed up to 30 days to investigate your dispute. If they wiped out your entire checking account, can you go 30 days without that money? What about if you had checks outstanding? Guess who's liable when those checks bounce? Not the bank. Some banks are starting to rectify this, but you're still better off using a real credit card -- as long as you pay off the balance in full every month.