Slashdot Mirror

← Back to Stories (view on slashdot.org)

Consumer Database Company Hacked

Posted by michael on from the new-SSNs-for-everyone dept.

fermion writes "The NYT(FRR) and others are reporting that a hacker has broken into a Acxiom server. Acxiom evidently is "one of the world's largest consumer database companies" and serves most top credit card companies and retail banks. There are a few items that stand out in this case. First, Acxiom had no idea that the breach occurred until the company was contacted by the police. Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility for the break in other than reporting it to the clients, who then may or may not inform their customers." Acxiom is a Certified Participant in the BBBOnline Privacy Program.

14 of 286 comments (clear)

  1. make sure you Opt Out by dlasley · · Score: 5, Insightful

    whenever a company gives you a chance to Opt Out, take it, no matter what the hassles. this keeps your personal information from getting into databases like this and ensures that even if - as in this case - the information "owner" denies accountability, you still have some protection from recent state and federal legislation.

    sometimes it's good to use the system ...

    --
    when it rains, it gets real soggy. when it pours, i'm under the tap just _waiting_ for the joy
    1. Re:make sure you Opt Out by KillerHamster · · Score: 4, Insightful

      Of course you have no way of knowing whether "opting out" actually removes you from any database. Maybe they just set DO_NOT_CONTACT=1 and keep your data anyway. I guess it could offer legal protection though, and is a good idea.

  2. Legal responsibility by Doesn't_Comment_Code · · Score: 5, Insightful

    While it isn't really anyones fault if a good hacker gets to them (especially on the inside!) This raises a really good legal point. YOU SHOULDN'T DATA MINE UNLESS YOU CAN PROTECT THE DATA!

    That company took on a huge responsibility when they started tracking millions of consumers. And they should be held responsible for any damages that occur do to dissemination of private information.

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    1. Re:Legal responsibility by B'Trey · · Score: 4, Insightful

      Yes and no. If you have my data, it's your responsibility to keep it protected. That being said, no system is foolproof. Particularly, it's impossible to completely protect data from insiders - people who have legitimate access to the data but choose to abuse that access.

      The impossibility of absolute protection, however, doesn't relieve the company from responsibility. The company is responsible for taking all reasonable measures to protect my data. If they do not do so, they are (or at least should be) criminally negligent. If they do take reasonable precautions and a violation occurs anyway, they're at least responsible for notifying me that my information has been comprimised, identifying the vulnerability that led to the violation, and taking steps to ensure that it doesn't happen again.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    2. Re:Legal responsibility by Dalcius · · Score: 4, Insightful

      A few words that might mean something:

      1) Logging
      2) Audit
      3) Priviledges
      4) Accountability
      5) Background-check

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    3. Re:Legal responsibility by PylonHead · · Score: 4, Insightful

      While your comment has a lot of merit, it is not really a response to the parent.

      It is as silly to call this hacking as it would be to call a bank manager's embezzlement, "safecracking".

      --
      # (/.);;
      - : float -> float -> float =
  3. Is this really newsworthy?? by jkrise · · Score: 4, Insightful

    Since the alleged hack was an 'inside job' by a person who had access to the data, is it news at all? I mean, we heard recently that some Pakistani broke into Passport .Net and could reset passwords at will. That was more dangerous.

    Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc. The same can't be said about Hotmail hacks or even Windows hacks.

    -

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re: Is this really newsworthy?? by Black+Parrot · · Score: 4, Insightful


      > Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc.

      If the cardholders are indemnified it just means the cost of the theft is passed back to the card company, the vendors, or their insurers. Who will of course ultimately pass the costs back to the customers.

      There's a lot of PR convenience for "losing" thefts this way, and spreading the costs out thinly. But the cost is still there, and it's real.

      --
      Sheesh, evil *and* a jerk. -- Jade
  4. Contradictory by mccalli · · Score: 5, Insightful
    ...a hacker has broken into a Acxiom server....The suspect, now in police custody, was an employee with legitimate access to the information.

    So not a hacker then. Or a cracker either, to keep another section of the crowd happy.

    This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad. As such, it's not really a criticism of Axiom's security policies . It is, however, a criticism of their hiring and monitoring policies.

    Cheers,
    Ian

  5. RTFA! by sessamoid · · Score: 4, Insightful
    From the story submission:

    The suspect, now in police custody, was an employee with legitimate access to the information.

    Geez, even the submitters don't RTFA, do they? From the NYT:

    Barrett said the individual in police custody is a former employee of one of Acxiom's clients and that the information was stolen while the person had legitimate access to Acxiom servers.

    The suspect was not an Acxiom employee, but an employee of one of Acxiom's clients (banks, cc companies, etc.). He had access to the server, but he cracked the server to access information from other Acxiom clients as well. So yes, this is a cracked server, which BTW was placed outside the company firewall. I'm no security expert, but doesn't that sound stupid to anybody else?

    --
    "No, no, no. Don't tug on that. You never know what it might be attached to."
  6. Re: Acxiom vs. the government by Black+Parrot · · Score: 4, Insightful


    > I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.

    Of course you don't refer to a look of surprise; you refer to the calculating look of someone trying to figure out how to avoid responsibility, minimize the financial hit, and continue to forestall privacy legislation in the future.

    --
    Sheesh, evil *and* a jerk. -- Jade
  7. A silly writeup for a silly story by sammy+baby · · Score: 5, Insightful

    I read three versions of the story (courtesy of the Google News link). None of them specified what the job description of the perpetrator was, although I'll infer that because he had "legitimate access" (wording per the SilconValley.com verison of the story) to the servers where the information was kept, he wasn't, say, a janitor. So why the histrionics on the submitter's part about how "such a company would have such lax security as to allow an insider to browse supposedly private data at will." Dude, the guy had access. I'm a systems administrator, I can read my co-workers' email at will. If I suddenly "went rogue" without warning, not a lot you could do about it, huh? At some level, you just have to trust your employees.

    What's funnier is the universal use of the word "hacker" in the various writeups of this incident. The guy had access already. He didn't hack his way into anything. Back when I worked retail, if our credit card receipts didn't add up to what the system thought we should have at the end of the day, we'd have to do a "list print" - we'd go to our little VeriFone CC terminals and have it print a record of every transaction it could remember. It had a 255 transaction memory, if my own memory serves, complete with amount, timestamp, and - wait for it - credit card number. So, if I printed out a list of 255 credit card numbers and went on a buying spree with other people's money, would you say I was a "hacker" then?

  8. There is no privacy, so just be vigilant by stull13 · · Score: 5, Insightful

    Credit Card information? That's nothing....

    I work in Benefits Delivery, and odds are if you work for a Fortune 100, I have access to every bit of your retirement income data. The depth and breadth of the personal information we store is staggering. The number of people with unfettered and untraceable access to that information is disturbing. The fact that we will begin outsourcing many of our operations to India in a few months is downright frightening.

    At any point, someone who has been with the company for only a few days would be able to change your 401(k)investment elections, transfer your retirement savings money between funds, set up an unauthorized beneficiary for you... all without the possibility of being traced.

    Even assuming that all of our employees are honest, the possibility for errors is enough to make you want to start storing all of your savings under your mattress in a sock! Without going into too much detail, last week one of our client teams accidently wiped out all of the balances for the entire population in their production database. That was 10,000 people who suddenly lost their retirement incomes! How was it fixed? They used a week old backup and guessed about what the updated amounts should have been.

    Of course, there is nothing that you can do about any of this but keep a vigilant watch on your retirement accounts. There is no "opt-out" option. In many cases, you wont even know that we are managing your benefits.

    This is the world we live in. There is no privacy any more and nothing is ever truly secure.

  9. Easily amazed. By Slashdot. by Anonymous Coward · · Score: 5, Insightful

    First rule of database administration..

    THE ADMINISTRATOR DOES NOT EVER, FOR ANY REASON, TOUCH THE DATA.

    Second rule?

    The people inputting the data cannot query the data.

    Third rule?

    The people who query the data, cannot modify the queries.

    The second and third are not nearly as important as the first. If you work in a company that violates the first rule, you should immediately walk into the office of your CEO and demand he commit seppuku.

    I keep seeing posts from the clueless whining about, "Well of course they had access!" True, someone ultimately has to have some type of access to the data. However, the access should be restricted far beyond the idea of, "Oh, the DBA can just pull up whatever he wants."

    Sheesh. Now I know why I can't get a job, and companies who are laying you people off are checking out India and Russia.

    I'd be fucking sour on US 'techs', too.