Slashdot Mirror


Consumer Database Company Hacked

fermion writes "The NYT(FRR) and others are reporting that a hacker has broken into an Acxiom server. Acxiom evidently is "one of the world's largest consumer database companies" and serves most top credit card companies and retail banks. There are a few items that stand out in this case. First, Acxiom had no idea that the breach occurred until the company was contacted by the police. Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility for the break-in other than reporting it to the clients, who then may or may not inform their customers." Acxiom is a Certified Participant in the BBBOnline Privacy Program.

6 of 286 comments

  1. You're amazed by this? by James A. A. Joyce · · Score: 5, Interesting

    "The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will."


    This is, unfortunately, the real world. Lax security such as this is the norm. "Need-to-know" is a term which doesn't seem to exist in the security policies of these companies. Insider information will always be leaked by someone out of curiosity or some malicious impulse. They're lucky they were able to find out who it was! At least maybe now they're more likely to improve their security and get it up to scratch. (But probably not.)
  2. Insiders by Hayzeus · · Score: 4, Interesting

    At least as of a couple of years ago, INTERNAL security threats were really the major issue for most companies. Despite the fact that insider breaches probably tend to get less press, I bet this is still the case, although I don't know for sure. Anyone?

  3. What about Calif. law requiring disclosure? by mstockman · · Score: 3, Interesting

    Anybody know how the recent California law requiring companies to disclose when their data is compromised would apply to this case? If the primary victim in this case notifies its clients (call them secondary victims), are they then required (if they do biz in California) to notify the tertiary victims (their customers)?

    Just wondering how all of this may play out...

  4. Re:make sure you Opt Out by baka_boy · · Score: 4, Interesting

    Nice sentiment, but painfully naive -- there is no such thing as an 'opt-out' anymore. Every bit of personal information that private or public interests can gather on you is fair game, and the market for such information will probably only grow as interactive media increasingly replace broadcast channels over the next few decades.

    Personally, I wouldn't mind it so much if the reverse was also true, and those interests scanning your personal history for commercial or criminal trends were also subject to the same level of transparency.

  5. Re:Legal responsibility by minus9 · · Score: 4, Interesting

    Somebody inside the organisation has to have access to the data, otherwise why bother storing it.

    Can I interest you in a write only drive array?

    It seems any crime perpetrated within 500 yards of a computer is now termed "hacking".

  6. Re:Legal responsibility by cayenne8 · · Score: 3, Interesting

    Yeah...I used to work at this place years back. It is SCARY what all they have there...at the time I was there..back in like '98, they claimed to have pretty good info on near 98% of the US...and were just starting to gather data on other countries too. They were even working on trying to develop a unique key to identify all people in the US...and could track you through your life..where you lived, salary, and any other stats about you that might be valuable to sell.

    They gather data from all sources...warranty registration cards, state drivers licenses, Change of Address (Postal)...heck, one of my projects involved cutting the binders off phone books, running them through an optical scanner, and parsing and storing in a database. They use algorithms to find the 'correct' data on all individuals possible. They use this to 'clean' other companies' data. They do sell mailing lists...they even clean and manage the data for the credit bureaus. So...no, they do not house trivial data.

    If TIA needed a source for data ready...I'd recommend Acxiom, if someone hasn't already thought of it.

    Was a nice place to work for..but, being a privacy person...it did conflict with what I believe in in many cases.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........