Consumer Database Company Hacked
fermion writes "The NYT(FRR) and others are reporting that a hacker has broken into an Acxiom server. Acxiom evidently is "one of the world's largest consumer database companies" and serves most top credit card companies and retail banks. There are a few items that stand out in this case. First, Acxiom had no idea that the breach occurred until the company was contacted by the police. Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility for the break-in other than reporting it to the clients, who then may or may not inform their customers." Acxiom is a Certified Participant in the BBBOnline Privacy Program.
This is, unfortunately, the real world. Lax security such as this is the norm. "Need-to-know" is a term which doesn't seem to exist in the security policies of these companies. Insider information will always be leaked by someone out of curiosity or some malicious impulse. They're lucky they were able to find out who it was! At least maybe now they're more likely to improve their security and get it up to scratch. (But probably not.)
Bash script for FP whores
Translation: The names of the directories weren't personal data...The files in the directories? well they had the SSN/DOB/Address etc. So, technically, some of the data was personal and some wasn't.
Whenever a company gives you a chance to opt out, take it, no matter what the hassles. This keeps your personal information from getting into databases like this and ensures that even if - as in this case - the information "owner" denies accountability, you still have some protection from recent state and federal legislation.
...
sometimes it's good to use the system
when it rains, it gets real soggy. when it pours, i'm under the tap just _waiting_ for the joy
At least as of a couple of years ago, INTERNAL security threats were really the major issue for most companies. Despite the fact that insider breaches probably tend to get less press, I bet this is still the case, although I don't know for sure. Anyone?
Roving Web-Teleoperated Robot
I setup AS/400 web solutions for my clients. They are ultimately secure because no hacker would know what to do if he broke into the system.
Conformity is the jailer of freedom and enemy of growth. -JFK
While it isn't really anyone's fault if a good hacker gets to them (especially on the inside!), this raises a really good legal point. YOU SHOULDN'T DATA MINE UNLESS YOU CAN PROTECT THE DATA!
That company took on a huge responsibility when they started tracking millions of consumers. And they should be held responsible for any damages that occur due to dissemination of private information.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
Since the alleged hack was an 'inside job' by a person who had access to the data, is it news at all? I mean, we heard recently that some Pakistani broke into Passport .Net and could reset passwords at will. That was more dangerous.
Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc. The same can't be said about Hotmail hacks or even Windows hacks.
-
If you keep throwing chairs, one day you'll break windows....
Acxiom warned TRUSTe members in late 2002 that "conditions look right for the 'Perfect Storm' of privacy legislation next year." Yeah, scary, the government might insist that customers have some privacy.
I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.
So not a hacker then. Or a cracker either, to keep another section of the crowd happy.
This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad. As such, it's not really a criticism of Acxiom's security policies. It is, however, a criticism of their hiring and monitoring policies.
Cheers,
Ian
Anybody know how the recent California law requiring companies to disclose when their data is compromised would apply to this case? If the primary victim in this case notifies its clients (call them secondary victims), are they then required (if they do biz in California) to notify the tertiary victims (their customers)?
Just wondering how all of this may play out...
The person had legitimate access to the system. I wouldn't call using your legitimate access to then, *GASP*, access that system, a hack.
About a year or so ago people started getting spam addressed to the wrong "John Smith". Some folks tracked the spam to Acxiom. It appears that they'd started selling e-appending services for their clients.
Basically a client supplies information about the consumer (name, partial address, etc.) to Acxiom. Acxiom then takes their best guess as to what the email address for the consumer might be.
Where the problems come with this approach is when you have a common name and your address information is incomplete. Acxiom will happily give the client the best guess, and the client will happily spam the living ****loads out of whoever's email address they can get their hands on.
But, hey, you can always opt-out...one client at a time...
Proletariat of the world, unite to kill spammers
In Soviet Russia, I ruled you
Just a question about the terminology used in the headline there.
I'm no walking dictionary, but I thought the word "hack" (translated as "crack" to technical folks- I don't even want to open that can of worms)-suggested someone somehow getting access to something that they do not legitimately have access to.
--something witty
"Third, the company is taking no responsibility for the break in other than reporting it to the clients, who then may or may not inform their customers."
Sadly, our government doesn't seem to be too... enthusiastic about stopping this type of stuff. Don't get me wrong, I'm a libertarian at heart, I think the government should stay out until absolutely necessary, but this is a case where it's gone too far. I don't trust the consumer enough to protect his own rights.
Anyway, with the current corporate situation, and the examples set by Microsoft et al, IT has grown into an industry with no personal responsibility and very questionable morals.
I can't say this surprises me much.
~Dalcius
Rome wasn't burnt in a day.
"I can say this about the data, much of it was nonsensitive information."
I can say this about this gun I'm pointing at you, much of it is inert material.
"with their freedom lost all virtue lose" - Milton
"Need-to-know" is a term which doesn't seem to exist in the security policies of these companies.
At some point, at some level, there will be someone (or a group of people) with access to information who would not have a watchman over his shoulder -- how can you be sure you can trust them?
Pre-screening of employees and logging of all transactions is necessary, but some times you just can't deny someone access to something if it hinders their work significantly (e.g. the work they were hired for in the first place) and/or puts that work on your plate instead.
I'm not saying that this is good. I'm saying that, too, is real world.
Have EVDO, will travel.
General Conditions
The organization's website or service is online. If not yet launched, the organization's website or service is substantially complete and available for evaluation.
The organization has adopted and implemented an online privacy notice (including an effective date) and posted this notice on the website or online service.
The organization has paid the application and evaluation fees; completed the BBBOnLine Privacy Business Application and required portions of the BBBOnLine Privacy Assessment Questionnaire. The organization has signed and returned the BBBOnLine Privacy Participation Agreement.
A specific individual has been charged with the responsibility for implementing and overseeing the privacy notice for the website or online service. If the organization's application for a BBBOnLine privacy seal does not cover all its websites or online services, and all the websites and online services of its corporate affiliates, then it must be clear to web-visitors relying on the display of the seal, which parts of the websites or online services are covered and which parts are not.
Any organization whose website or online service is directed to children under the age of 13, or who collects personally identifiable information from a particular individual actually known to be under the age of 13, must comply with the substantive requirements of the BBBOnLine children's seal program in addition to the requirements of the general BBBOnLine privacy seal.
Geez, even the submitters don't RTFA, do they? From the NYT:
The suspect was not an Acxiom employee, but an employee of one of Acxiom's clients (banks, cc companies, etc.). He had access to the server, but he cracked the server to access information from other Acxiom clients as well. So yes, this is a cracked server, which BTW was placed outside the company firewall. I'm no security expert, but doesn't that sound stupid to anybody else?
"No, no, no. Don't tug on that. You never know what it might be attached to."
It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will.
And why should this "amaze" you? At some level in any company there needs to be people who can do this. Your human resources department has a ton of information about you that they can pretty much look at whenever they want. Medical professionals are the same way. If you are an interesting case, do you honestly believe doctors/nurses will not talk about you? You are naive if you think that, despite laws (HIPAA) prohibiting such behavior.
You need to be able to trust these people and while there does need to be security and surveillance of people with access to sensitive information, you can't keep them completely away from it. This is especially true in a company (or government agency) whose business is based upon such information. It's also nearly impossible to prevent a knowledgeable insider from getting access to sensitive information, so I'm double confused why this should be surprising.
While it is unfortunate that it happened, the fact that it happened should "amaze" no one. Give enough people a chance to make money by breaking the law and guess what? Some of them will.
Nothing to see here. Move along...
So you're "amazed" that a database company has employees who have access to their database(s)? How exactly is it that Acxiom should do its job while preventing its employees from ever working with the data? Unless the description of the theft is inaccurate, this has nothing to do with hacking and is merely a misuse of privileges. If the armored car driver steals the contents of the armored car, is it because the car wasn't secure enough?
If you would like to be a leader with a large following...drive slowly down a windy two-lane road
I used to work for a consulting group who managed websites for several big name companies, all of which took online orders. Part of my job was to code pages that analyzed the databases and presented an overview of sales statistics. I recall being surprised at the thousands of credit card numbers listed in the database and how easily I could have taken them. There was no password protection except for the general login/password used for ALL our databases, which most employees knew. Luckily I'm an ethical person, but it would have been exceedingly simple for anyone in the company to access the servers and take down credit card numbers, expiration dates, names, addresses, and other personal information. It's really scary when you think about it...
I know several developers there...I almost worked there myself actually. I've heard them mention on several occasions that they develop against production "real world" data simply because there is no test database large enough to test scaling and performance. I remember asking them if they could actually get consumer information on ME and they didn't act like it would be too difficult. Scary...
I read three versions of the story (courtesy of the Google News link). None of them specified what the job description of the perpetrator was, although I'll infer that because he had "legitimate access" (wording per the SiliconValley.com version of the story) to the servers where the information was kept, he wasn't, say, a janitor. So why the histrionics on the submitter's part about how "such a company would have such lax security as to allow an insider to browse supposedly private data at will." Dude, the guy had access. I'm a systems administrator, I can read my co-workers' email at will. If I suddenly "went rogue" without warning, not a lot you could do about it, huh? At some level, you just have to trust your employees.
What's funnier is the universal use of the word "hacker" in the various writeups of this incident. The guy had access already. He didn't hack his way into anything. Back when I worked retail, if our credit card receipts didn't add up to what the system thought we should have at the end of the day, we'd have to do a "list print" - we'd go to our little VeriFone CC terminals and have it print a record of every transaction it could remember. It had a 255 transaction memory, if my own memory serves, complete with amount, timestamp, and - wait for it - credit card number. So, if I printed out a list of 255 credit card numbers and went on a buying spree with other people's money, would you say I was a "hacker" then?
My job is such that I have access to all info on a credit card (name of the person, expiration date and full number), and even worse, since the demand of the US government (CAPS) on airlines, I have access to people's visa and passport details. Would it be possible to protect that data against me? No way. I can access the data at all levels, and since I am the programmer, even if it is encrypted I can still access it by putting in a nicely placed trap. Would I do it? No way, I am honest. Is it possible for me to do it? Yes.
You cannot protect yourself against all your employees, because at one point or another you have to have some trust (at least at invoicing time). So IMO there is nothing new here, and I would barely call that hacking. Rather, insider stealing.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
He then had to play tic-tac-toe against a chicken, and decide if 'Eliza' passed the Turing test to actually access the data.
Once it was fully printed on tractor feed paper, he then had to bribe a small child with Pokemon cards, and juggle three rolls of tape and sing 'You Are the Wind Beneath My Wings' in front of Ryan Seacrest in order to abscond with the wheelbarrow full of printouts.
I think we can all agree that security was not at issue here, it certainly had to be an inside job.
So not a hacker then. Or a cracker either, to keep another section of the crowd happy.
*sigh* You should know better than to trust the poster, headline, the commentary, or the summary of any story posted to Slashdot. I know it is odd, but this isn't a news site where "editors" verify things that are posted. As always, RTFA...
My beliefs do not require that you agree with them.
The reaction of the company in this case, not notifying potential targets, and not putting safeguards in place, suggests that their attitude is to wait and hope that the problem will go away. However, the biggest security hole (in terms of potential damage) in any system is the possibility of abuse by trusted insiders. This suggests that Acxiom will have this problem again.
Oh, and some kind of link to an article would have been nice.
The Amazing Bread Nipple
Just spent the hours since waking with my bank, a fresh load of unauthorized cc activity as of this morning. It's a big bank, and it's brand new crapola, and I use the card only with reputable vendors. Joy. Not compromised my ass.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
We obviously need to push for similar requirements used to secure our medical information.
While some may argue that it will increase the cost of doing business, the leeches who profit from our personal info without our consent don't deserve our sympathy. There are many companies that buy and sell our personal info daily without our consent or knowledge.
Besides, having rules for security related to our personal info will create new jobs as existing systems are modified and business processes are reengineered. Perhaps even more jobs than HIPAA.
Perhaps an even better solution is to require our written consent before any company sells our personal info to another and the consent deemed non-transferable.
I have worked as a short term contractor at one of the "Big 3" credit agencies, and was responsible for adding code to the Mexico codebase that added credit "scoring" to the list of items tracked. It was a 3-month contract where I, coming in off the street, had basically root access to the worldwide databases of this particular credit agency's customer database. It was necessary for my testing that, after I ran my modifications on a test dataset, I expose my changes to a development mirror of the actual database before checking the code into the build tree.
Thinking about it, there was really no way to deny me access to that database, for without the ability to test against live data, there would be no way to verify that my code would not cause someone else huge headaches if it did not work properly.
My point is this...as long as programmers exist they will HAVE to have access to sensitive customer data. It really comes down to a typical employer-employee trust issue, and this problem has been with us since the development of merchant/consumer transactions. The idea that sensitive data can be protected in this day and age is as silly as thinking State secrets are safe.
never bring a twinkie to a food fight.
"To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking
Whilst we have Bill Gates screaming "secure computing", Palladium and other buzzword-compliant claptrap as if it was some sort of magic silver bullet, the real issue has nothing to do with security of the software but the people who have access to it.
Read ANY security analysis and they will always tell you that the weakest link in the security chain is always the human operator.
This weakness comes via one of two things: social engineering by an outside cracker, or privileges being abused by an inside employee either for themselves (as in this case) or for a third party, as in the case 2 years ago in New Zealand when 3 public servants were found selling social welfare records to debt collecting agencies.
Unfortunately in this day and age there is a sizable portion of people who have absolutely no integrity and as a result give the whole business a bad name.
Although this sort of thing DID happen years ago, it didn't happen on the large scale it does now because there was always a paper trail to follow vs the virtual electronic one which can be easily manipulated by those with the knowledge and desire to do so.
What has happened today/whenever was not only a lack of integrity by one person but a lack of safeguards in place from day one to ensure that this sort of thing can't be repeated.
For example, the credit card number should not be available to anyone. The only things that should be allowed to happen is for it to be replaced or deleted. Since everything is done electronically, there is no need for anyone to see those numbers.
Another safeguard would be to install monitoring software onto all computers to track the interaction of the employee and the data, and cameras (of decent visual quality) to monitor not only the user on the computer but their body behaviour, so that if any tell-tale signs of dishonesty are detected, such as taking notes and trying to secretly "hide" a document in their pocket, then the employee should be questioned then and there.
Yes, this does sound like Big Brother; however, ultimately, until the minority realise that their behaviour is completely and utterly unacceptable, this sort of thing will repeat itself.
"The difference between pornography and erotica is the lighting" - Woody Allen
Credit Card information? That's nothing....
I work in Benefits Delivery, and odds are if you work for a Fortune 100, I have access to every bit of your retirement income data. The depth and breadth of the personal information we store is staggering. The number of people with unfettered and untraceable access to that information is disturbing. The fact that we will begin outsourcing many of our operations to India in a few months is downright frightening.
At any point, someone who has been with the company for only a few days would be able to change your 401(k) investment elections, transfer your retirement savings money between funds, set up an unauthorized beneficiary for you... all without the possibility of being traced.
Even assuming that all of our employees are honest, the possibility for errors is enough to make you want to start storing all of your savings under your mattress in a sock! Without going into too much detail, last week one of our client teams accidentally wiped out all of the balances for the entire population in their production database. That was 10,000 people who suddenly lost their retirement incomes! How was it fixed? They used a week old backup and guessed about what the updated amounts should have been.
Of course, there is nothing that you can do about any of this but keep a vigilant watch on your retirement accounts. There is no "opt-out" option. In many cases, you won't even know that we are managing your benefits.
This is the world we live in. There is no privacy any more and nothing is ever truly secure.
People carry their wallets in their back pockets. People leave windows unlocked. People trust their neighbors. People think their data is secure.
A good thief/crook/whatever is someone who exploits this feeling of security, not breaking into a secure system.
This guy just screwed up and got caught. I bet this happens a lot more than we think, thanks to our sense of security.
First rule of database administration..
THE ADMINISTRATOR DOES NOT EVER, FOR ANY REASON, TOUCH THE DATA.
Second rule?
The people inputting the data cannot query the data.
Third rule?
The people who query the data, cannot modify the queries.
The second and third are not nearly as important as the first. If you work in a company that violates the first rule, you should immediately walk into the office of your CEO and demand he commit seppuku.
I keep seeing posts from the clueless whining about, "Well of course they had access!" True, someone ultimately has to have some type of access to the data. However, the access should be restricted far beyond the idea of, "Oh, the DBA can just pull up whatever he wants."
Sheesh. Now I know why I can't get a job, and companies who are laying you people off are checking out India and Russia.
I'd be fucking sour on US 'techs', too.
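The three rules above (and the earlier suggestion that a card number should only ever be replaced or deleted, never read) describe a separation-of-duties model. As an added illustration that is not code from this thread or from Acxiom, here is a small mediated data-access layer in Python over sqlite3 that enforces them: the administrator manages schema and deletions but never reads rows, input operators write but cannot query, and analysts may only run catalogued parameterised queries. Role names, actions, the table and the keyed-token scheme are this example's own assumptions.

```python
"""Mediated data-access layer enforcing separation of duties (constructed
example; roles, actions and the table are assumptions, not Acxiom's)."""
import hashlib
import hmac
import sqlite3


class AccessDenied(Exception):
    pass


# Which role may perform which action. No action in any role returns a full
# card number: admins manage schema and deletions, input operators write,
# analysts run catalogued queries that expose only the last four digits.
PERMISSIONS = {
    "admin": {"create_schema", "delete_customer"},
    "input": {"add_customer", "replace_card"},
    "query": {"lookup"},
}

# Fixed, parameterised query catalogue: the query role picks a name and
# binds values but never supplies SQL text, so it cannot modify queries.
QUERIES = {
    "customer_by_id": "SELECT id, name, last4 FROM customers WHERE id = ?",
    "customer_count": "SELECT COUNT(*) AS n FROM customers",
}


class VaultedStore:
    def __init__(self, token_key: bytes):
        self.db = sqlite3.connect(":memory:")
        self.db.row_factory = sqlite3.Row
        self._key = token_key          # never returned by any action
        self.audit = []                # (user, role, action, outcome)

    def _tokenize(self, pan: str) -> str:
        # Keyed hash: stable per card (duplicates still match) but the
        # number cannot be recovered from the stored value without the key.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()[:20]

    def do(self, user: str, role: str, action: str, **kw):
        """Single entry point: every call is authorised and audited."""
        if action not in PERMISSIONS.get(role, set()):
            self.audit.append((user, role, action, "DENIED"))
            raise AccessDenied(f"role {role!r} may not {action!r}")
        if action == "lookup" and kw.get("query") not in QUERIES:
            self.audit.append((user, role, action, "DENIED: uncatalogued query"))
            raise AccessDenied("only catalogued queries may be run")
        self.audit.append((user, role, action, "ok"))
        return getattr(self, "_" + action)(**kw)

    # --- admin: schema and deletion, never a row's contents ---
    def _create_schema(self):
        self.db.execute(
            "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT,"
            " pan_token TEXT, last4 TEXT)")
        self.db.commit()

    def _delete_customer(self, cust_id: int) -> int:
        cur = self.db.execute("DELETE FROM customers WHERE id = ?", (cust_id,))
        self.db.commit()
        return cur.rowcount

    # --- input: write-only; validates the card number but never echoes it ---
    @staticmethod
    def _check_pan(pan: str):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("malformed card number")

    def _add_customer(self, name: str, pan: str) -> int:
        self._check_pan(pan)
        cur = self.db.execute(
            "INSERT INTO customers (name, pan_token, last4) VALUES (?, ?, ?)",
            (name, self._tokenize(pan), pan[-4:]))
        self.db.commit()
        return cur.lastrowid

    def _replace_card(self, cust_id: int, pan: str) -> int:
        self._check_pan(pan)
        cur = self.db.execute(
            "UPDATE customers SET pan_token = ?, last4 = ? WHERE id = ?",
            (self._tokenize(pan), pan[-4:], cust_id))
        self.db.commit()
        return cur.rowcount

    # --- query: catalogued queries only; results never include pan_token ---
    def _lookup(self, query: str, params=()):
        return [dict(r) for r in self.db.execute(QUERIES[query], params)]
```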
What a mess. I wonder what their E&O insurance is going to look like after this little nightmare?
"I'd say 'Have a good time,' but arson is still illegal.
As a former employee at Acxiom (Conway offices), let me jump in here.
I worked as a developer on one of their primary marketing campaign management tools. As part of this, I had access to all of our particular customers' (not in the company, just the customers who used our tool) data. This was absolutely necessary for us to track down client-specific problems.
The company did have very good policies restricting data access to only those who needed it (and only the data that they needed). Keep in mind that Acxiom is one of the largest data processing centers in the world.. many, many terabytes of information are processed at their facilities. So it's possible for someone to get at quite a bit of data if they worked for the right company.
More than once people were fired during the two years I worked there for misuse of data. Usually, it would be people looking up data about famous people or someone that was making news for whatever reason. Curiosity and all..
The person that did the 'break in' was likely either a programmer or more likely a data auditor. The auditors are people who randomly grab information from the database and check it against other sources to verify that a 3-year old kid didn't somehow make it into the database or what not. They have access to the data, and can pull out large pieces of it without raising eye-brows. I know this was raised as a security concern at some point..
Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
1. A Trollbot may not be modded insightful or, through inaction, allow another Trollbot to come to Insightful status
2. A Trollbot must obey orders given it by geeks except where such orders would conflict with the First Law
3. A Trollbot must protect its own existence as long as such protection does not conflict with the First or Second law.
Just a lazy, Karma-burnin' friday...
Acxiom employs an 11 digit universal identification number as the main ID in the Oracle database they use. For the work of database administrators, which Acxiom understandably employs a great deal of, they have to have access to the entire database at large in order to run scripts to weed out duplicates, of which there is a great amount. For instance, John Smith and John B. Smith, while the same person, may be recorded as two different people, so two mailings get sent out to the same address, costing the company that purchased this mailing list money that could have been saved. And in terms of accounting procedures, the SQL access is logged to an extent, but with millions upon millions of transactions going on every minute, a pull of a hundred thousand records is insignificant.
The great wonders of a company based in Arkansas.
We have so much time, and so little to do - strike that! Reverse it. Tryn Mirell
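The post above makes the point that per-statement SQL logging does not surface a large pull when it is buried in millions of routine transactions. One defensive approach, added here as an illustration rather than anything Acxiom runs, is to aggregate the audit trail per principal over a sliding window, so that many modest pulls by one account add up to an alert even though each query on its own looks routine. The log format, the sample lines, the threshold and the allowlist of batch service accounts are all constructed for this example.

```python
"""Per-principal sliding-window aggregation over a constructed audit log
(example code; the line format and thresholds are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one line per query, carrying the principal and the
# number of rows the query returned.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) query=(?P<query>\S+) rows=(?P<rows>\d+)$")


def parse_audit(lines):
    """Return (events, bad_lines); events are (timestamp, user, rows)."""
    events, bad = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:                      # report malformed lines, never drop them silently
            bad.append(line)
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], int(m["rows"])))
    return events, bad


def find_bulk_pullers(events, window=timedelta(hours=1), max_rows=5000,
                      allowlist=frozenset()):
    """Map each principal whose rows returned within any sliding window exceed
    max_rows to (window_start, peak_rows). Known batch accounts are skipped
    by name, since a nightly export is expected to be large."""
    by_user = defaultdict(list)
    for ts, user, rows in events:
        if user not in allowlist:
            by_user[user].append((ts, rows))
    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        total, start = 0, 0
        for ts, rows in evs:           # two-pointer window over sorted events
            total += rows
            while ts - evs[start][0] > window:
                total -= evs[start][1]
                start += 1
            if total > max_rows and total > alerts.get(user, (None, 0))[1]:
                alerts[user] = (evs[start][0], total)
    return alerts


def constructed_log():
    """Sample audit lines built for this example (not real Acxiom logs)."""
    base = datetime(2003, 8, 8, 9, 0)
    lines = []
    # analyst1: 200 single-record lookups spread across the day - routine.
    for i in range(200):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} user=analyst1 query=customer_by_id rows=1")
    # auditor2: 40 pulls of 200 rows inside 30 minutes - each query is modest,
    # the aggregate (8000 rows) is not.
    for i in range(40):
        t = base + timedelta(hours=3, seconds=45 * i)
        lines.append(f"{t.isoformat()} user=auditor2 query=sample_batch rows=200")
    # etl_nightly: one legitimately huge export from a batch service account.
    t = base + timedelta(hours=14)
    lines.append(f"{t.isoformat()} user=etl_nightly query=full_export rows=3000000")
    return lines


if __name__ == "__main__":
    evs, bad = parse_audit(constructed_log())
    for user, (since, rows) in find_bulk_pullers(evs, allowlist={"etl_nightly"}).items():
        print(f"ALERT {user}: {rows} rows pulled within an hour starting {since}")
```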
There are plenty of laws governing these issues - and your main issue when using cash is making sure you get (and hold onto) your receipts!
Sure there are laws. But do you want to waste your time trying to get your cash back, or would you rather tell your bank/credit card company/whoever that the service/merchandise/whatever wasn't provided, have them refund you your money quickly and easily, and then let them go about squeezing blood from the stone?
Personally, I know which one I'd choose. I'll take the one that gets me my money back with a minimum of effort and time on my part, thank you very much.
It stated right in the policy that these issues were strictly between the purchaser and the merchant!
A good reason to not use American Express frankly. Because the traditional AmEx isn't a credit card. I don't recall the terminology for it, but basically AmEx doesn't give you a credit limit, percentage rate, etc. because you MUST pay the money back at the end of the cycle. The newer AmEx cards (like AmEx Blue) are traditional credit cards, but the older ones are not. As such they're not governed by the same rules that Mastercard, Visa, Discover, etc. are and don't have to offer the protections that credit cards do. Just because it's plastic doesn't mean it's a credit card. Remember that when you pull out the debit card too.
Oh, and what's the issue with the debit cards (no, you didn't ask this, but I suspect some people are)? Simple -- they're directly tied to your bank account. If a fraudulent charge is made on your card it can wipe out your entire bank account. Sure, they now have the same protections that credit cards have (as long as the Visa or MC logo is on them -- if they don't have the logo, refuse to accept one of these cards from your bank!), but there's a twist. The bank is allowed up to 30 days to investigate your dispute. If they wiped out your entire checking account, can you go 30 days without that money? What about if you had checks outstanding? Guess who's liable when those checks bounce? Not the bank. Some banks are starting to rectify this, but you're still better off using a real credit card -- as long as you pay off the balance in full every month.
...WE NEED MORE LAW.
In this case, the law should be to regulate how "consumer information" is stored, protected and regulated. The "Fair Credit Reporting Act" does many nice things for the consumer but clearly not enough with the constant threat of misuse of information.
First of all, I would like to see the use of social security numbers more tightly regulated in the form of requiring a business or individual to have a FEDERAL LICENSE to collect and use such information. We all know the SSNs are the primary key to all of the rest of the information collected on us. The law states that SSNs are only for the purpose of managing your social security account. Not for any other purpose. Law states that no other institution, private or public, can require that you disclose that information for any other purpose. That said, you can and are routinely required to disclose this information else you will be denied credit and/or many other factors of "modern life" in the USA. These abuses can be battled but I do not see a victory against this proliferous abuse.
But with more controls in place regulating the use of this information and PUNISHING those who do not handle it properly and by revoking a business license to use it and by criminally prosecuting individuals found responsible for illegally collecting this information, we can hope to contain the damage done to privacy in the U.S.
Identity fraud has been identified by various security agencies in the US as a threat to homeland security, as it has been found that profits gained through "identity theft" are in fact funding terrorist organizations. Lax security does not only endanger individual credit or individual identities, but endangers the safety of the entire US public at large.
We can protect our country by requiring that those who do business by collecting our information do so in a safe way. If a data system is identified as unsafe (for example, a MS Access database) then that business function should be enjoined to halt activity until it can be migrated to a "safe" system that is deemed safe by the public agency that deems the system as being safe for holding this class of data.
This agency would be the equivalent of the FDA. Who knows what it would be called (there are a lot of creative minds out there who could create a clever acronym for a "Federal Privacy Agency"... so let's hear some ideas) but its function should be to police and regulate the use of private information. It should, however, be barred from collecting private information itself except where it is using such information as a way to conduct investigations.
Because technology has improved significantly in the past 30 years, I think new law should be in place to protect consumers from identity theft. We need regulation of WHO can legally collect information, HOW it can be used, WHO it can be sold to and how the clients can use it themselves. Within that usage criteria, how it is stored and maintained should be strictly regulated. We have laws that require food vendors to store and distribute food safely, so why not critical and vital information?
You have a new lifestyle magazine designed for the 30-40 year old programmer, making between $40k and $60k, and owning at least one ferret? Acxiom will get you a list with most every one of those living in the geographical region you want.