Slashdot Mirror


Consumer Database Company Hacked

fermion writes "The NYT (FRR) and others are reporting that a hacker has broken into an Acxiom server. Acxiom evidently is "one of the world's largest consumer database companies" and serves most top credit card companies and retail banks. There are a few items that stand out in this case. First, Acxiom had no idea that the breach occurred until the company was contacted by the police. Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility for the break-in other than reporting it to the clients, who then may or may not inform their customers." Acxiom is a Certified Participant in the BBBOnline Privacy Program.

19 of 286 comments

  1. You're amazed by this? by James A. A. Joyce · Score: 5, Interesting

    "The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will."

    This is, unfortunately, the real world. Lax security such as this is the norm. "Need-to-know" is a term which doesn't seem to exist in the security policies of these companies. Insider information will always be leaked by someone out of curiosity or some malicious impulse. They're lucky they were able to find out who it was! At least maybe now they're more likely to improve their security and get it up to scratch. (But probably not.)

  2. Insiders by Hayzeus · Score: 4, Interesting

    At least as of a couple of years ago, INTERNAL security threats were really the major issue for most companies. Despite the fact that insider breaches probably tend to get less press, I bet this is still the case, although I don't know for sure. Anyone?

  3. What about Calif. law requiring disclosure? by mstockman · Score: 3, Interesting

    Anybody know how the recent California law requiring companies to disclose when their data is compromised would apply to this case? If the primary victim in this case notifies its clients (call them secondary victims), are they then required (if they do biz in California) to notify the tertiary victims (their customers)?

    Just wondering how all of this may play out...

  4. Not so worried by Anonymous Coward · Score: 1, Interesting

    One of my first jobs was running some hot laser printers for a junk mailer. I believe we used lists from Acxiom. The most damage you could do with one of these lists would be to shill for Publishers Clearing House. No identity theft with this list. When you would check the test pages you would often find names that were clearly misspelled or total garbage. Wake me when it's a credit card/banking database.

  5. Re:make sure you Opt Out by pliny3 · Score: 2, Interesting

    Sometimes it's good to use the system...

    Even better, is there a way I can flood the system with fake data? Multiple DOBs and mother's maiden names associated with my SSN?

  6. Tsk tsk tsk by Seth Finklestein · Score: 0, Interesting

    Five years ago, I was called in to do consulting for this company, Acxiom. The company's database server was running what was essentially a glossy front-end to Microsoft Access. I explained to them that an open-source database would improve their system's security, functionality, and reliability.

    Their response was the most shocking thing I have heard in 20 years as a computer user.

    "Does it run in Windows?"

    Of course it doesn't run on Windows!! Windows is a mine-field of security through obscurity. Because nobody -- not even a Microsoft engineer -- can do a thorough inspection of the source code, that means that 568 vulnerabilities have been discovered in the five years since I flipped off Mr. Neil Haiman, Acxiom's chief of security. By comparison, Linux has had fewer than 40 vulnerabilities, all of which could have been fixed by upgrading to the newest packages. A quality distribution like Debian will upgrade all your software automatically.

    Did Acxiom do that? No, of course not. They stuck with MICRO$OFT WINBLOWS, and now they're paying for it.

    Rot in hell, you SCO-loving bastards.

    --
    I'm not Seth Finkelstein. I still speak the truth.
  7. Why should this surprise you? by sjbe · Score: 2, Interesting

    It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will.

    And why should this "amaze" you? At some level in any company there needs to be people who can do this. Your human resources department has a ton of information about you that they can pretty much look at whenever they want. Medical professionals are the same way. If you are an interesting case, do you honestly believe doctors/nurses will not talk about you? You are naive if you think that, despite laws (HIPAA) prohibiting such behavior.

    You need to be able to trust these people and while there does need to be security and surveillance of people with access to sensitive information, you can't keep them completely away from it. This is especially true in a company (or government agency) whose business is based upon such information. It's also nearly impossible to prevent a knowledgeable insider from getting access to sensitive information, so I'm double confused why this should be surprising.

    While it is unfortunate that it happened, the fact that it happened should "amaze" no one. Give enough people a chance to make money by breaking the law and guess what? Some of them will.

    Nothing to see here. Move along...

  8. It's scary how common lax security is internally. by Blacklotuz · Score: 2, Interesting

    I used to work for a consulting group who managed websites for several big-name companies, all of which took online orders. Part of my job was to code pages that analyzed the databases and presented an overview of sales statistics. I recall being surprised at the thousands of credit card numbers listed in the database and how easily I could have taken them. There was no password protection except for the general login/password used for ALL our databases, which most employees knew. Luckily I'm an ethical person, but it would have been exceedingly simple for anyone in the company to access the servers and take down credit card numbers, expiration dates, names, addresses, and other personal information. It's really scary when you think about it...

  9. Oh, THAT Acxiom... by BRSQUIRRL · Score: 2, Interesting

    I know several developers there...I almost worked there myself actually. I've heard them mention on several occasions that they develop against production "real world" data simply because there is no test database large enough to test scaling and performance. I remember asking them if they could actually get consumer information on ME and they didn't act like it would be too difficult. Scary...

  10. I have access to such sensitive data by aepervius · Score: 2, Interesting

    My job is such that I have access to all info on a credit card (name of the person, date of expiration and full number), and even worse, since the demand of the US government (CAPS) on airlines I have access to people's visas and passports. Would it be possible to protect that data against me? No way. I can access the data at all levels, and since I am the programmer, even if it is encrypted I can still access it by putting in a nicely placed trap. Would I do it? No way, I am honest. Is it possible for me to do it? Yes.

    You cannot protect yourself against all your employees, because at one point or another you have to have some trust (at least at billing time). So IMO this is no news here, and I would barely call that hacking. Rather insider stealing.

    --
    C. Sagan: The Demon-Haunted World:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org

  11. Re:make sure you Opt Out by baka_boy · Score: 4, Interesting

    Nice sentiment, but painfully naive -- there is no such thing as an 'opt-out' anymore. Every bit of personal information that private or public interests can gather on you is fair game, and the market for such information will probably only grow as interactive media increasingly replace broadcast channels over the next few decades.

    Personally, I wouldn't mind it so much if the reverse was also true, and those interests scanning your personal history for commercial or criminal trends were also subject to the same level of transparency.

  12. Re:Legal responsibility by minus9 · Score: 4, Interesting

    Somebody inside the organisation has to have access to the data, otherwise why bother storing it.

    Can I interest you in a write only drive array?

    It seems any crime perpetrated within 500 yards of a computer is now termed "hacking".

  13. Uh-huh... coincidence? by jpellino · Score: 2, Interesting

    Just spent the hours since waking with my bank, a fresh load of unauthorized cc activity as of this morning. It's a big bank, and it's brand new crapola, and I use the card only with reputable vendors. Joy. Not compromised my ass.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."

  14. Re:Person with permission to access = Hacked? by Tsu Dho Nimh · Score: 2, Interesting

    He used legitimate access to HIS files to access files belonging to other Acxiom clients, on a server multiple clients used to upload data (the staging area to leave files to be pulled through the firewall by Acxiom). The news report says he cracked the other clients' passwords.

    What were they thinking when they set up that server? No client should be able to see any other client - it should look like they have the server to themselves.
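The per-client isolation this comment asks for can be checked mechanically. The script below is an added example, not Acxiom's code or the poster's: it audits a shared upload staging area and reports any directory or file whose Unix mode bits let another client's account list or read it. The layout (one subdirectory per client under a common root) and the client names 'acme' and 'globex' are assumptions constructed for illustration.

```python
"""Audit a shared client staging area for cross-tenant exposure.

Added example, not Acxiom's code: it models the shared upload server
described above and flags every directory or file whose Unix mode bits
let another client's account list or read it. One subdirectory per
client under a common root is an assumption made for illustration.
"""
import os
import stat
import tempfile

# Any bit for group or other means an account other than the owning
# client (same group, or simply "everyone") can get in.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_staging(root):
    """Return (path, problem) tuples for everything under root that an
    account other than the owning client could traverse or read."""
    findings = []
    # The root must be traversable so clients reach their own directory,
    # but if it is listable every client can enumerate the others.
    if stat.S_IMODE(os.stat(root).st_mode) & (stat.S_IRGRP | stat.S_IROTH):
        findings.append((root, "staging root is listable by other accounts"))
    for client in sorted(os.listdir(root)):
        client_dir = os.path.join(root, client)
        if not os.path.isdir(client_dir):
            findings.append((client_dir, "stray file in the staging root"))
            continue
        for dirpath, _subdirs, filenames in os.walk(client_dir):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                if mode & GROUP_OTHER_BITS:
                    findings.append((path, "mode %03o grants access to other accounts" % mode))
    return findings


def demo():
    """Audit a constructed two-client tree: 'acme' is locked down
    (0o700/0o600) while 'globex' leaks its upload (0o755/0o644)."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o711)  # traversable, not listable
    for client, dir_mode, file_mode in (("acme", 0o700, 0o600), ("globex", 0o755, 0o644)):
        client_dir = os.path.join(root, client)
        os.mkdir(client_dir)
        upload = os.path.join(client_dir, "upload.csv")
        with open(upload, "w") as fh:
            fh.write("constructed,sample,record\n")
        os.chmod(upload, file_mode)
        os.chmod(client_dir, dir_mode)
    return audit_staging(root)


if __name__ == "__main__":
    for path, problem in demo():
        print("%s: %s" % (path, problem))
```

Mode bits are only the first layer; a client whose password can be cracked still gets at its own directory, so the audit is about keeping one compromised account from reaching anyone else's files.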

  15. Re: Is this really newsworthy?? by that _evil _gleek · Score: 2, Interesting

    The fact they're calling him a hacker instead of just a thief is.
    The news stories that do mention that he was an insider with access to that info bury it in paragraphs 3 or 4. It's not hacking, he had access. If a guy you've given keys to the safe walks out with the payroll, then he's a thief, but there's no breaking and entering.
    I see two factors: media chic, they love to use the word "hacker".
    The company, and companies in general, want to minimize the fact that they were slack, so they use the word hacker to make people think it was the computer equivalent of a cat burglar.

    My guess is that they set up their db in a real slack way, and they ended up giving out more db access to more employees than they should have -- not enough tiers of users.
    Not hacking, because they messed up when they gave him that much access in the first place. The problem with that is, since most people don't really think about anything more than just making sure that they're doing everything that everyone else is doing, other companies won't learn either.

    And you'd be surprised how technical some people can be when it comes to "snooping". People who never seem smart enough about computers to figure something out suddenly have all kinds of extra capacity if their motivation is snooping.

  16. more than just credit cards, too by SolemnDragon · Score: 2, Interesting

    They also deal with a number of other types of account info, including debit cards, in some cases. Banking firms use these giants for all kinds of info collection. Which means that the average citizen out there may find no money in their account one morning and not know it till they get denied at a point-of-service for insufficient funds- AND the recipient may have things like work address, paycheck data, and so on. This is a bad news nightmare, and the biggest problem is that unless the company takes responsibility, it may take a lawsuit to force them to do so when a person loses money. It can take years just to clear bad credit issues; there's little to no recourse in the case of outright theft unless they catch the guy who did it. Hopefully, with that many accounts, he might be dumb enough to use them. If he's not, and simply posts or sells them, they may be flagged in the transaction by someone paying attention.

    What a mess. I wonder what their E&O insurance is going to look like after this little nightmare?

  17. It amazes me too. by Anonymous Coward · Score: 1, Interesting

    It amazes me that people still think computers can be secured at all.

    Computer security is exactly this: You pretend I am an idiot. I pretend I am an idiot. And we both pretend your computer is secure.

    There hasn't been a system yet that hasn't been hacked. I don't mean that can't be hacked. I mean that hasn't been hacked.

    If you want your data secure then turn off your computer; unplug it from the wall; burn it into a molten mess; then irradiate the remains.

    Keyboards can be videotaped, networks can be sniffed, disks can be analyzed, people will be stupid, CPUs emit RF, hell, power LEDs on the front of your computer can be scanned and everything running through your box can be decoded from across the street!

    Don't be amazed that the guy who has access to the disk drives, the operating console, the tape drives, and the patch panels can get at your data.

    Crackers aren't cool. The cool people are the people who walk away from an open candy dish.

  18. I hate to say it but... by erroneus · Score: 2, Interesting

    ...WE NEED MORE LAW.

    In this case, the law should be to regulate how "consumer information" is stored, protected and regulated. The "Fair Credit Reporting Act" does many nice things for the consumer but clearly not enough with the constant threat of misuse of information.

    First of all, I would like to see the use of social security numbers more tightly regulated in the form of requiring a business or individual to have a FEDERAL LICENSE to collect and use such information. We all know the SSNs are the primary key to all of the rest of the information collected on us. The law states that SSNs are only for the purpose of managing your social security account. Not for any other purpose. Law states that no other institution, private or public, can require that you disclose that information for any other purpose. That said, you can and are routinely required to disclose this information else you will be denied credit and/or many other factors of "modern life" in the USA. These abuses can be battled but I do not see a victory against this proliferous abuse.

    But with more controls in place regulating the use of this information and PUNISHING those who do not handle it properly and by revoking a business license to use it and by criminally prosecuting individuals found responsible for illegally collecting this information, we can hope to contain the damage done to privacy in the U.S.

    Identity fraud has been identified by various security agencies in the US as a threat to homeland security as it has been found that profits gained through "identity theft" are in fact funding terrorist organizations. Lax security does not only endanger individual credit or individual identities, but endangers the safety of the entire US public at large.

    We can protect our country by requiring that those who do business by collecting our information do so in a safe way. If a data system is identified as unsafe (for example, an MS Access database) then that business function should be enjoined to halt activity until it can be migrated to a "safe" system that is deemed safe by the public agency that deems the system as being safe for holding this class of data.

    This agency would be the equivalent of the FDA. Who knows what it would be called (there are a lot of creative minds out there who could create a clever acronym for a "Federal Privacy Agency"... so let's hear some ideas) but its function should be to police and regulate the use of private information. It should, however, be barred from collecting private information itself except where it is using such information as a way to conduct investigations.

    Because technology has improved significantly in the past 30 years, I think new law should be in place to protect consumers from identity theft. We need regulation of WHO can legally collect information, HOW it can be used, WHO it can be sold to and how the clients can use it themselves. Within that usage criteria, how it is stored and maintained should be strictly regulated. We have laws that require food vendors store and distribute food, so why not critical and vital information?

  19. Re:Legal responsibility by cayenne8 · Score: 3, Interesting

    Yeah...I used to work at this place years back. It is SCARY what all they have there...at the time I was there..back in like '98, they claimed to have pretty good info on near 98% of the US...and were just starting to gather data on other countries too. They were even working on trying to develop a unique key to identify all people in the US...and could track you through your life..where you lived, salary, and any other stats about you that might be valuable to sell.

    They gather data from all sources...warranty registration cards, state drivers licenses, Change of Address (Postal)...heck, one of my projects involved cutting the binders off phone books, running them through an optical scanner, and parsing and storing in a database. They use algorithms to find the 'correct' data on all individuals possible. They use this to 'clean' other companies' data. They do sell mailing lists...they even clean and manage the data for the credit bureaus. So...no, they do not house trivial data.

    If TIA needed a source for data ready...I'd recommend Acxiom, if someone hasn't already thought of it.

    Was a nice place to work for...but, being a privacy person...it did conflict with what I believe in in many cases.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........