Slashdot Mirror


Consumer Database Company Hacked

fermion writes "The NYT(FRR) and others are reporting that a hacker has broken into an Acxiom server. Acxiom evidently is "one of the world's largest consumer database companies" and serves most top credit card companies and retail banks. There are a few items that stand out in this case. First, Acxiom had no idea that the breach occurred until the company was contacted by the police. Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility for the break-in other than reporting it to the clients, who then may or may not inform their customers." Acxiom is a Certified Participant in the BBBOnline Privacy Program.

38 of 286 comments

  1. You're amazed by this? by James+A.+A.+Joyce · · Score: 5, Interesting

    "The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will."


    This is, unfortunately, the real world. Lax security such as this is the norm. "Need-to-know" is a term which doesn't seem to exist in the security policies of these companies. Insider information will always be leaked by someone out of curiosity or some malicious impulse. They're lucky they were able to find out who it was! At least maybe now they're more likely to improve their security and get it up to scratch. (But probably not.)
    1. Re:You're amazed by this? by dnoyeb · · Score: 4, Informative

      What amazes me is this was not a hack, it was an inside 'job' if you can even call it a job. So please /. drop the 'database hacked' tagline.

      My CC was compromised at some point. I am unaware, but CapitalOne contacted me last year sometime and said they were sending new CCs out because something got compromised. Was fine with me, no hassle as they like to say.

      But I also learned that a lost/stolen report showed up on my credit report. Unsure how this is viewed by creditors. I hope it's just a note as to why the account was closed and not something that would ever look suspicious.

    2. Re:You're amazed by this? by akaina · · Score: 3, Insightful

      It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will.


      You're kidding right? If you hired me for a DBA job as an administrator then told me that administrators aren't allowed to look at the database that would be kinduv ridiculous wouldn't it?

      Let's rephrase this scenario.
      Say an Air Force pilot goes AWOL and drops a devastating bomb causing lots of harm. Here's what that quote would sound like:
      "It amazes me that the Army would have such lax security as to allow a pilot to use such weapons at will."

      Does that sound ridiculous to anyone else? DBAs need to do their job. And if this was an inside job it didn't require any actual "hacking" so the title of this story and its delivery are quite misleading.
      --
      Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose.
  2. corporate speak by Anonymous Coward · · Score: 5, Funny
    ``The data on the servers was a wide variety of information, some of which was personal, some of which was not,'' Jennifer Barrett, the company's chief privacy officer

    Translation: The names of the directories weren't personal data...The files in the directories? well they had the SSN/DOB/Address etc. So, technically, some of the data was personal and some wasn't.

  3. make sure you Opt Out by dlasley · · Score: 5, Insightful

    whenever a company gives you a chance to Opt Out, take it, no matter what the hassles. this keeps your personal information from getting into databases like this and ensures that even if - as in this case - the information "owner" denies accountability, you still have some protection from recent state and federal legislation.

    sometimes it's good to use the system ...

    --
    when it rains, it gets real soggy. when it pours, i'm under the tap just _waiting_ for the joy
    1. Re:make sure you Opt Out by KillerHamster · · Score: 4, Insightful

      Of course you have no way of knowing whether "opting out" actually removes you from any database. Maybe they just set DO_NOT_CONTACT=1 and keep your data anyway. I guess it could offer legal protection though, and is a good idea.

    2. Re:make sure you Opt Out by baka_boy · · Score: 4, Interesting

      Nice sentiment, but painfully naive -- there is no such thing as an 'opt-out' anymore. Every bit of personal information that private or public interests can gather on you is fair game, and the market for such information will probably only grow as interactive media increasingly replace broadcast channels over the next few decades.

      Personally, I wouldn't mind it so much if the reverse was also true, and those interests scanning your personal history for commercial or criminal trends were also subject to the same level of transparency.

    3. Re:make sure you Opt Out by Zathrus · · Score: 3, Informative

      Actually, it doesn't remove you from the database. At least not in any database I've ever seen or worked on.

      What it does do is ensure that they won't send you marketing offers and that they won't sell your information to others for the same purpose. The latter is the important bit.

      If you actually want them to remove your data from the system, then you better be prepared to cease doing business with them and any of their subsidiaries/partners. Which in the case of Acxiom is a rather large portion of the US.

  4. Insiders by Hayzeus · · Score: 4, Interesting

    At least as of a couple of years ago, INTERNAL security threats were really the major issue for most companies. Despite the fact that insider breaches probably tend to get less press, I bet this is still the case, although I don't know for sure. Anyone?

  5. Legal responsibility by Doesn't_Comment_Code · · Score: 5, Insightful

    While it isn't really anyone's fault if a good hacker gets to them (especially on the inside!), this raises a really good legal point. YOU SHOULDN'T DATA MINE UNLESS YOU CAN PROTECT THE DATA!

    That company took on a huge responsibility when they started tracking millions of consumers. And they should be held responsible for any damages that occur due to dissemination of private information.

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    1. Re:Legal responsibility by gbjbaanb · · Score: 3, Insightful

      whatever makes you think it was a hacker - the employee had access to the data, copied it off and took it away. No doubt he tried to sell it and was caught doing so.

      Hacker? If I walk away with the source code I'm writing for my current company, does that make me a hacker? Of course not. If this guy (who could be the data protection officer for all we know) took away the data in his keeping, that doesn't make him a hacker either.

      Similarly - all the posts about 'if you can't keep it secure you shouldn't have it' are stupid - with that argument, absolutely no-one should be able to keep the data... and therefore no-one should have a credit card.. and we should all go live in wigwams like nature intended, man.

    2. Re:Legal responsibility by Doesn't_Comment_Code · · Score: 3, Insightful

      all the posts about 'if you can't keep it secure you shouldn't have it' are stupid ... and therefore no-one should have a credit card

      No they aren't stupid. It is a very different thing to have possession of your own private information, and to have possession of many other people's private information. I can and do protect my own credit card. But if a company is holding my private information, there is nothing I can do to keep it secure. Therefore I still say, don't keep my sensitive data on file if you aren't willing to or can't protect it.

      --

      Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    3. Re:Legal responsibility by B'Trey · · Score: 4, Insightful

      Yes and no. If you have my data, it's your responsibility to keep it protected. That being said, no system is foolproof. Particularly, it's impossible to completely protect data from insiders - people who have legitimate access to the data but choose to abuse that access.

      The impossibility of absolute protection, however, doesn't relieve the company from responsibility. The company is responsible for taking all reasonable measures to protect my data. If they do not do so, they are (or at least should be) criminally negligent. If they do take reasonable precautions and a violation occurs anyway, they're at least responsible for notifying me that my information has been compromised, identifying the vulnerability that led to the violation, and taking steps to ensure that it doesn't happen again.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    4. Re:Legal responsibility by minus9 · · Score: 4, Interesting

      Somebody inside the organisation has to have access to the data, otherwise why bother storing it.

      Can I interest you in a write only drive array?

      It seems any crime perpetrated within 500 yards of a computer is now termed "hacking".

    5. Re:Legal responsibility by Zathrus · · Score: 3, Insightful

      What, you think debit cards are cheaper?

      They aren't. They're more expensive in fact -- they usually have a per transaction fee on top of the exact same percentage that the credit card takes. At the very least they're the exact same cost as credit cards with less consumer protection.

      Cash gives you absolutely no protection against bad merchants or merchandise, while credit cards give you several protections and guarantees. Very few companies give cash discounts (and you cannot charge extra for using credit -- if you do, you'll lose your merchant account). Not to mention that credit cards are a helluva lot more convenient than cash for most transactions.

      If you can't manage your finances, go ahead and use debit cards or cash. We can, and do, and getting 30-60 days of free float is nice, plus the various additional protections credit cards provide. In fact, I find it humorous that your advice is in direct opposition to the advice given by consumer advocates. Sorry, I'm not a retailer. I see no reason to offer them extra money. If they don't feel that credit cards are worth the costs, then they can decline to accept them. Of course, I may decline to use their services at that point -- and probably will if I need to pay more than $20 for whatever I'm buying.

    6. Re:Legal responsibility by Dalcius · · Score: 4, Insightful

      A few words that might mean something:

      1) Logging
      2) Audit
      3) Privileges
      4) Accountability
      5) Background-check

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    7. Re:Legal responsibility by PylonHead · · Score: 4, Insightful

      While your comment has a lot of merit, it is not really a response to the parent.

      It is as silly to call this hacking as it would be to call a bank manager's embezzlement, "safecracking".

      --
      # (/.);;
      - : float -> float -> float =
    8. Re:Legal responsibility by cayenne8 · · Score: 3, Interesting
      Yeah...I used to work at this place years back. It is SCARY what all they have there...at the time I was there..back in like '98, they claimed to have pretty good info on near 98% of the US...and were just starting to gather data on other countries too. They were even working on trying to develop a unique key to identify all people in the US...and could track you through your life..where you lived, salary, and any other stats about you that might be valuable to sell.

      They gather data from all sources...warranty registration cards, state drivers licenses, Change of Address (Postal)...heck, one of my projects involved cutting the binders off phone books, running them through an optical scanner, and parsing and storing in a database. They use algorithms to find the 'correct' data on all individuals possible. They use this to 'clean' other companies' data. They do sell mailing lists...they even clean and manage the data for the credit bureaus. So...no, they do not house trivial data.

      If TIA needed a source for data ready...I'd recommend Acxiom, if someone hasn't already thought of it.

      Was a nice place to work for..but, being a privacy person...it did conflict with what I believe in in many cases.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  6. Is this really newsworthy?? by jkrise · · Score: 4, Insightful

    Since the alleged hack was an 'inside job' by a person who had access to the data, is it news at all? I mean, we heard recently that some Pakistani broke into Passport .Net and could reset passwords at will. That was more dangerous.

    Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc. The same can't be said about Hotmail hacks or even Windows hacks.


    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Is this really newsworthy?? by bourne · · Score: 3, Insightful

      Since the alleged hack was an 'inside job' by a person who had access to the data, is it news at all?

      Yes, in that it illustrates one of the dangers of data mining; you can't always trust the mine companies or the miners they hire.

      Insofar as that "danger" affects anyone whose personal information could end up at a provider like Acxiom, it is relevant to, say, 95% of the /. readership.

      Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO.

      There's this new thing called "Identity Theft" that kind of sucks to be a victim of. Maybe you've heard of it?

      The same can't be said about Hotmail hacks or even Windows hacks.

      *snort* Yeah, cause, you know, Junior's inane personal email is MUCH more important than his financial record.

    2. Re: Is this really newsworthy?? by Black+Parrot · · Score: 4, Insightful


      > Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc.

      If the cardholders are indemnified it just means the cost of the theft is passed back to the card company, the vendors, or their insurers. Who will of course ultimately pass the costs back to the customers.

      There's a lot of PR convenience for "losing" thefts this way, and spreading the costs out thinly. But the cost is still there, and it's real.

      --
      Sheesh, evil *and* a jerk. -- Jade
  7. Acxiom vs. the government by jamie · · Score: 5, Informative
    Acxiom was the first company listed in Microsoft's November 1998 parade of members of their Online Privacy Alliance. The OPA's goal was to keep the feds away: "The alliance advocates industry self-regulation as the best way to ensure that consumers maintain control of their personal data online."

    Acxiom warned TRUSTe members in late 2002 that "conditions look right for the 'Perfect Storm' of privacy legislation next year." Yeah, scary, the government might insist that customers have some privacy.

    I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.

    1. Re: Acxiom vs. the government by Black+Parrot · · Score: 4, Insightful


      > I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.

      Of course you don't refer to a look of surprise; you refer to the calculating look of someone trying to figure out how to avoid responsibility, minimize the financial hit, and continue to forestall privacy legislation in the future.

      --
      Sheesh, evil *and* a jerk. -- Jade
  8. Contradictory by mccalli · · Score: 5, Insightful
    ...a hacker has broken into an Acxiom server....The suspect, now in police custody, was an employee with legitimate access to the information.

    So not a hacker then. Or a cracker either, to keep another section of the crowd happy.

    This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad. As such, it's not really a criticism of Acxiom's security policies. It is, however, a criticism of their hiring and monitoring policies.

    Cheers,
    Ian

    1. Re:Contradictory by pubjames · · Score: 4, Informative

      This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad.

      I don't think it is as simple as that. Just because it is an inside job doesn't mean that the company does not have lax security.

      I have worked on software systems for the management of transaction data for some major banks. Do you think they gave me access to their databases to do the work? No way Jose. They gave me access to duplicate systems with dummy data. Only a very few people had access to the 'real' data (even within the bank) and even then their access was strictly controlled - I mean they had to get permission to get physical access to terminals that could access the data, and they had to justify why, and all their actions were logged.

      Anecdote - I once was working in a bank's bomb-proof super-secure dataroom doing an install on one of their transaction processing systems. The install took a while and I was bored out of my mind. I was idly curious to see what was on the screen of one of the many terminals in the room, so I touched the space key to activate the monitor. About two minutes later the room was full of bank security guys asking what the hell I thought I was doing.

  9. What about Calif. law requiring disclosure? by mstockman · · Score: 3, Interesting

    Anybody know how the recent California law requiring companies to disclose when their data is compromised would apply to this case? If the primary victim in this case notifies its clients (call them secondary victims), are they then required (if they do biz in California) to notify the tertiary victims (their customers)?

    Just wondering how all of this may play out...

  10. I wouldn't call this a hack by bwindle2 · · Score: 3, Insightful

    The person had legitimate access to the system. I wouldn't call using your legitimate access to then, *GASP*, access that system, a hack.

  11. Acxiom - facilitating spam by gorbachev · · Score: 3, Informative

    About a year or so ago people started getting spam addressed to the wrong "John Smith". Some folks tracked the spam to Acxiom. It appears that they'd started selling epending services for their clients.

    Basically a client supplies information about the consumer (name, partial address, etc.) to Acxiom. Acxiom then takes their best guess as to what the Email address for the consumer might be.

    Where the problems come with this approach is when you have a common name and your address information is incomplete. Acxiom will happily give the client the best guess, and the client will happily spam the living ****loads out of whoever's email address they can get their hands on.

    But, hey, you can always opt-out...one client at a time...

    Proletariat of the world, unite to kill spammers

    --
    In Soviet Russia, I ruled you
  12. What do you expect? by Dalcius · · Score: 3, Insightful

    "Third, the company is taking no responsibility for the break in other than reporting it to the clients, who then may or may not inform their customers."

    Sadly, our government doesn't seem to be too... enthusiastic about stopping this type of stuff. Don't get me wrong, I'm a libertarian at heart, I think the government should stay out until absolutely necessary, but this is a case where it's gone too far. I don't trust the consumer enough to protect his own rights.

    Anyway, with the current corporate situation, and the examples set by Microsoft et al, IT has grown into an industry with no personal responsibility and very questionable morals.

    I can't say this surprises me much.

    --
    ~Dalcius
    Rome wasn't burnt in a day.
  13. BBBOnline by Liquorman · · Score: 5, Informative
    Below I have posted the complete listing of requirements for approval from the BBBOnline (Better Business Bureau Online) page. Seems like it is pretty easy to meet the requirements as long as you pay the BBB! Also, it does not appear to have much to do with specifics of what a privacy statement should say, just that you simply must have one.

    General Conditions

    The organization's website or service is online. If not yet launched, the organization's website or service is substantially complete and available for evaluation.

    The organization has adopted and implemented an online privacy notice (including an effective date) and posted this notice on the website or online service.

    The organization has paid the application and evaluation fees; completed the BBBOnLine Privacy Business Application and required portions of the BBBOnLine Privacy Assessment Questionnaire. The organization has signed and returned the BBBOnLine Privacy Participation Agreement.

    A specific individual has been charged with the responsibility for implementing and overseeing the privacy notice for the website or online service. If the organization's application for a BBBOnLine privacy seal does not cover all its websites or online services, and all the websites and online services of its corporate affiliates, then it must be clear to web-visitors relying on the display of the seal, which parts of the websites or online services are covered and which parts are not.

    Any organization whose website or online service is directed to children under the age of 13, or who collects personally identifiable information from a particular individual actually known to be under the age of 13, must comply with the substantive requirements of the BBBOnLine children's seal program in addition to the requirements of the general BBBOnLine privacy seal.

  14. RTFA! by sessamoid · · Score: 4, Insightful
    From the story submission:

    The suspect, now in police custody, was an employee with legitimate access to the information.

    Geez, even the submitters don't RTFA, do they? From the NYT:

    Barrett said the individual in police custody is a former employee of one of Acxiom's clients and that the information was stolen while the person had legitimate access to Acxiom servers.

    The suspect was not an Acxiom employee, but an employee of one of Acxiom's clients (banks, cc companies, etc.). He had access to the server, but he cracked the server to access information from other Acxiom clients as well. So yes, this is a cracked server, which BTW was placed outside the company firewall. I'm no security expert, but doesn't that sound stupid to anybody else?

    --
    "No, no, no. Don't tug on that. You never know what it might be attached to."
  15. Easily Amazed by jrsimmons · · Score: 3, Insightful

    So you're "amazed" that a database company has employees who have access to their database(s)? How exactly is it that Acxiom should do its job while preventing its employees from ever working with the data? Unless the description of the theft is inaccurate, this has nothing to do with hacking and is merely a misuse of privileges. If the armored car driver steals the contents of the armored car, is it because the car wasn't secure enough?

    --
    If you would like to be a leader with a large following...drive slowly down a windy two-lane road
  16. A silly writeup for a silly story by sammy+baby · · Score: 5, Insightful

    I read three versions of the story (courtesy of the Google News link). None of them specified what the job description of the perpetrator was, although I'll infer that because he had "legitimate access" (wording per the SiliconValley.com version of the story) to the servers where the information was kept, he wasn't, say, a janitor. So why the histrionics on the submitter's part about how "such a company would have such lax security as to allow an insider to browse supposedly private data at will." Dude, the guy had access. I'm a systems administrator, I can read my co-workers' email at will. If I suddenly "went rogue" without warning, not a lot you could do about it, huh? At some level, you just have to trust your employees.

    What's funnier is the universal use of the word "hacker" in the various writeups of this incident. The guy had access already. He didn't hack his way into anything. Back when I worked retail, if our credit card receipts didn't add up to what the system thought we should have at the end of the day, we'd have to do a "list print" - we'd go to our little VeriFone CC terminals and have it print a record of every transaction it could remember. It had a 255 transaction memory, if my own memory serves, complete with amount, timestamp, and - wait for it - credit card number. So, if I printed out a list of 255 credit card numbers and went on a buying spree with other people's money, would you say I was a "hacker" then?

  17. Company In Denial by BreadsOfAFeather · · Score: 3, Insightful

    The reaction of the company in this case, not notifying potential targets, and not putting safeguards in place, suggests that their attitude is to wait and hope that the problem will go away. However, the biggest security hole (in terms of potential damage) in any system is the possibility of abuse by trusted insiders. This suggests that Acxiom will have this problem again.

    Oh, and some kind of link to an article would have been nice.

  18. There is no privacy, so just be vigilant by stull13 · · Score: 5, Insightful

    Credit Card information? That's nothing....

    I work in Benefits Delivery, and odds are if you work for a Fortune 100, I have access to every bit of your retirement income data. The depth and breadth of the personal information we store is staggering. The number of people with unfettered and untraceable access to that information is disturbing. The fact that we will begin outsourcing many of our operations to India in a few months is downright frightening.

    At any point, someone who has been with the company for only a few days would be able to change your 401(k) investment elections, transfer your retirement savings money between funds, set up an unauthorized beneficiary for you... all without the possibility of being traced.

    Even assuming that all of our employees are honest, the possibility for errors is enough to make you want to start storing all of your savings under your mattress in a sock! Without going into too much detail, last week one of our client teams accidentally wiped out all of the balances for the entire population in their production database. That was 10,000 people who suddenly lost their retirement incomes! How was it fixed? They used a week-old backup and guessed about what the updated amounts should have been.

    Of course, there is nothing that you can do about any of this but keep a vigilant watch on your retirement accounts. There is no "opt-out" option. In many cases, you won't even know that we are managing your benefits.

    This is the world we live in. There is no privacy any more and nothing is ever truly secure.

  19. The real world by TrippTDF · · Score: 3, Insightful

    People carry their wallets in their back pockets. People leave windows unlocked. People trust their neighbors. People think their data is secure.

    A good thief/crook/whatever is someone who exploits this feeling of security, not someone who breaks into a secure system.

    This guy just screwed up and got caught. I bet this happens a lot more than we think, thanks to our sense of security.

  20. Easily amazed. By Slashdot. by Anonymous Coward · · Score: 5, Insightful

    First rule of database administration..

    THE ADMINISTRATOR DOES NOT EVER, FOR ANY REASON, TOUCH THE DATA.

    Second rule?

    The people inputting the data cannot query the data.

    Third rule?

    The people who query the data, cannot modify the queries.

    The second and third are not nearly as important as the first. If you work in a company that violates the first rule, you should immediately walk into the office of your CEO and demand he commit seppuku.

    I keep seeing posts from the clueless whining about, "Well of course they had access!" True, someone ultimately has to have some type of access to the data. However, the access should be restricted far beyond the idea of, "Oh, the DBA can just pull up whatever he wants."

    Sheesh. Now I know why I can't get a job, and companies who are laying you people off are checking out India and Russia.

    I'd be fucking sour on US 'techs', too.
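As an added illustration (not code from this thread, from Acxiom, or from any poster) of the three rules in this comment together with the logging/audit/privileges list in Dalcius's reply above, here is a Python policy check run over a constructed audit log; every role, user, action name, row cap and event below is an assumption made for the example:

```python
"""Separation-of-duties policy plus audit-log review. Constructed example:
roles, actions, caps, users and events are all made up for illustration."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Rule 1: the administrator manages schema, accounts and backups, never rows.
# Rule 2: the people inputting data may insert but may not query.
# Rule 3: the people querying run approved, named queries and cannot write
#         new ones; authoring queries is a separate role with no execute right.
POLICY = {
    "dba": {"create_table", "alter_table", "manage_accounts", "restore_backup"},
    "loader": {"insert_rows"},
    "analyst": {"run_approved_query"},
    "query_author": {"define_query"},
}

# Actions that read consumer records, and caps for unticketed reads (assumed).
READ_ACTIONS = {"run_approved_query", "select_rows", "export_rows"}
EVENT_CAP = 1_000     # rows one read may return without an approval ticket
DAILY_CAP = 5_000     # rows one user may read per day without a ticket


@dataclass(frozen=True)
class AuditEvent:
    day: str
    user: str
    role: str
    action: str
    rows: int          # rows read or written by this event
    ticket: str = ""   # approval ticket for a sanctioned bulk pull, if any


def check_event(ev: AuditEvent) -> list[str]:
    """Per-event findings: an action outside the role, or an unticketed bulk read."""
    findings = []
    if ev.action not in POLICY.get(ev.role, set()):
        findings.append(f"{ev.user} ({ev.role}) performed {ev.action} outside role")
    if ev.action in READ_ACTIONS and ev.rows > EVENT_CAP and not ev.ticket:
        findings.append(
            f"{ev.user} ({ev.role}) read {ev.rows} rows in one event without a ticket")
    return findings


def review_log(events: list[AuditEvent]) -> list[str]:
    """All findings over a log: per-event checks, then per-user daily read totals,
    which catch someone who stays under the per-event cap with many small pulls."""
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    totals: dict[tuple[str, str, str], int] = defaultdict(int)
    for ev in events:
        if ev.action in READ_ACTIONS and not ev.ticket:
            totals[(ev.day, ev.user, ev.role)] += ev.rows
    for (day, user, role), rows in sorted(totals.items()):
        if rows > DAILY_CAP:
            findings.append(f"{user} ({role}) read {rows} rows on {day} without a ticket")
    return findings


# Constructed audit log; names, dates and row counts are invented.
SAMPLE_LOG = [
    AuditEvent("2003-08-07", "alice", "dba", "alter_table", 0),
    AuditEvent("2003-08-07", "alice", "dba", "select_rows", 40_000),        # breaks rule 1
    AuditEvent("2003-08-07", "bob", "loader", "insert_rows", 250_000),      # normal load
    AuditEvent("2003-08-07", "bob", "loader", "run_approved_query", 12),    # breaks rule 2
    AuditEvent("2003-08-07", "carol", "analyst", "run_approved_query", 400),
    AuditEvent("2003-08-07", "carol", "analyst", "define_query", 0),        # breaks rule 3
    AuditEvent("2003-08-07", "dave", "analyst", "run_approved_query", 900),
    AuditEvent("2003-08-07", "dave", "analyst", "run_approved_query", 950),
    AuditEvent("2003-08-07", "dave", "analyst", "run_approved_query", 980),
    AuditEvent("2003-08-07", "dave", "analyst", "run_approved_query", 990),
    AuditEvent("2003-08-07", "dave", "analyst", "run_approved_query", 999),
    AuditEvent("2003-08-07", "dave", "analyst", "run_approved_query", 995),  # daily total
    AuditEvent("2003-08-08", "erin", "analyst", "run_approved_query", 20_000, "CHG-123"),
]

if __name__ == "__main__":
    for line in review_log(SAMPLE_LOG):
        print(line)
```

Dave's six pulls each sit under the per-event cap and only show up in the daily total, which is the pattern a per-query check alone would miss; Erin's ticketed pull raises nothing because it was approved.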

  21. Former Acxiom Developer by enjo13 · · Score: 4, Informative

    As a former employee at Acxiom (Conway offices), let me jump in here.

    I worked as a developer on one of their primary marketing campaign management tools. As part of this, I had access to all of our particular customers' (not in the company, just the customers who used our tool) data. This was absolutely necessary for us to track down client-specific problems.

    The company did have very good policies restricting data access to only those who needed it (and only the data that they needed). Keep in mind that Acxiom is one of the largest data processing centers in the world.. many, many, many terabytes of information are processed at their facilities. So it's possible for someone to get at quite a bit of data if they worked for the right company.

    More than once people were fired during the two years I worked there for misuse of data. Usually, it would be people looking up data about famous people or someone that was making news for whatever reason. Curiosity and all..

    The person that did the 'break in' was likely either a programmer or more likely a data auditor. The auditors are people who randomly grab information from the database and check it against other sources to verify that a 3-year old kid didn't somehow make it into the database or what not. They have access to the data, and can pull out large pieces of it without raising eyebrows. I know this was raised as a security concern at some point..

    --
    Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!