Slashdot Mirror


Acxiom Hacking Details Made Public

pgrote writes "As mentioned previously, the Acxiom consumer database company was compromised. More details have emerged including the background of the alleged hacker and the method used to gather access. It turns out he had access since December of 2002 and came in through an unsecured FTP server. The suspect was not a former employee of Acxiom as previously reported, but an employee of a data mining company."

11 of 142 comments

  1. details? by trmj · Score: 2, Informative

    There aren't many details in this, it simply says that the hacker got in through an unsecured FTP server, was arrested, and they don't think he distributed the information.

    Where are the details again?

    --
    Work sucked, until it became unemployment, when it became slightly more tolerable. -Tet
  2. HACKER? by Anonymous Coward · Score: 1, Informative

    Would you please stop using the word "hacker" when the proper word would be "cracker"!

    You should know better, you're Slashdot!

    1. Re:HACKER? by alangmead · Score: 2, Informative

      The term hacker was both used and misused long before anyone came up with the term cracker to be someone who breaks into computer systems. It was essentially an attempt to deflect the popular press away from the word hacker, and allow it to regain the former meaning of respect.

      It didn't work. The popular press hasn't let go of the word hacker to mean computer criminal. They haven't picked up on the term cracker. Instead of trying to explain what hacker means, we need to explain what hacker and cracker mean and what differentiates them. Meanwhile, we are also trying to explain that we are speaking the same language, despite having different definitions for just about everything.

      I think we should give up on trying to get people to use the term cracker to mean computer criminal. It already has an entirely different (although no less positive) meaning. We can't just play "you stole our word, so we'll steal one of yours." The term cracker is evidence that jargon can't be forced, it has to spring up naturally.

      Now for why someone who reads Slashdot submitted an article that uses the word hacker incorrectly. I have no explanation.

  3. Re:Question by rritterson · Score: 4, Informative

    According to one of the articles, he broke the encryption on the passwords used to log in to the FTP server. I call that cracking, which would be labeled hacking in the general lexicon.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
  4. Disturbing by Bruha · Score: 5, Informative

    This more or less shows the fact that many companies have group passwords to their critical equipment instead of implementing a choke system to allow users to log into it to show them where they can go and can't go.

    Since they probably dumped the company involved and didn't change any of those passwords, this guy was allowed to basically walk around at will inside the databases.

    Such lax security in itself should also be criminal especially when it concerns consumer data and financial information of consumers.

    1. Re:Disturbing by YOU+LIKEWISE+FAIL+IT · Score: 2, Informative

      FYI

      I don't think anyone has intentionally "loaned" their personal information to Acxiom. Before the initial story was reported here, I'd never heard of Acxiom, though various articles proclaim them to be [one of] the biggest data-mining compan[y|ies] around. If they have any data on me, I sure as hell didn't loan it to them.

      Acxiom collate, clean and break down client data for client companies; as far as I know they don't actually use it themselves. If you're in Acxiom's DBs, chances are someone you bought something from decided they wanted a point and click marketing / bulk mailing / demographics breakdown tool ( "It's NAVIGABLE!" ) and sent them the corporate accounts.

      Bad news, your data might have been in that unsecured stream - address, name, purchasing history, phone #, other confidentials. Good news, your CC # is very unlikely to have been included, at least if our deployment is indicative.

      I have to deal with these guys where I work, and they mostly seem like alright people ( if a bit nontechnical ). We would have just stuck with our existing systems for demographics, but Marketing somehow outflanked us with their request for a new IT toy. ;-)

      YLFI

      --
      One god, one market, one truth, one consumer.
  5. Re:ftp server? by jericho4.0 · Score: 4, Informative

    Being afraid to run FTP for security reasons is valid on any platform. The list of breaches on various FTP servers is long.

    Still, I'd much rather be running an open source FTP server than some of those weak Windows versions.

    --
    "A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
  6. FBI Informant by Anonymous Coward · Score: 1, Informative

    For those of you who didn't read it...

    There's a part about a leet haxor d00d "Krakah Jak" who attended 2600 script kid meetings etc. but was actually a paid FBI informant.

    That was nifty.

  7. Re:Question by Vinson+Massif · Score: 3, Informative

    "When was the last time you saw a FTP-server that allowed to download its own password-file ? 1990 ?"

    Not an admin, eh?

    Many _default_ non-anonymous ftp services on unix|unix-like systems that I have dealt with (recently) allow the ftp user the same access rights to the entire tree as their uid:gid is allowed. So, on a system w/o shadow passwords, cd /etc; get passwd; is all that's needed to get started. (grr ./ eats spaces...)

    BTW, shadow passwording has the Achilles' heel of file security. I have dealt with systems where the file security of these files had been compromised to solve some silly need.

    --
    "Remember, any tool can be the right tool." -- Red Green
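    A defender's audit for the two weaknesses this comment describes (real password hashes sitting in a world-readable passwd file, and a shadow file whose permissions have been loosened), written here as an added example rather than anything from the thread; it runs against constructed sample files in a temp directory and assumes only POSIX sh, awk and ls.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the two weaknesses the comment
# above describes. Both checks take file paths as arguments so they can run on
# the constructed samples below; on a live host pass /etc/passwd and /etc/shadow.

# Succeed (return 0) when every entry in the passwd file is shadowed, i.e. field 2
# is "x", empty, or a lock marker such as "*" or "!!"; fail when a real hash sits
# there, which is what "cd /etc; get passwd" over FTP would hand out.
passwd_is_shadowed() {
    leaked=$(awk -F: '$2 != "x" && $2 != "" && $2 !~ /^[*!]/ { print $1 }' "$1")
    [ -z "$leaked" ]
}

# Succeed when the shadow file is not readable by "other" (the file-security
# heel the comment mentions); ls -l is used because stat flags are not POSIX.
shadow_not_world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???????r??) return 1 ;;   # position 8 is the other-read bit
        *)          return 0 ;;
    esac
}

# Constructed sample files so the checks run offline (hashes are fake).
tmp=$(mktemp -d)
cat > "$tmp/passwd.bad" <<'EOF'
root:$6$constructedhash$notreal:0:0:root:/root:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
EOF
cat > "$tmp/passwd.good" <<'EOF'
root:x:0:0:root:/root:/bin/sh
ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
EOF
printf 'root:$6$constructedhash$notreal:19000:0:99999:7:::\n' > "$tmp/shadow"
chmod 644 "$tmp/shadow"   # the "silly need" case: shadow opened up to everyone

for f in "$tmp/passwd.good" "$tmp/passwd.bad"; do
    if passwd_is_shadowed "$f"; then echo "ok:   $f carries no hashes"
    else echo "WARN: $f exposes password hashes"; fi
done
if shadow_not_world_readable "$tmp/shadow"; then echo "ok:   shadow is protected"
else echo "WARN: $tmp/shadow is world-readable"; fi
```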
  8. Re:IT Malpractice Suit? by bourne · Score: 2, Informative

    Isn't financial data required to be protected by something equivalent to HIPAA?

    HIPAA (Health Insurance Portability and Accountability Act) mostly revolves around (surprise) health related personal information. Financial organizations need to pay attention to it for their own employees' information, and for any health-related organizations they provide services for, but it's not the biggest IT driver for financial companies.

    The Gramm-Leach-Bliley Act of 1999 is more closely targeted on financial organizations. Also, the Office of the Comptroller of the Currency (OCC) issues a lot of regulations that financial institutions need to pay close attention to. Insofar as Acxiom acts (acxts?) as a third-party vendor for financial institutions, they are also expected to meet those regulations when dealing with financial customer data.

    If, as the first article states, "All of the information was encrypted," then they were probably not in violation of any of these rules or regulations. It sounds like all the guy did was pull encrypted files off a publicly accessible FTP dropoff point, probably after sniffing plaintext authentication credentials on the network. Stupid move by Acxiom, but not fatal; bad PR but no real impact.

  9. Re:Here I was hoping for real details... by enjo13 · Score: 2, Informative

    I can answer part of this (I was an employee there a little over a year ago).

    The FTP server was likely one of the servers used to move data from Acxiom (who is simply a data processor) back to the client. So, the thing sits outside of the firewall. This was only done for customer data that was considered 'public record' or 'less sensitive' data. Which means that it's only the type of information that you can garner from various sources without too much trouble.

    The data was more than likely encrypted, and I doubt he actually broke the encryption on the data itself.

    As for how he got the actual passwords, your guess is as good as mine. Many of Acxiom's customers keep internal lists of passwords in encrypted form on their servers (using one of the billion types of keychain software floating around). I can ALMOST guarantee that he didn't easily get the password file off of the FTP server itself. Instead he had access to this particular key file at his former employer's shop and used that.

    --
    Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!