Slashdot Mirror


Consumer Database Company Hacked Again

x-guru writes "CNN is reporting on the indictment of a Florida man on 144 identity theft charges including fraud, money-laundering, and obstruction of justice. Approximately 8.2 GB of data was stolen from Acxiom Corp, a company responsible for the storage of vast amounts of personal, financial and corporate data. It looks to be an inside job as six Acxiom employees have agreed to cooperate with the investigation." Acxiom was hacked last year as well.

230 comments

  1. disclosure by Anonymous Coward · · Score: 4, Insightful

    Of course I can't be bothered to RTFA, but when will we have laws making it a mandatory requirement for companies like this to fully disclose events like this to the public? After all, it is our information they're "losing".

    1. Re:disclosure by JPelorat · · Score: 1

      Doesn't the Sarbanes-Oxley law require disclosure?

      --
      Hokey statistics and ancient misconceptions are no match for a good thought in your head, kid!
    2. Re:disclosure by Anonymous Coward · · Score: 1, Insightful
      It is not our information, it is information about us.

      Acxiom owns it and sells it to whomever will pay for it. The only news here is that somebody didn't pay.

    3. Re:disclosure by astellar · · Score: 1

      I'm sure they never want to disclose this event to the public, but journalists are sometimes very crafty. Acxiom was just unable to hide its problem.

    4. Re:disclosure by Fulcrum+of+Evil · · Score: 1

      It is not our information, it is information about us.

      Depends on where you live. In most sensible countries, information about me is owned by me.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    5. Re:disclosure by MemRaven · · Score: 2, Insightful

      And in order to work with anyone, you always sign over the rights for them to aggregate it in this way anyway. So in theory you own your data, in order to do anything at all in society you have to relinquish your rights to the data which you own.

    6. Re:disclosure by higginsm2000 · · Score: 2, Informative
      I think you are confused.

      In the UK with the Data Protection Act, you have a right to access any data held on any computer system that relates to you, and correct it if it is wrong, but the data does not belong to you IIRC. In fact Acxiom run a very similar operation (data for cash) in the UK too. So what "sensible countries" are you referring to?

      And seriously, I can't see how it could be otherwise. If a store collects data on you via a loyalty scheme, you are suggesting that that data belongs to you? The argument for that is very flimsy, but I would love to hear it...

    7. Re:disclosure by higginsm2000 · · Score: 1

      So my point is that most "sensible countries" give you the right to access data about you (and file a complaint/correction if it is wrong), but that does not extend to ownership of the data.

    8. Re:disclosure by paintballluvr · · Score: 1

      ...when will we have laws making it a mandatory requirement for companies like this to fully disclose events like this to the public...

      I work in a financial institution in California. We do. We have to report it to our entire membership and the authorities. I believe it may be a federal law for financial institutions. In fact a local competitor had a laptop stolen from their site with all their members' personal info and had to release it. It hurt them pretty bad.

    9. Re:disclosure by robochan · · Score: 1

      ...when will we have laws making it a mandatory requirement for companies like this to fully disclose events like this to the public...

      Perhaps when "we the people" take back our government from its corporate masters.

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    10. Re:disclosure by bechthros · · Score: 1

      Which is why we should start trademarking our SSN's. Then they're ours, right?

    11. Re:disclosure by isn't+my+name · · Score: 1

      I work in a financial institution in California. We do.

      My understanding of the California law is that it applies not just to financial institutions but to all companies storing personal information on California residents. NOTE: Not all California companies, but all companies storing information on California residents.

      The CNN article says "Acxiom, headquartered in Little Rock and Conway, Arkansas, stores and processes millions of bits of data on behalf of a wide range of clients that include IBM, GE, Microsoft and many major credit card companies," so if there are any California consumers who think they may have used a credit card or done business with GE, Microsoft or IBM, they might want to look up the law and see if they can sue since Acxiom has not contacted them.

    12. Re:disclosure by Anonymous Coward · · Score: 0

      So you can view the data stored about you and ensure it's totally accurate.

      I'm sure the person breaking into the system and stealing personal data about you really appreciates the gesture.

  2. What? by windside · · Score: 3, Interesting

    It looks to be an inside job as six Acxiom employees have agreed to cooperate with the investigation.

    It might just be the early morning talking, but could someone explain how employee cooperation implies an inside job? Maybe I need more coffee.

    --
    ...Whether my Maker is prepared for the great ordeal of meeting me is another matter.
    Churchill
    1. Re:What? by Anonymous Coward · · Score: 2, Funny

      They are the ones that decided to use IIS as their webserver, so it's an inside job.

    2. Re:What? by irokitt · · Score: 1
      "agreed to cooperate with the investigation."


      "Well, yeah, I guess letting my brother's cousin's roommate have the access codes to our server was a bad idea. Seriously though, I thought he was just hosting games of Quake III."
      --
      If my answers frighten you, stop asking scary questions.
    3. Re:What? by panda · · Score: 4, Informative

      Actually, the article does NOT say that 6 Acxiom employees agreed to cooperate with the investigation. It says 6 employees of "the company." Since Snipermail was the previous company mentioned, I took it to mean that 6 employees of Snipermail were cooperating with the investigation.

      At any rate, it never said 6 employees of Acxiom, so it is open to interpretation and poorly written. I think someone needs to clarify that point.

      --
      Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
    4. Re:What? by spurdy · · Score: 1

      Yes, it was 6 employees of Snipermail, not Acxiom, who were cooperating. That was made clear in the article that appeared this morning in the Arkansas Democrat-Gazette.

    5. Re:What? by squeezer_jackson · · Score: 1

      You are correct sir. Take it from me... I KNOW!!! I saw my name on that indictment and I don't work for Axciom!

  3. $7 million? by Gentoo+Fan · · Score: 1, Interesting

    Federal officials said the theft of approximately 8.2 gigabytes of data resulted in losses of more than $7 million.

    Where exactly is $7 million coming from? Is there data worth about a million a gig?

    1. Re:$7 million? by Anonymous Coward · · Score: 3, Funny

      Where exactly is $7 million coming from? Is there data worth about a million a gig?

      Wow, I must have billions of dollars worth of pr0n then!

    2. Re:$7 million? by RealityMogul · · Score: 2, Insightful

      How many customer records could be stored in 1 GB?

      How much would it cost just to inform all those people (assuming that they will)? And then when everyone updates their records, how much will it cost to rebuild/update the database with the new info?

      Just playing devil's advocate here.

    3. Re:$7 million? by gid · · Score: 2, Interesting

      I'd be willing to wager the 7 million is just an arbitrarily large enough number so the feds will investigate their case. If they say they only lost a grand, then there would probably be no investigation.

    4. Re:$7 million? by LiquidCoooled · · Score: 2, Interesting

      ONLY 7 million!

      Thank god the RIAA isn't involved with the cleanup.

      (82000000 * ($250,000 * ([DriveSpeed] * Cos([WindDirection]))))

      This issue of losses is moot really, because as with illicit file sharing, the original data still exists.

      This data sharing may result in customers going elsewhere, and so may affect FUTURE revenue stream, but their account certainly hasn't taken a dip just yet.
      (Contrast with bank robbery)

      --
      liqbase :: faster than paper
    5. Re:$7 million? by wo1verin3 · · Score: 1

      Let's say each customer record was 100k, which is stretching it if it includes plain text of their name/address/credit history/social insurance or whatever.

      That's 10 thousand people. Now... 8.2GB works out to about 82000 people. They would have to hire staff to contact customers, to receive calls, the cost of the phone lines, etc, etc, etc. It gets pretty pricey.

    6. Re:$7 million? by Anonymous Coward · · Score: 1, Interesting

      You're a moron.

      I was an intern with Acxiom at one time. A lot of computing power and programming goes into creating the data products they provide. It's some mysql database with 1000 rows - it's a little more serious than that. And it's not just the large amounts of data, it's the work and programming that gleans useful product from that data. Think before you speak, son.

    7. Re:$7 million? by Anonymous Coward · · Score: 0

      I'd probably pay $7million for Billy No-Gates' bank & security details - that's gotta be worth far more than $7mill and would only be a few kb!

    8. Re:$7 million? by Kenja · · Score: 1
      "Where exactly is $7 million coming from? Is there data worth about a million a gig?"

      Um... Solid gold hard disks?

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    9. Re:$7 million? by Anonymous Coward · · Score: 0

      They're using some really really old hard-drives to store those 8.2gigabytes...

    10. Re:$7 million? by Anonymous Coward · · Score: 1, Funny

      Thankfully, it was in Microsoft Word format, so only three people were compromised, despite the >8GB of data.

    11. Re:$7 million? by magefile · · Score: 1

      You have access to multi-terabytes of storage? That in itself is worth quite a bit. Not billions of dollars, but still a nice sum.

    12. Re:$7 million? by JT+Snortbuckle+JrIII · · Score: 1

      Only $billions? N00b!

      --
      I need just enough coffee to tide me over 'til I need more.
    13. Re:$7 million? by perlchild · · Score: 1

      Wouldn't the reputation of the companies that the customers that information was about require some form of insurance/bond to cover their own loss of reputation over this? Of course, you missed the 114 "identities" compromised part of the post, and concentrated on the gigabytes.

      If the data can support identity theft, that means people can use it to forge identities, and commit identity and credit fraud. That's why the number is high, not the amount of data. It's how sensitive (and eventually useful to a criminal) the data is that makes its value.

    14. Re:$7 million? by Secrity · · Score: 1

      The problem is that the company that "lost" the data isn't out the $7M, it is the people whose identities will be stolen who will be out the money and will be hassled, in some cases, to death.

    15. Re:$7 million? by Mr+Smidge · · Score: 1

      theft of approximately 8.2 gigabytes of data

      I thought it was done remotely? How did they manage to physically remove the data from Acxiom?

      Oh, so they don't mean steal, or theft. They mean unlawful copying. Right. Should have said.

      </pedant>

    16. Re:$7 million? by Anonymous Coward · · Score: 0

      Real Britney Spears hardcore videos would EASILY be worth a million a gig.

    17. Re:$7 million? by Anonymous Coward · · Score: 0

      $10K will get you multi-terabytes of storage.

    18. Re:$7 million? by muggsy · · Score: 1

      Strange isn't it? $7million, especially since Acxiom expects the first hacker to reimburse them 5.8 million and a large part of that was to secure their computers. I guess they want to double dip and have both hackers pay to secure the same computers.

  4. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  5. Links within a chain by Evil+Schmoo · · Score: 3, Interesting

    This is the great myth of the InterWeb security policies of most corporations -- you're only as safe as the weakest link in the chain. IBM, GE, et al, are probably among the most secure commercial sites available, and yet their customers still get nailed by third-party lapses.

    Anyone want to take a gander on when Equifax, Experian, and TransUnion get busted for going through some minor service provider?

    1. Re:Links within a chain by Anonymous Coward · · Score: 0

      Anyone want to take a gander on when Equifax, Experian, and TransUnion get busted for going through some minor service provider?

      why would anyone want to?

      Their data is the most inaccurate on the planet. Most everyone knows that credit reporting agencies have the lowest quality and most error-filled databases on the planet.

      A good data-thief knows that a credit report is useless as it's full of errors.

      Don't believe me? Do a search for credit report errors. It's been on CNN, NBC, and NPR for years about how worthless a credit report is. And the scary part is that banks and lenders RELY on its inaccurate data. (Oh, and you can pay to have it cleaned.. Yes you can, there are companies that do it, and you can too...)

  6. The only way to keep private data private... by MartinG · · Score: 3, Insightful

    ... is to not store it all in one place.

    Centralised databases of sensitive data are evil.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
    1. Re:The only way to keep private data private... by recursiv · · Score: 1

      This is still not safe from a skilled social engineer.

      --
      I used to bulls-eye womp-rats in my pants
    2. Re:The only way to keep private data private... by LiquidCoooled · · Score: 1

      Bosses like to send mailshots and group customers by location and store their bank details and other kinds of crap that would make everyone's life a living hell.

      Imagine having to call directory enquiries for EVERY person you want to contact.

      Think of your phone contacts list, could you do without it?

      If every customer database only held absolute minimum fields, then nobody would get any work done.
      minimal db: [Name,Tel]

      today:
      "Hi, this is so and so from your bank, I am going to send you your bank statement, can I have your address please."

      next day:
      "Hi, this is so and so from your bank again, I am going to send you your overdraft agreement, can I have your address please."

      day after:
      "Hi, this is so and so from your bank yet again, I am going to send you your overdraft acceptance, can I have your address please." ....

      But by the same token, you are kind of right.

      What SHOULD be restricted is table/db level access to sensitive data.
      Full authentication, complete logging and one at a time retrieval (one lookup per 10 seconds for banking info etc).

      However, it's so much simpler to set up and populate a raw database than to implement the things I have just suggested.

      (ponder_to_self: could this time delay be done at the DB table level in mySql or similar? a param to slow down record access?)

      --
      liqbase :: faster than paper
    3. Re:The only way to keep private data private... by Anonymous Coward · · Score: 0

      OH ya, and it's still not safe from a meteor strike either, get over it. They shouldn't hire morons that give away data.

    4. Re:The only way to keep private data private... by recursiv · · Score: 1

      I agree about the employment of morons, but non-morons are also vulnerable to social engineering. If you don't believe me, I suggest you read 'The Art of Deception' by Kevin Mitnick. All types of people are susceptible to some con, but some are more vulnerable than others.

      --
      I used to bulls-eye womp-rats in my pants
    5. Re:The only way to keep private data private... by LiquidCoooled · · Score: 1

      I've been thinking about this whilst driving home.

      Encrypting the backend file would be fine and I would recommend that anyway.

      Doesn't Kerberos handle timed access tokens?

      Just tie up the data lookup functions with the LAN where they are stored; lookup functions are only meaningful then if they are performed onsite (Kerberos server is not publicly accessible).

      That way, you frankly don't care if they get at the raw files, and only those with genuine tokens can decrypt the data within.

      Heck, you could even link up excessive queries with a great big siren and lights, but that might be a bridge too far for most people's "simple" customer databases.

      It is issues and problems like this that allowing encrypted, delayed lookup tables inside the database by default would help with.

      At the DB level, no changes to an application are required, asking for a query that returns 400,000 detailed customer records will take 4,000,000 seconds to return the data.

      I think I have convinced myself to look into the feasibility of this.

      --
      liqbase :: faster than paper
    6. Re:The only way to keep private data private... by kris_lang · · Score: 2, Insightful

      Amen. I fear for the sanctity of our medical records and the sanity of our medical providers (oh so politically correct HMO way of being weaselly about whether you'll actually be seen by a doctor, a nurse, a nurse practitioner, or a physician's assistant: we employ 1984-speak and we equate all four thus, thus it is so) once the wacky concept of CENTRALIZING all of our health records ever takes place. Does President Bush's New Mandate Give HHS Authority to Link Everyone's Medical Records to a National Computerized System? at
      www.forhealthfreedom.org/Publications/Privacy/LosingPrivacy.html

      If they can't fix the debacle at the Veteran's Administration Hospitals transitioning from MUMPS-based transaction and cost accounting to the COREFLS system, why should we expect the government to be any good at doing this on a country-wide wholesale populace scale?

    7. Re:The only way to keep private data private... by perlchild · · Score: 1

      Better application design might be a better idea than the delay you mention. Just because the information is grouped together doesn't mean it should be accessible in a single screen. Nor are 114 home addresses enough to commit identity theft crimes.

      There is a lot to be said about restricting confidential, identifying information(such as that sufficient to personify you) to the company you signed a contract with. My reasoning is simple:
      your contract is with so and so firm, you know they have your information, and you can ask them about their security procedures.

      If they subcontract it (not the hire a consultant to build a storage infrastructure in-house, but actually house it on servers under the control of another company), then they can't tell you how the data about you is stored (because some of those methods are proprietary to the outsourcer). Can you get a copy of the contract's security provisions that they take on behalf of your identity? We aren't talking about whether or not you like so and so sports star here, we are talking about enough info to make you apply for a credit card without your knowledge. That identifying data HAS to belong to you, because it's part of your identity.

      While collecting trivia about my shopping preferences can certainly fall under copyright law as compiling information, how can information that allows you to impersonate me belong to you? The information is sufficiently personal to me that a third party acting in good faith checks that information, and expects you to be me.

    8. Re:The only way to keep private data private... by flosofl · · Score: 1

      Here's how we work (VERY basic).

      We have a DEK (Database Encryption Key) that we use to encrypt fields in a table with sensitive information. 3DES for industry compliance, but the problem arises - how can you store the key so stuff can be encrypted/decrypted on the fly?

      Well, we also have a KEK (Key Encryption Key) which encrypts the DEK. The encrypted DEK is stored in that database's table. The KEK is embedded in the system which decrypts the DEK. Typically this is some sort of hardware module (with formidable physical security features - for instance, if you try to physically remove the system from the rack without the correct physical keys it will wipe itself).

      There are several hardware modules out there that will do this. Atalla comes to mind. Very, very fast (we also use them for ATMs) because that is all they do. They store a master key and encrypt/decrypt other keys against that.

      Encryption is not a panacea. You need very rigid controls for the plain text keys - entered in halves by different Security Officers, stored in separate safes, etc. You also need very strong authentication to define who can even access the database (SecureID, Vasco, etc..). You can even base what gets decrypted on authentication (multiple DEKs). I'm not even taking into account network level security (that's where Kerberos comes in).

      The above is cumbersome and time consuming and at times difficult to implement. You need to do a Risk Assessment. How much is my data worth? How much would a loss cost me (real dollars, revenue, reputation)? The more it's worth, the more effort needs to be taken to safeguard it. At the very least, you should have an enterprise-wide policy with graduating levels based on the sensitivity of what you need to protect.

      Ultimately, nothing is completely protected, but you can make it extremely expensive for the unauthorized to retrieve the data (computing costs exceed the benefit).

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
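The DEK/KEK arrangement flosofl describes above, written out as an added Python example (this is not flosofl's code, not Acxiom's, and not any vendor's HSM interface). The KEK lives only inside a `HardwareModule` stand-in that wraps and unwraps DEKs; each sensitive column is encrypted under the DEK of an access zone; only the wrapped DEKs are stored with the table; and which columns a caller gets back in clear depends on the zones they are authorised for, which is the "multiple DEKs" point. All class and function names are mine, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for the 3DES (or, today, AES-GCM from a crypto library) a real deployment would use.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate sub-keys for encryption and authentication."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the block cipher (3DES on the
    # page, AES-GCM from a crypto library in practice) so that this example
    # runs on the standard library alone; it is a teaching construction.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; anything tampered with is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext failed authentication")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class HardwareModule:
    """Hypothetical stand-in for the HSM that holds the KEK: it wraps and
    unwraps DEKs and never hands the KEK itself to the database tier."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        return unseal(self._kek, wrapped_dek)


class CustomerTable:
    """Each sensitive column is encrypted under the DEK of its access zone.
    Only the wrapped DEKs are stored with the table; the KEK stays in the HSM."""

    COLUMN_ZONE = {"ssn": "identity", "card_number": "payments"}

    def __init__(self, hsm: HardwareModule) -> None:
        self.hsm = hsm
        self.wrapped_deks = {
            zone: hsm.wrap(secrets.token_bytes(32))
            for zone in set(self.COLUMN_ZONE.values())
        }
        self.rows = []

    def _dek(self, zone: str) -> bytes:
        return self.hsm.unwrap(self.wrapped_deks[zone])

    def insert(self, row: dict) -> None:
        stored = dict(row)
        for col, zone in self.COLUMN_ZONE.items():
            stored[col] = seal(self._dek(zone), row[col].encode())
        self.rows.append(stored)

    def read(self, index: int, zones: set) -> dict:
        """Decrypt only the columns whose zone the caller is authorised for;
        the rest come back redacted rather than as raw ciphertext."""
        row = dict(self.rows[index])
        for col, zone in self.COLUMN_ZONE.items():
            if zone in zones:
                row[col] = unseal(self._dek(zone), row[col]).decode()
            else:
                row[col] = "<redacted>"
        return row


def demo() -> dict:
    # Constructed sample record, not real data.
    table = CustomerTable(HardwareModule())
    table.insert({"name": "A. Sample", "ssn": "000-00-0000",
                  "card_number": "4000000000000000"})
    return {
        "support_view": table.read(0, {"identity"}),
        "billing_view": table.read(0, {"payments"}),
        "ssn_at_rest_is_ciphertext": table.rows[0]["ssn"] != b"000-00-0000",
    }
```

A copy of the table file alone yields ciphertext plus wrapped DEKs, which is the point of keeping the KEK out of the database; the controls flosofl lists afterwards (split knowledge for the plaintext keys, strong authentication before any decrypt) are what stop a legitimate session from becoming the 8 GB dump, and this example only models the second of them through the zone check in `read`.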
    9. Re:The only way to keep private data private... by LiquidCoooled · · Score: 1

      I just tried to write up some additional thoughts about this whole data access problem, and I keep finding myself back at throttled/restricted access.

      To answer your query, the access token grants access to the lookup function, but does not perform the decryption.

      The encryption job could be passed to the File system itself, and let the big boss logon to the machine after every power cycle. A nice long complex logistically impractical to crack kind of password.

      Barring hackable exploits in the system, the physical data files would not even be shared (\\domain-ds\c$), leaving the thief with needing physical access to the machine.

      Even with access, cracking the password would be difficult.

      If it becomes an issue of physical theft then the security precautions already in use for valuables should be applied.

      Stripping away ALL this side of the security, allowing 1 user 1 lookup every few minutes means that instead of 8GB of data being copied, at most ~100 bank accounts can be linked by a determined individual. Unlike direct network file access, this guy would plainly not be performing his duties if he wasted his access tokens stealing account numbers leaving his real job unfinished.

      The whole point of this was to find a simple way to prevent misuse of our private data. The encryption thing has gotten in the way, but could be handled respectably.

      There is no way to completely restrict access to any information, but nothing stops us from erecting simple roadblocks and diversions along the way :)

      (Single insignificant checkbox on a field of a database marking itself as throttled access would be enough for me.)

      --
      liqbase :: faster than paper
  7. Lack of Security by millahtime · · Score: 2, Insightful

    This is where the lack of security is undershot. Security is always talked about with the consumer PC, Windows and IE. If you want to get personal data, hack the server. Forget the PC. I don't hear much about these areas being covered. Banks and the Military seem to have security covered but there are a lot of organizations with a lot of personal data with not nearly enough security.

  8. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  9. This begs the question.,, by penginkun · · Score: 2, Interesting

    What is happening to the morons who leave this kind of information sitting around on an easily cracked server? Are they getting fines? Jail time? 40 lashes with a wet noodle? What?

    Maybe if these network admins were PUNISHED SEVERELY for their negligence they'd start being more careful.

    At the very least this kind of information should be stored on encrypted filesystems. Better still, the files themselves should be triple-des'd and then PGP'd for good measure.

    1. Re:This begs the question.,, by Jane_Dozey · · Score: 1

      What if it was an inside job? Some idiot with access could well steal the data and sell it. Should the SysAdmins get punished when their system WAS secured but the employees were corrupt?
      What about the time the data isn't encrypted? It's useless if no-one ever reads it. At some point the data will be in plain text and then it doesn't really matter how much encryption you have, it still gets compromised.

      However, I think the storage companies involved with id theft (or any private data) should get fined (and prosecuted if it's shown that they DID NOT take the correct steps to secure the data).
      Liability is a great way of motivating better security.

      --
      Silly rabbit
    2. Re:This begs the question.,, by Anonymous Coward · · Score: 0

      This comment about encryption is just plain stupid. Encryption protects data when the computer is NOT running. In the case of a large company database, the system is on all the time, the encryption keys are loaded in the RAM, and the FS is mounted and accessible to anyone because it's what this machine is meant for : serving data. Encryption won't help.

    3. Re:This begs the question.,, by sdjunky · · Score: 2, Insightful

      And what if there aren't enough Network Admins to do the necessary work because of IT Budget cuts?

      And what if the Network Admin isn't appropriately trained because the company won't pay for training and the pay they offer won't entice skilled admins?

      Assuming negligence of the Network Admin doesn't take into consideration the shades of grey that are often involved.

      People should be responsible for poor security but the "climate" that leads to it should also be considered.

    4. Re:This begs the question.,, by Anonymous Coward · · Score: 0

      Yeah, get the network admin. Let's forget about
      the management that wouldn't let him bring down the server to do the updates, or chose poorly written software applications because of TCO or ROI or some other bullsh*t, or made him leave ports open on the firewall so they could stream their earnings conference calls for stocks in their portfolio.

      Yes, I have seen my share of stupid/lazy admins but let's get the facts before we assume that the network admin(s) were at fault.

    5. Re:This begs the question.,, by Anonymous Coward · · Score: 0

      What is happening to the morons who leave this kind of information sitting around on an easily cracked server?

      And what if a woman is wearing a short skirt that's easily removed? Shouldn't she be convicted of inciting rape?

      Yeah, there are fucked up network admins. There are also networking depts that are understaffed, undertrained, and over supervised. Ever see some of the dumbass decisions a PHB can make when tasked with determining network security requirements? Half of them think they "know better" than their technical employees with respect to security policy and implementation.

      And yes, this is from somebody in the field.

    6. Re:This begs the question.,, by Hiro+Antagonist · · Score: 1

      Don't punish the admins; punish the managers that give those admins a shoestring budget and no help.

      --
      I Hit the Karma Cap, and All I Got Was This Lousy .sig.
    7. Re:This begs the question.,, by penginkun · · Score: 1

      Clearly any sysadmin that sloppy SHOULD face punishment. His task is to make it as difficult as possible to abuse the system. If he walks away and leaves the root account logged in to the console, well, that's just fscking sloppy and negligent.

      If he's done his job and the data is still stolen, well, that's another matter.

      But it does no good to argue "What ifs" here when we've got an actual situation. Did the sysadmin of the cracked system do everything he/she/it could to prevent this situation?

      Someone else mentioned budget cuts. Again, what's the point of arguing what ifs? If my job is to make sure a system is secure, I'm going to do whatever I have to do to make sure it's secure, up to and including unplugging it from the network if I have to.

      And why the hell is this stuff laying around on TCP/IP networks anyway? I know it's cheap and easy, but if this data is worth $7 million dollars (say it in the Dr Evil voice for full effect) then surely it's worth safeguarding by requiring access through a different type of networking.

    8. Re:This begs the question.,, by penginkun · · Score: 1

      Well, gee. Let's see. The woman gets raped. Does the sysadmin? No? Who does...let's see...oh yeah, it's the people whose data is stolen! You're RESPONSIBLE FOR SECURING THE DATA! You're not the victim. You're the idiot who walked away and left the keys in the ignition.

      Let me be clear: you're paid to do a job. You do that job to the best of your abilities. Period. Don't blame management for your shortcomings. If you can't handle it, say so and let someone else try.

    9. Re:This begs the question.,, by Anonymous Coward · · Score: 0

      > Well, gee. Let's see. The woman gets raped. Does
      > the sysadmin? No? Who does...let's see...oh yeah,
      > it's the people whose data is stolen! You're
      > RESPONSIBLE FOR SECURING THE DATA! You're not the
      > victim. You're the idiot who walked away and left
      > the keys in the ignition.

      Okay, I've read all these responses as to how the sysadmin should be liable. I am sorry, but do you want to drive up IT costs to help even more outsourcing??? Sure, let's put personal liability in. I for one won't take a 30k job where I will get sued because I either made a mistake, someone else did, or it's management's fault because MANAGEMENT IS STUPID (remember that in this industry that is almost always the case). Yes, if you are say a doctor things are different for numerous reasons. If identity theft is such a problem why won't we hold companies accountable for publishing false information on our credit reports? Until that starts happening people's credit will continue to be screwed, while the credit card companies and other financial institutions are making a TON of money off your inaccurate credit rating.

      Of course capitalism sucks altogether but there's nothing we can do to change that anytime soon.

      Individual liability isn't the answer! It is the company's responsibility, and holding an individual liable for such reasons is ethically and morally wrong. It also goes against the whole foundation as to why a company is setup in the first place!

  10. mens rea...yes.....actual theft though??? by Anonymous Coward · · Score: 0

    What the crap? Did the theft actually occur or was he indicted on CONSPIRACY to steal the data?

    and I quote...."A Florida man was indicted Wednesday in an alleged scheme to steal vast amounts of personal information, and the Justice Department said it might be the largest illegal invasion and theft of personal data to date"

    Use of the word scheme leads me to believe this is a conspiracy crime and that no actual theft occurred. Anyone else want to weigh in on that?

  11. It's also extremely well-worth noting... by The+Ultimate+Fartkno · · Score: 3, Insightful

    ...that the man (scum-sucking dirtbag duck-raper, actually) indicted, Scott Levine, is the owner of Snipermail - a spamhouse located in (get ready for a shock!) Florida. Is anyone surprised that a spammer (connected to Eddie Marin, btw) has moved on to massive identity theft? Don't you just wonder what he was planning on using all that data for?

    How about a quick game of Hangman, kids. "Here's hoping he gets time in a federal _____-__-__-___-___ prison!" (Commence flames from more enlightened readers in 3... 2... 1...)

    1. Re:It's also extremely well-worth noting... by Anonymous Coward · · Score: 0

      You got it: rape, including prison rape, is not a joking matter.

    2. Re:It's also extremely well-worth noting... by Mattintosh · · Score: 1

      Ah, but it is. We don't like rape, especially prison rape. But we do wish it upon our worst enemies.

    3. Re:It's also extremely well-worth noting... by slavefishy · · Score: 1

      All your identity are belong to us? No that doesn't fit, nevermind.

  12. Would be better..... by Anonymous Coward · · Score: 0

    if they used a wide-open, everyone-can-see security that only Linux can provide...

    Feel safe with RMS and ESR.

    -discuss and explain

  13. Case in point by Lord+Grey · · Score: 5, Insightful
    > Approximately 8.2 GB of data was stolen from Acxiom Corp...
    This is yet another example of why it would be a terrible idea to institute a national ID card. The people backing the card, when faced with the concept of someone stealing the contents of the database that would support the card, invariably insist that "it couldn't happen -- we'll secure it real well."

    Beyond the fact that a national ID card wouldn't provide any additional security, putting that much private information in one place is just asking for trouble. As this latest debacle shows, and as Schneier points out in the article I referenced.

    From the CNN article:

    "We will aggressively pursue those who steal private information from computer networks and make it clear that there are serious consequences for such crimes," [Assistant Attorney General Christopher Wray] said.
    Oh, good. That will surely stop it from happening.
    --
    // Beyond Here Lie Dragons
    1. Re:Case in point by dave420 · · Score: 1

      You already have at least one national ID card - your drivers license. Two, if you have a passport. It's already happened.

    2. Re:Case in point by null-loop · · Score: 1

      I assume we're talking UK here, because I don't have either, and I'm not required to have either. The issue is when we have a system that it's impossible to opt-out from.

      --
      "If you unscrew Bill Gates' navel will the bottom fall out of the software market?"
    3. Re:Case in point by hiryuu · · Score: 2

      > You already have at least one national ID card - your drivers license. Two, if you have a passport. It's already happened.

      Last time I checked, a drivers license was only required if, say, you wanted to drive a car. Likewise, a passport is far from being a mandatory piece of documentation. When people describe a national ID card as a "bad thing," they're generally referring to the concept of a nationally-standardized ID document that you must be issued and that you must keep on your person at all times, under force of law. My understanding only, of course...

      --
      Karma: Excellent, but still won't get you laid.
    4. Re:Case in point by cpghost · · Score: 1

      National ID cards are used everywhere in the world, except the US. Yet people are no more nor less safe because of this.

      It's not the national ID that's a problem. This database is probably the best secured in a country. Even if it got broken into, there's nothing interesting there: just your name, photograph, address (perhaps a trail of addresses), and perhaps some biometric identification (if the photograph is not enough) just in case you lost your ID card and needed a new one.

      It is the whole bunch of small, amateurish or corporate databases, where you submit your data that are much more vulnerable: utilities, phone company, bank, driver licenses, health insurance, employer or school,...

      Private investigators usually don't bother to query a national ID registry; that's way too dangerous and usually heavily punished. They gather information about you at the weakest link; through direct observation, but also by shopping with all those small databases (yes, it's not always legal, but as long as you don't get caught, so what?).

      If you have concerns about the privacy of your data, you'll have a hard time avoiding each and every company out there. It's already too late to turn back time. All your data are belong to us!

      --
      cpghost at Cordula's Web.
    5. Re:Case in point by MemRaven · · Score: 1
      Well, not in the usual sense of a national ID card.

      First, my driver's license is issued by a state (in my case California). And I don't actually have to have one, because I might not be licensed to drive.

      Second, even in cases where I need identification, my identification card is issued by a state as well (also California).

      Also, the major differences between those two things and what most people think of as a "national ID card" is that I actually am never required to present them to government officials when going about my day-to-day business. I use my driver's license to prove my identity to private (and public, truth be told) entities, but those entities only use the information as a biometric check: am I who I say I am? They don't connect information to me based on my driver's license number, only use it as a biometric holder. My passport is only used when I travel.

      If you lived somewhere that actually does have a national ID card (like Spain IIRC) you'd find that you effectively need that card for everything. It's a combination ID card, social security card, passport (when travelling w/i the EU in Spain you don't need a passport, just your ID card), health insurance card, etc.

    6. Re:Case in point by MemRaven · · Score: 1
      Well, definitely not every country, since although being a US citizen I reside in the United Kingdom, and there's no national ID card there. Big Brother Blunkett wants to introduce one, but it's not gone far yet.

      And to be honest, I almost wish they would. There's nothing except a driver's license (which not nearly as many people have as in America) and a passport (which more people have than in America, but are still not widespread) which has any type of biometric information and is state issued, and as a result proving my identity is a total PITA all over the place. Usually I have to show my passport, show some documentation proving that I live at my address (like utility statements), and answer some security questions just to prove my identity. What a pain!

      But I just wanted to point out that your gross exaggeration is a case of hyperbole. And it's wrong.

    7. Re:Case in point by archen · · Score: 1

      Yeah, that's what I thought but it's not so. I went to Canada for the weekend and came back across the border. So they start asking me questions. One question was "Where were you born?". For me that was New Zealand. Guess what? A drivers licence only proves you can DRIVE. It doesn't say anything about your actual ID or that you are a citizen.

      Funny thing was, that this was the only time I forgot my passport. So I spent 4 hours at the border waiting for extremely bored looking office workers to finish interrogating some poor old Polish couple before finally talking to me and deciding I was safe. I knew I should have kept my National Guard ID when I went inactive...

      So yeah, a passport is really the only national ID you have, but who actually carries it around?

    8. Re:Case in point by TyrranzzX · · Score: 1

      Or, heaven forbid, I were to, oh, I don't know, hrm, assemble massive databases of information and make them available via P2P or sell them on the street via CD's?

      AFAIK, there is no law forbidding that in the US.

    9. Re:Case in point by cpghost · · Score: 1

      > Well, definitely not every country, since although being a US citizen I reside in the United Kingdom, and there's no national ID card there. Big Brother Blunkett wants to introduce one, but it's not gone far yet.

      Yes, you have a point here. Please add the United Kingdom to the tiny list of countries that don't have national ID cards (yet). I'll use more careful wording next time. Sorry.

      > Usually I have to show my passport, show some documentation proving that I live at my address (like utility statements),

      I know that too. It's a pain in the neck, because your current address is normally not recorded in your passport. Unless you happen to live long enough in a country, so that you can obtain a new passport with your new address in it.

      > But I just wanted to point out that your gross exaggeration is a case of hyperbole. And it's wrong.

      Why would it be wrong? Just because I was too lazy to list every exception to the rule?

      As you've pointed out yourself: a single point of contact for your ID would have been preferable. I'd prefer NOT to be dependent upon some random companies (bills), just to prove that I'm indeed myself. A nice nationwide (worldwide?) database that associates my ID with a unique set of biometric data would actually protect me from accidentally losing my identity. With a central database, all I have to do is to show up at a registration desk, look into an eye-scanner and presto, I get a new ID card. That's definitely more convenient than, say, gathering utility bills, and a whole lot of other documents that may as well have been lost/stolen/destroyed...

      There's a drawback to a nation-wide ID database too. You have to be very careful what data is stored there. States usually have a giant appetite for additional private data: "Why not add XYZ to the ID database? It would prevent ABC." Unless the population resists such attempts, a whole lot of information will be stored about you in one central location. Then it won't be such a good idea anymore.

      --
      cpghost at Cordula's Web.
    10. Re:Case in point by diamondsw · · Score: 1

      Okay, someone explain this to me then. What's wrong with a national identity card that does *not* link back to a huge central database? Why not just have a card that standardizes the information on the card, where it's located, etc. And a magnetic strip with the same information on it - no more, no less. What exactly is wrong with that? We all (just about) have drivers' licenses, why not standardize them (and the state driving laws, for that matter)?

      --
      I don't know what kind of crack I was on, but I suspect it was decaf.
  14. Details... by Anonymous Coward · · Score: 5, Informative
    Remember last year when Acxiom had some "minor" security issues? It was slashdotted, here and here. Their nightmare is far from over. Just yesterday a 144-count indictment was slapped to Scott Levine, 45, of Boca Raton, Fla.-based Snipermail.com Inc. Levine was charged with conspiracy, unauthorized access of a protected computer, access device fraud, money laundering and obstruction of justice, according to the indictment. Did I mention he's accused of stealing about 8.2 gigs worth of data at the same time Daniel Baas was stealing gigs of data? Baas has already been convicted.

    THIS WAS NOT AN INSIDE JOB. Two people from different parts of the country were "hacking" Acxiom at the same time, using the same vulnerability. Neither of them even knew each other. Acxiom's security was a flaming turd.

    Search all the Daniel Baas articles and you will find he cracked a password file they had in a public directory on the ftp server. This guy did the same thing. Acxiom should be shutdown for their stupidity.

    1. Re:Details... by Anonymous Coward · · Score: 0

      But this was. I'm glad the people at Acxiom have more integrity than this police force.

      "Power tends to corrupt, and absolute power corrupts absolutely." - Lord Acton.

  16. you guys can relax by Anonymous Coward · · Score: 0

    http://www.acxiom.com/default.aspx?ID=1671&Country_Code=USA

    Ya see? Privacy is their TOP concern!!

    Trustworthy Computing anyone?

  17. Law by Anonymous Coward · · Score: 0

    The first "acxiom" of security: "Protect your data"

  18. Re:dumb ass by Anonymous Coward · · Score: 0

    It was a windows server dumbass. It had a crackable password file on it...ie. SAM file.

    Try cracking a Unix or Linux password file with LC!

  19. Get your facts straight! by Anonymous Coward · · Score: 2, Informative

    It wasn't Acxiom employees that agreed to cooperate it was Snipermail employees. Man, people can't get facts straight.

    "Snipermail employees have cut deals and aided federal investigators, prosecutors said.

    Also named in the indictment are Levine's brother-in-law Magdiel Castro; longtime business associate Jeffrey Richman, who operates Florida corporation RichMedia Inc.; systems administrator Jeffrey Burstein; Melvin Donald Atkinson, a computer analyst; Marcos Cavalcante, a graphic designer; and William F. Clinton, a computer specialist."

  20. Levine will, of course... by Anonymous Coward · · Score: 0

    ...use the Slashdot defense, claim that it was copyright infringement and not theft since they still had access to the data, pay $3500 to the RIAA and walk.

    The case will later be overturned when it's discovered that the database was never in fact copyrighted, and his conviction will be dismissed.

  21. Who the hell... by Anonymous Coward · · Score: 0, Flamebait

    Works for these companies? They're probably running Windows. This guy probably didn't even need to "hack in." I've worked in IT since '94 (since I was old enough to work, basically) and I've noticed a resistance by management to go with something that seems so "esoteric" to a non-IT person. That would be Linux, FreeBSD, etc. I mean, obviously we're all techies here, and these news stories probably strike you the same way they strike me. Like DieBold and their MS-Access database. Who the hell... Two things we need to work on:

    1. Removing the 'esoteric' nature of open source. Right now it's greek to most people.
    2. Become an expert in the Microsoft technologies, and then always recommend against them. (So they take you seriously, since all they know is "MCSE," MCDBA")
    3. Routinely discredit your coworkers who know only the Good Word of Microsoft. Also, ask for a decent raise when you routinely save your company thousands of dollars and prevent the headache of MS--Remind them when that big bad Outlook virus hits most of the world. "No sir, we're not affected."

    Just my two meandering thoughts...

    1. Re:Who the hell... by Anonymous Coward · · Score: 0

      uh, call me a troll but it looks like you can't count, that's three things not two.

    2. Re:Who the hell... by Anonymous Coward · · Score: 0

      I used to work at Acxiom (not for any of the divisions involved) and I can tell you that your assumption (re Windows) is wrong. They run everything from Sun Enterprise, DEC (ne Compaq, ne HP) Alpha, Intel, IBM Mainframes, etc. Oracle, Red Brick, SQL Server, etc...

      When I was there we were just starting to look at Linux (several years ago).

    3. Re:Who the hell... by Anonymous Coward · · Score: 0

      I attended a training class last year and there was an Acxiom employee present. He indicated they used Sun equipment that was attached to multiple EMC Symmetrix and DMXs. They run Oracle database software also.

    4. Re:Who the hell... by TigerDragon · · Score: 1

      They run 5 different UNIX flavors including Linux. They also run Windows. You shouldn't jump to conclusions just because they got hacked that they run Windows only and are a company full of MS babies. Their customers are diverse and big name corporations. I've seen their UNIX server room (interviewed for a UNIX sysadmin position there) and they've got a couple of floors of one building dedicated to the UNIX servers alone. I agree that many corporations need to take the steps you outlined, but Acxiom isn't one of them... they've already gone that route thanks.

    5. Re:Who the hell... by Anonymous Coward · · Score: 0

      Holy Crap. I saw '94 and I thought to myself, that's not that long ago. Until I realized that it's been 10 years.

      "10 YEARS MAN! TEN YEARS!"

      what the hell happened to all the time?

    6. Re:Who the hell... by Anonymous Coward · · Score: 0

      > what the hell happened to all the time?

      Probably a lot of unemployment.

    7. Re:Who the hell... by Anonymous Coward · · Score: 0

      This was all part of the original story, just new indictments not a second hack

    8. Re:Who the hell... by Anonymous Coward · · Score: 0

      Hi. Acxiom has multiple thousands of dual-cpu servers running Linux, 2.8 Ghz Xeons I believe, from several hardware vendors. They have several hundred SMP servers running Tru64, Solaris, HP/UX, and AIX; certainly many thousands of UNIX(tm) CPUs total. There are several diesel generators the size of tour buses to back up power to the server rooms. To say that they are "probably running Windows" shows that you have absolutely no clue as to the amount of data they move around.
      And yes, most of the desktops are running Windows, because it's a good desktop operating system, and being compatible with customer systems is important... but it's not very good at data processing.
      Some very bright people work for Acxiom, and also some not-so-bright people. Probably not unlike where you work. Acxiom has people who contribute to open source projects as well. Oh, and they read Slashdot too, and sometimes post AC :)

  22. Investigation by G.+Waters · · Score: 1

    Investigator: May I acx you a few questions?
    Employee: Well... uhh... iom...

  23. Re:so they have to steal that much to get prosecut by Anonymous Coward · · Score: 0

    I also have a friend to whom this has happened. She tried to get help from the police and the FBI, to no avail. This identity thief is STILL at large, and STILL opens accounts with my friend's social security number, and my friend even has the thief's current living address (or at least the address to which the thief had her new cell phone mailed)....but the authorities will do nothing.

    Every other year my friend has to go through the bad-credit repair process...and getting rid of all her old credit cards hasn't helped a bit. But at least she gets plenty of advertisements for products and services she has used before!

  24. inside or outside by Anonymous Coward · · Score: 0

    either way, that company makes it easy to do. Useful info on a MS system exposed to the net. Oh yeah.

  25. Why not me? by scowling · · Score: 3, Funny

    Some days I wish someone would take my identity.

    --
    www.kitchengeek.com -- Nosh for
    1. Re:Why not me? by pinkocommie · · Score: 1

      So that's why I've been getting so many Welfare checks lately :-D

    2. Re:Why not me? by Phleg · · Score: 1

      Actually, we had all the information we needed to do so, but then we realized that nobody wants to be you.

      --
      No comment.
  26. The 6 insiders are NOT from Acxiom by Tex+Bravado · · Score: 2, Informative

    the cooperating employees are at snipermail,
    according to the CNN article.

  27. "Vast amounts" by shoppa · · Score: 1
    8.2 Gbytes is pretty puny by modern standards. It's a couple of DVD-ROM's.

    That said, it's enough (if compressed data) to have the Social Security number of all US Citizens, or all their credit card numbers, etc.

    1. Re:"Vast amounts" by cpghost · · Score: 1

      Right. If every personal record is, say, 256 bytes or so, that's still an awful lot of very sensitive data.

      Spammers exchange lists of verified e-mail addresses every day. Those files don't have to be that big, yet they cause a lot of trouble anyway!

      --
      cpghost at Cordula's Web.
    2. Re:"Vast amounts" by Anonymous Coward · · Score: 0

      Acxiom has petabytes of data on you and everyone else in this country. It's really quite frightening. I was offered a job there earlier this year, but declined for ideological reasons.

      They also do things with their Oracle databases that not even Oracle understands. It's a technically amazing place, however evil it is.

    3. Re:"Vast amounts" by laigle · · Score: 3, Insightful

      First off, 8.2 gigs is a LOT of simple data. We're talking about databases here, not mp3s. A few kbytes can give you everything you need to steal someone's identity and more. We're talking about hundreds of thousands or even a few million entries.

      Second, what can you really do with 50 million social security/credit card/name/address matches that you can't do with 1 million? It's not likely this data was stolen just for spam, much larger databases are readily available for that purpose. Even the largest, most nefarious criminal organization would be set for years with a million verified identities to misuse. Even if you could only net a few hundred dollars from each identity theft, that's a LOT of money. And at a certain point the scale of the data overrides your ability to exploit it anyways.

    4. Re:"Vast amounts" by Anonymous Coward · · Score: 0

      I concur. A typical ID record is less than 400B.

      If you like long division:
      8804682956B / 400B = 2201170 records

      fh

    5. Re:"Vast amounts" by Anonymous Coward · · Score: 0

      Without giving away anything identifiable (since I'm under an NDA, this post has been AC-ed), I work with Acxiom more than I would care to, given my opinion on their business (but hey, it pays the bills)... but here's what I will say about the parent and grandparent posts:

      1. Depending on exactly what type of data he stole, your 400B estimate may be two orders of magnitude too small. Most likely, it's closer to one order of magnitude off.

      2. 8.2G is *NOT* a lot of data. It's a lot of data, but it's not that much compared to what Acxiom has. They process TBs of data on a SLOW DAY.

  28. right, very important by tuxette · · Score: 1
    "The protection of personal information stored on our nation's computer systems is critical to public trust in those networks and to the health of our economy," said Assistant Attorney General Christopher Wray at a news conference in Washington.

    You hear these dumbasses saying it again and again, how important it is to protect personal information, blah, blah, blah. Yet they are reluctant to create laws that protect personal information, as those in Europe.

    If the protection of personal information were truly important, data protection laws at the national level would already be in place by now. The reality is that businesses don't feel it's important (unless they get caught in a situation like this one). And they pay lawmakers large sums of money to keep it that way.

    --
    People say I'm crazy, I got diamonds on the soles of my shoes...
    1. Re:right, very important by YrWrstNtmr · · Score: 1

      > Yet they are reluctant to create laws that protect personal information, as those in Europe.

      Laws, such as those in Europe, would not, cannot prevent such incidents. They can only penalize the criminals after your data is out in the wild.

      After all...there are laws (with very, very tough penalties) against murder, right?

    2. Re:right, very important by tuxette · · Score: 2, Insightful
      At least in Norway, part of the law involves securing the personal data once it comes into the hands of the data controller. So while it may not prevent hackers from trying, it says that the data controller has to establish and maintain the measures required to keep data safe from such attacks.

      Take a look at sections 13 and 14. There are also special rules to the law that specifically touch on information security, but I don't have a link in English.

      --
      People say I'm crazy, I got diamonds on the soles of my shoes...
    3. Re:right, very important by gorbachev · · Score: 1

      The laws in Europe would prevent Acxiom from ever doing what they're doing.

      This company, according to reports elsewhere, knows everything about you, and sells that information to anyone it can. Credit card numbers, spending habits, SSN, current and past addresses, everything.

      There is no reason to steal the data when you can just buy it, then resell it over and over and over and over again.

      No wonder identity theft is such a big problem. Nobody freaking takes privacy seriously in this country.

      --
      In Soviet Russia, I ruled you
    4. Re:right, very important by Metzli · · Score: 1

      Umm, not necessarily. I know that they're in the UK. That's most likely not the only country in Europe where they have an office. Germany comes to mind too, if memory serves.

      --
      "It's too bad stupidity isn't painful." - A. S. LaVey
    5. Re:right, very important by YrWrstNtmr · · Score: 1

      Right. But that only serves to outline the law to those who would follow it. I applaud those laws and wish we had more of that here, but a criminal, especially an insider, who wants all those db rows will get around them.

      As is oft quoted here on /., "If I can see it or hear it, I can copy it."

  29. Re:$7 million? - READ THIS by Anonymous Coward · · Score: 0
    http://www.usdoj.gov/usao/ohs/Press/12-18-03.htm

    That's Daniel Baas' conviction. They claimed 5.8 Million in his case in damages.

    "Baas faces a maximum penalty of five years in prison, a fine of $250,000 or twice the amount of gain or loss, and three years of supervised release."

    This for 1 count. This new guy has a buttload of indictments and will be wishing he got Daniel's penalty.

  30. Article text for those that don't RTFA by Scrab · · Score: 0

    WASHINGTON (CNN) -- A Florida man was indicted Wednesday in an alleged scheme to steal vast amounts of personal information, and the Justice Department said it might be the largest illegal invasion and theft of personal data to date.

    The 144-count indictment against Scott Levine, 45, also includes charges of conspiracy, fraud, money laundering and obstruction of justice, according to the Justice Department.

    Levine's alleged target was Acxiom Corp., one of the world's largest companies managing personal, financial and corporate data, federal authorities said.

    Levine is accused of stealing vast amounts of personal information from the company via the Internet.

    Federal officials said the theft of approximately 8.2 gigabytes of data resulted in losses of more than $7 million.

    "The protection of personal information stored on our nation's computer systems is critical to public trust in those networks and to the health of our economy," said Assistant Attorney General Christopher Wray at a news conference in Washington.

    "We will aggressively pursue those who steal private information from computer networks and make it clear that there are serious consequences for such crimes," he said.

    Levine, a resident of Boca Raton, Florida, is described in the indictment as "the controlling force" in Snipermail.com Inc., a Florida corporation engaged in distributing advertisements via the Internet on behalf of advertisers and brokers.

    Acxiom, headquartered in Little Rock and Conway, Arkansas, stores and processes millions of bits of data on behalf of a wide range of clients that include IBM, GE, Microsoft and many major credit card companies.

    The invasions from Snipermail were discovered during another investigation of another intrusion at Acxiom last year, authorities said.

    The FBI's regional computer forensics laboratory in Dallas, Texas, and computer forensic experts from the FBI and the Secret Service were unleashed on the cyber intruders.

    The indictment alleges that Levine and others at the company attempted to hide computers from investigators.

    Six employees at the company agreed to cooperate with the investigation, authorities said.

    --
    RoseColor red={0, 0xffff, 0x0000, 0x0000};VioletColour blue={0, 0x0000, 0x0000, 0xffff};find / -name *mybase*|chown you
  31. Spying is Spying by ObsessiveMathsFreak · · Score: 2, Insightful

    If I compile data on someone, their purchases, habits, income and other records, I'm stalking/spying on them.

    If I'm a company compiling 8GB or such data on hundreds of thousands of people, I'm doing market research.

    If I'm a single individual who gains access without consent to such a companies data, itself usually obtained without consent, I'm a snooping crook/terrorist/cracker/pervert/thief who gets thrown in jail.

    RFID. Credit Cards. Social Security. How come I can't acquire such data, yet amoralistic multinationals can. Does the fact that I don't want such information in the hands of anyone at all even count? Tinfoil hat or no, no-one likes being snooped upon. Data rape is data rape no matter how drunk someone was on free handouts.

    --
    May the Maths Be with you!
    1. Re:Spying is Spying by Nutrimentia · · Score: 1

      I metamoderated on this comment and thought that it was really good, so I posted this followup too. This sentiment needs a wider following and national attention.

  32. Mod Up informative by Nurseman · · Score: 1
    > It is not our information, it is information about us.

    Mr AC is 100% Informative, this is data freely available to anyone who will pay. Does Slashdot need to report every employee theft story ?

    --
    Save a Life. Donate Blood. Please.
    1. Re:Mod Up informative by Anonymous Coward · · Score: 0
      > Does Slashdot need to report every employee theft story ?

      Yes, yes they do. It allows them to ignore the fact that a House Committee passed something called Family Movie Act. Look into it.

    2. Re:Mod Up informative by Opie812 · · Score: 0

      I stole a pen from work yesterday.

      --
      I'm not a nerd. Nerds are smart.
  33. I never knew... by Embedded+Geek · · Score: 1
    > 144 identity theft charges... 8.2 GB of data

    Golly! That's 56 MB of data per person! Not only is Big Brother watching, but apparently he's paying closer attention than I am.

    --

    "Prepare for the worst - hope for the best."

    1. Re:I never knew... by Compulawyer · · Score: 1

      Not really ... all the data/person was hand-written on 8 1/2" X 11" paper then optically scanned to TIFF images at 1600 DPI. That means about 3/4 of a sheet per person.

      --

      Laws affecting technology will always be bad until enough techies become lawyers.

    2. Re:I never knew... by Embedded+Geek · · Score: 1
      Good point. Actually, I had expected "but those charges were for more than one victim..." kind of replies. 'Good to see a thought out response instead.

      Thanks

      --

      "Prepare for the worst - hope for the best."

    3. Re:I never knew... by Compulawyer · · Score: 1
      It was a thought-out reply, but also a joke. I guess thought-out jokes just aren't funny. Then again, yours may have been a sarcastic joke, but I didn't notice the text included between the <sarcasm> and </sarcasm> tags. Oh well.
      --

      Laws affecting technology will always be bad until enough techies become lawyers.

    4. Re:I never knew... by Embedded+Geek · · Score: 1
      I got lazy - I'll do the tags next time.

      Mea culpa.

      --

      "Prepare for the worst - hope for the best."

  34. how to get the attorney general to follow through by millahtime · · Score: 1

    If you want to get the attorney general to follow through, then someone just has to steal his identity. I'm sure that will lead to some nice prosecutions.

  35. The solution: Translucent database by richieb · · Score: 3, Interesting
    See this book on translucent databases. The data in such a database is useless to all, except those who actually own the data. So, in this case, the stolen data would not be useful to anyone.

    --
    ...richie - It is a good day to code.
    1. Re:The solution: Translucent database by Anonymous Coward · · Score: 0

      Credit card, social security numbers and full demographics wouldn't be useful? BULLSHIT

    2. Re:The solution: Translucent database by Anonymous Coward · · Score: 0

      Not if they are encrypted. DUMBSHIT.

    3. Re:The solution: Translucent database by Anonymous Coward · · Score: 0

      Oooh, an encrypted database!!! That's a new idea after all...

      Just one more layer of security to defeat if done ineptly, nothing more...

    4. Re:The solution: Translucent database by richieb · · Score: 1
      Oooh, an encrypted database!!! That's a new idea after all...

      It's a bit more clever than that. Read the book.

      The main idea is that only you will be able to open up all your data, and anyone else who sees it (even an insider) will find it useless.

      --
      ...richie - It is a good day to code.
  36. Should we describe the site as hacked ... by burgburgburg · · Score: 1

    if there are six employees making 8.2 GB of backup tapes/CDs/DVDs/floppies and passing them on for envelopes of cash? Convincing insiders to criminally conspire with you for money doesn't even qualify as social engineering.

    1. Re:Should we describe the site as hacked ... by Mysticalfruit · · Score: 1

      I'd like to know what this 8.2gigs of data was.

      Considering these places have hundreds of terabytes worth of data on people, 8.2Gigs of it would seem like a grain of sand on the beach.

      However, I suppose that some crafty SQL could cull that down to the bare minimum data needed for a credit card app.

      --
      Yes Francis, the world has gone crazy.
  37. "Hacked" ? by Quixote · · Score: 2, Insightful
    How long have you been working (the term used loosely here) at Slashdot, Michael?

    This wasn't a "hack". It was an inside job: a contractor using a company-provided username/password to access data that he should not have had access to, but did because of lax policies on the part of the company (Acxiom).

    This is not a "hack". It is theft. Plain and simple.

  38. Data Protection by PacketScan · · Score: 0

    Besides fully disclosing when data is lost / compromised, companies that show they can not protect such data should not have said data. Plain and simple.. I'm tired of the fact that companies don't care about security. They would rather say how much they lost so they get the tax write off. -I pore over every log every day looking for oddities. If companies would spend the time on security, things like this could be prevented. And the other fact: how did they get 8.2gb out of the place? Was it disk, was it through the Internet? If someone was trying to send that much data out of my office, be damned sure I would have caught that. By the way I haven't been infected with a virus in over 4 years. Think that is a coincidence? No, it's called proactive defense and if you don't practice it you will get hit eventually.

  39. the way, the truth, the light by millahtime · · Score: 1

    The only way to keep private data private is to memorize all the info, burn the paper it's on, delete it and format the hard drives it was on, and always remember to wear your tin foil hat.

  40. Obligatory Slashdot joke by Weaselmancer · · Score: 0, Offtopic

    Overheard at NASA's image server:

    "Houston, we have a problem..."

    --
    Weaselmancer
    rediculous.
  41. two words by www.sorehands.com · · Score: 1

    Punch cards!

  42. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  43. Re: Privacy is our top concern? Whatever by gorbachev · · Score: 1

    Acxiom is a f***ing joke.

    They keep their most valuable business assets on a FTP server connected to the public Internet. Privacy sure is their top concern...

    Furthermore Acxiom's business IS to ignore people's privacy. They sell YOUR information to whoever pays enough for it.

    They also e-pend and allow their customers to spam you.

    I hope the next person to hack into Acxiom cracks in real good and deletes not only the data on the FTP site, but all backups as well.

    Proletariat of the world, unite to kill Acxiom

    --
    In Soviet Russia, I ruled you
  44. Re:disclosure, "when will we have laws ?" by nusratt · · Score: 3, Interesting

    "of course i can't be bothered to RTFA, but when will we have laws making it a mandatory requirement for companies like this to fully disclose events like this to the public"

    can you be bothered to contact your legislators, or consumersunion.org, or epic.org?

  45. Too cheap to pay for good security? by sfprairie · · Score: 1

    The speculation on /. seems to be that the weak security is because of M$ products and lazy/ incompetent IT people. I wonder if that is really the cause, or maybe it's because the Company is too cheap to hire good IT, or it's too cheap to allow IT to do what it wants? I wonder how often the cause of poor security is not because the IT people don't know what to do, but because the higher-ups will not allow IT to spend the time/ money/ resources necessary. Security does not contribute to profitability, so a company probably does not want to spend on it unless they are forced to. Just my two cents.

    1. Re:Too cheap to pay for good security? by TigerDragon · · Score: 1

      They are not a Microsoft only shop. They run 5 different flavors of UNIX as well.

      They've recently laid off a lot of people and are restructuring / rehiring after the big internal shift. This may have something to do with the poor security. They're still hiring for security positions last I checked and DO take the security of their data seriously. I just don't think they have the manpower as of yet to lock down the systems that aren't (but should have been) locked down already.

    2. Re:Too cheap to pay for good security? by PacketScan · · Score: 0

      Nine times out of ten. I was told no, you can't take a user off the network if their machine is infected.. They need to work. ( well yeah, so do the other 3000 employees. ) Management needs a wake up call across the board. In any event that user was taken off the network swiftly.

  46. MS SQL, ASP and stupid programmers by fionbio · · Score: 1
    There's a pretty simple explanation why stealing data is so easy... Go to www.google.com. Type
    order inurl:asp?id
    . You'll see a lot of pages related to online stores that are based on ASP and get some ID from Request(...). Now follow one of the links, then replace a number after id with '. What will you see?
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quote before the character string ' AND HostID = 319'.

    /../responseRedirect.asp, line 10
    What does this mean? This means that the site was made by a not-so-good Visual Basic programmer, who learned this "wonderful" language and now thinks that he can do server-side code. Implications? Most likely, ALL DATA FROM DB CAN BE STOLEN. All you need is MSDE and a bit of programming. SQL Server is flexible enough to allow theft of all data via this "small" SQL Injection hole.

    So, the main problem is Microsoft, and, of course, stupid programmers. They mostly use ASP, and now they are slowly migrating to ASP.NET (aspx). Also, there are PHP guys who use include($page) without any filtering, but it's somewhat less common. SQL injection is also less dangerous for PHP+MySQL sites, as MySQL is less "flexible".

    Sadly, I don't know what can be done to solve this... Microsoft will continue to exist, and stupid programmers, in most cases, have bugs in their DNA - so education won't help...

    1. Re:MS SQL, ASP and stupid programmers by execute85 · · Score: 1

      Note that this same problem exists in JSP, PHP, CGI or any other web prog system where stupid programmers build db queries as Strings. This isn't unique to ASP or M$ and pretty much every API has a way of programmatically building queries and dml.

    2. Re:MS SQL, ASP and stupid programmers by DaddyDonMynack · · Score: 1

      That's why this stupid VB programmer uses error trapping and does not pass ids in the querystring!

    3. Re:MS SQL, ASP and stupid programmers by mborland · · Score: 1
      That's why this stupid VB programmer uses error trapping and does not pass ids in the querystring!

      Well...sorry, I'm in a nitpicky mood...but how do you pass params from one page to another (usually you have to pass some sort of ID)? e.g. if you click to see article ID #123, that gets passed somehow...(whether it's POST or GET doesn't matter).

      In other words, it's not so much 'don't pass ids in the querystring' as much as:

      • Check parameters on the server for proper type (integer, double, string...)
      • Abstract database access through methods that ensure proper types are used (e.g. to construct parameterized statements, or other strongly-typed access to data, not just raw SQL)
      • If access to the resource is limited by ID (e.g. I can read #123 but someone else can't) then both strong session management and server-side validation of the request (checking to make sure that mborland should have access to article #123) are required.
      If you do that, it's perfectly fine to pass ids through the querystring/POST parameters.
    4. Re:MS SQL, ASP and stupid programmers by mborland · · Score: 1
      Good post, I know people have been talking about SQL Injection for a while but I still see it all over the place.

      Most likely, ALL DATA FROM DB CAN BE STOLEN

      Worse yet, with such extended stored procedures as xp_cmdshell() (in MS SQL Server) you can execute code right on the server. You can launch island-hopping attacks this way (get beyond the DMZ and into the internal network, to launch further in). FYI xp_cmdshell() is only available to some logins, such as 'sa', but I see many people with their production sites running as sa.

      Other databases and serving environments are just as vulnerable to general SQL injection unless you do strong typing at the parameter retrieval (ASP/JSP/PHP) and data query level (MSSQL/Postgres,etc.). However most DBs don't have as scary a function as xp_cmdshell().

      The sad thing is that all environments have really good mechanisms for locking down this access, and NONE of them affect performance in any significant way. Generally I check values at each tier for validity, and when appropriate, for authority as well...in terms of speed, these checks do not generally affect performance and keep your code safer as well as better structured.

    5. Re:MS SQL, ASP and stupid programmers by fionbio · · Score: 1
      For sites that don't run as sa, the worst thing is OPENROWSET, which allows one to send results to a remote SQL server. There's a good paper on that topic.

      To avoid SQL injection possibility, the most intuitive way is using placeholders. In ASP.NET (ADO.NET) code written using command.Parameters.Add(...) etc. looks better than

      "select * from users where userid='" + userid + "' and password='" + password + "'"

      but people still tend to use the latter construct. So, one often can use ' or ''=' as an admin password.
    6. Re:MS SQL, ASP and stupid programmers by fionbio · · Score: 1

      The problem is that M$ breeds stupid programmers... It tries hard to make complex stuff look easy, while it would be better to introduce some minimum IQ requirements for writing server-side code.

    7. Re:MS SQL, ASP and stupid programmers by execute85 · · Score: 1

      Yeah, they'll get right onto that after slashdot introduces the minimum IQ requirements for posting.

    8. Re:MS SQL, ASP and stupid programmers by chiph · · Score: 1

      Like others have said, it's not just limited to MS technologies.

      That being said, in the VB forums I visit, about once a week some genius tells someone to "just double up the quotes and then it'll work". Arrrg!

      Chip H.

    9. Re:MS SQL, ASP and stupid programmers by mborland · · Score: 1
      To avoid SQL injection possibility, the most intuitive way is using placeholders. In ASP.NET (ADO.NET) code written using command.Parameters.Add(...) etc. looks better than [example]

      Yep, placeholders/parameterized queries (usually putting a literal '?' in the SQL) have worked best for me visually and security-wise. What I like about it from a strong typing perspective is that when using placeholders, you're actually using two different systems of checking the parameter at the same time. e.g. in Java, PreparedStatement.setInt() [setDouble...] force the correct data type within Java, and generally the database's statement evaluator (or driver) also performs checks on the parameter. Having two independent checks on the parameter type is better than none, or even one (in case, for instance, the database's placeholder implementation is really just a poor string substitution...which some are).

      I have never looked at OPENROWSET. Sounds nasty.

      Other problems in the past have also been with basic overflow problems within the database itself, such as bad functions that could be abused to execute code on the server. That could be a problem with many databases, if function implementation is poor. I think that most databases are more up to snuff, but custom functions (esp. those written in C or other low-level languages, not so much in the DB's native scripting language) can be a source for problems.

  47. There's an old saying in Tennessee... by SCHecklerX · · Score: 1

    ...I know it's in Texas, maybe in Tennessee - that says:

    hack me once, shame on ... shame on you.

    hack me...can't get hacked again!

    --g.w. bush

  48. Headline is wrong by YU+Nicks+NE+Way · · Score: 1

    (Ob disc. I have family that works for Acxiom.)

    The headline isn't right; there is no second break-in. This is a different crowd of people involved in the same breakin that was discussed earlier. The previous arrest was of the guy who actually broke into the FTP server; this is the arrest of a spammer who used that data.

    1. Re:Headline is wrong by Anonymous Coward · · Score: 0

      Bzzzzz....wrong. I know for a fact jack. Two separate people were downloading data from the FTP server in question. The people even at Acxiom are being lied to by their bosses to cover up the blunder. Ask them to check the logs where they WILL see two DIFFERENT IPs downloaded the publicly available password file. The first downloaded by Daniel Baas, the second by Scott Levine.

      Take that shit to the bank!

  49. Uplink Headlines by Remillard · · Score: 2, Funny

    I swear, reading Slashdot is starting to sound like those scrolling news blurbs in Uplink.

    ...
    Company X reports that N gigs of customer information were stolen by an unidentified hacker.

    ...
    Company Y reports that N gigs of project data was deleted by an unidentified hacker.

    ...
    etc., etc., etc.

  50. Oh No! by Jonsey · · Score: 1

    Oh crap! Data stolen?

    Wait, only 8.2Gig?

    Oh, never mind then, they can't have gotten the index of my porn collection.

    :: wanders off whistling ::

    --
    I assert that my comment is only my opinion, not that of any employer, past, present or future.
  51. That would explain by JohnnyGTO · · Score: 0

    the order for six gallons of peanut butter and a latex suit.

    --
    Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
  52. Common practice by execute85 · · Score: 1

    I worked at a large public records aggregator company that sold access over the internet and it was shocking how poorly secured the data was (possibly still is). There were many programmers who had copies of the db at home (each db included millions of SSNs, DOBs, etc). I hear they've cracked down and tried to make it more secure, but last time I checked it was still wide open.

    1. Re:Common practice by chamblah · · Score: 1

      But if the data is public records, any/everyone has access to it regardless.

    2. Re:Common practice by execute85 · · Score: 1

      The key is aggregation. Plus there are public records and publicly available records. For example, credit headers are publicly available and were all over the place at my former employer.

      Acxiom collects these same records and puts them together into a usable database.

  53. Re:so they have to steal that much to get prosecut by infinite9 · · Score: 2, Interesting

    Oh ya, and my friend's credit was STILL bad 2 years later from that stuff, even though all parties knew what had happened.


    This is because the Fair Isaac credit score has nothing to do with how good a customer you are. It's a measure of how likely a creditor is to make money from you. This is why if you keep paying your loans off after only a few months, you get a bad score. This is also why the reporting agencies were so reluctant to tell people how the score is calculated. If you're an identity theft victim, you're a bad risk for the creditor because they can't be sure you're really you. They're more likely to lose money from whoever is presenting your identifying information. Works as designed.

    This is yet another reason why credit card companies are scams. They're loan sharks, nothing more. Credit card companies in the US need heavy regulation. It will never happen though.

    --
    Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.
  54. As usual, Slashdot doesn't RFTA - here are facts by GPLDAN · · Score: 2, Informative

    The people that are cooperating are not from Acxiom. They are from snipermail. This scumbag Scott Levine and his half-brother, Miguel Castro (Jesus, you can't make these names up, truth is stranger than fiction) created a directed marketing "opt-in" scheme to sell email addresses. They hired a sysadmin by the name of William Clinton (ok, now this is getting positively 'Office Space' like. I'm surprised they didn't have Michael Bolton working there as well.) and good 'ol Billy found that Acxiom ran an unsecured FTP site, which you could CD to /etc and get the password file. He grabbed it and ran crack on it. He decoded 40% of the passwords. They started logging in with those usernames & passwords.

    They weren't clever enough to grab root and cover their tracks or overwrite logfiles, though. These toads remind me of Chris Cooper in Adaptation. Schemin Florida bums without too much upstairs.

    Acxiom hired a security firm to run an audit regarding the PREVIOUS break-in, and the team found that these morons were stealing reams of credit card data with the logins from companies like Microsoft and others. They were then selling the credit card numbers on the black market, mostly overseas.

    This whole sordid tale is laid out in the court documents, which are online and make for a great read. This Scott Levine reminds me of Scott Peterson, in sort of that creepy stupid way, where you know he did it just by the smirk on his face.

    Anyhow, these guys are going to federal pound-you-in-the-ass prison, and hopefully Bill Clinton will cooperate and get off since I doubt with a name like that, he would fare too well in prison.

  55. Acxiom's Stocks by trifakir · · Score: 1
    Is this new? If I was trading Acxiom stocks and reading the story (which seems to be announced by Reuters), I would rush to sell my positions in Acxiom. Additionally I would get some put options. AFAIU their records are not very clean, as well, but it seems that this is not reflected in their stock price.

    As a matter of fact they are doing quite well. I wonder how such news is reflected in the price of a company, the earnings of which depend very much on trust and security. Or are the market players so stupid that they do not see the threat? Then Acxiom is overpriced - go sell!

  56. Re:so they have to steal that much to get prosecut by Anonymous Coward · · Score: 0

    This is yet another reason why credit card companies are scams. They're loan sharks, nothing more. Credit card companies in the US need heavy regulation. It will never happen though.

    It's the tool of choice for keeping Freeloaders poor and the Hardworking rich, which is The American Way. The rub comes when the middle-class tries to use them to finance a better way of life and something goes wrong with their plan --then they get cast into the pile of Freeloaders and have to work themselves into an early grave to get out of it.

  57. Not theft by jfengel · · Score: 3, Interesting

    As many slashdot readers will be sure to point out, this isn't theft. Like music pulled off Kazaa, Acxiom still has the original data, and their use of it is not diminished by this guy having a copy.

    1. Re:Not theft by Anonymous Coward · · Score: 0

      yah, keep stealing your music pal, and telling yourself you're not a thief, based on some lame semantics argument.

    2. Re:Not theft by NeoRete · · Score: 2, Interesting

      However in this situation, there is money lost as this information facilitates identity theft and bogus credit card charges. Last time I checked, there was no direct money lost for each song that was downloaded via Kazaa.

      --
      30 characters are fine for a s
    3. Re:Not theft by jfengel · · Score: 1

      In other words, as long as the guy was pulling the personal data for his own edification, not for any profit, it would be all right?

      Of course there is a difference between "stealing music" (which is deliberately made public, just not _too_ public) and "stealing data" (which is more or less private, modulo the fact that Acxiom themselves are kind of sleazy even having it).

      My little troll was just to point out what I consider to be a hypocritical, but frequent, argument in other threads, that "stealing music" isn't stealing because your copy isn't diminished. There may be reasons why copyright infringement is a different violation from physical property theft, but nobody ever seemed to correct those in this thread who referred to this as "theft of data".

    4. Re:Not theft by evilWurst · · Score: 1

      This is far closer to theft than filesharing. "Identity theft" is properly named... you lose the clean use of your identity if your identity is stolen. (normal case: trashed credit rating. worst case: criminal record in your name)

  58. Re:Calls from Acxiom and Experian by symbolic · · Score: 2, Funny

    Whenever any of these companies call to verify information, I put them on hold and take care of any possible task that might be more important (which is just about anything). By the time I get back to their call, they've always hung up. Bummer.

  59. Goofiest mod ever. by Weaselmancer · · Score: 1

    Seriously. Offtopic? I tried to load the images thinking that if anyone could handle a Slashdotting, it'd be NASA. But guess what? The page loads, but the images do not. NASA is currently...Slashdotted.

    Maybe it's not teh funnae, so by all means don't mod me funny. But it's on topic, especially if you want to see the images rather than read about how great they are. Informative if you agree, and redundant if you're sick of Slashdot jokes, but offtopic doesn't apply.

    Remember, this is the problem meta mod is supposed to fix. Mod wisely folks.

    --
    Weaselmancer
    rediculous.
    1. Re:Goofiest mod ever. by Nos. · · Score: 2, Insightful

      I'm just wondering if you've realized yet, that both your posts here are offtopic, because this isn't the article on the Apollo pics!

  60. Not that uncommon by kingjosh · · Score: 1
    Many companies store sensitive data like this. A huge database of medical records in Cheyenne is run by an admin who turned off VPN because of security concerns and then went to office-wide wireless. The problem is hubris among those who think they know everything but are too lazy to keep up on things.

    What will happen when something huge gets compromised? Why don't we have the CHOICE whether or not our data is handled by a bunch of incompetent admins? When I go to the doctor I should be able to assume my records are NOT winding up on a phucking wireless network!

  61. punish what is really responsible by zogger · · Score: 2, Interesting

    Better idea. If a company gets cracked say three times, then make it the same deal individuals get in our society, most places three felonies, you get a huge jail time, as a career recidivist criminal and societal lamer. If a corporation gets busted for malfeasance or gets cracked three times, any combination, then they should get the same, which in their case would be loss of incorporation privileges, and to HECK with the stock holders, it's a gamble, they need to have that drilled in daily it appears. Stockholders only appear to be interested in profits as well, there's a large lack of interest in honesty and efficiency with them in general terms. Make these companies lose their corporate charter, stock holders go bust, end of story, maybe correct business decisions will sink in beyond this quarter's profits. These people want a capitalist solution, here's one, you aren't guaranteed profits, you are only guaranteed a chance to be honest and effective. Not just effective, not just honest, both. Either one you fail, then you fail it. If you are bogus and ineffective, the government, which is supposed to be "we the people", who GRANTS the charters, gets to take them away. There is no automatic guaranteed "right" to incorporation anyplace, it's a privilege granted by the people. This removal of bogus corporations doesn't happen near enough from my POV. Corporations, if you look back in history, were granted to both benefit the corporation (and the humans connected to it) as to profits, and also to be of a general public benefit. Unlike the pure lie you see repeated by corporate apologists who keep claiming corporations are "only" for making money. They love to say that, but it's not true, they just wish it was and act like it was, and for too long it has been that way in practice, but it's well past time to go back and revisit the realities of a granted incorporation.

    If they fail to make a profit they eventually go under, that part still exists with "the market place", but we have lost and forgotten about the other deal, if they fail to be of public benefit. They should be dissolved, and getting hacked multiple times and having innocent people's data compromised should go right up the responsibility chain to whichever corporation is responsible, along with the humans involved, who should then be prohibited from serving in any official capacity inside a corporation for x amount of years, a significant long time..

    I'd like to see it anyway, get that "responsible for your actions" deal back into common knowledge and practice.

    1. Re:punish what is really responsible by Anonymous Coward · · Score: 0

      Please kill yourself now before you come up with anymore stupid ideas.

    2. Re:punish what is really responsible by zogger · · Score: 1

      Let me guess, your corporation is guilty of criminal behavior, and it's because of what you personally did.... because you worship money, nothing else is as important as money....
      Sorry you got sucked in. Just remember, it's never too late to change.

      Anyway, lookup the history of corporations in the US, and read what was said about them way way back. You will find I am correct.

  62. Employment . . . by Dausha · · Score: 1

    Last Summer, after the *first* hack job occurred at Acxiom, my wife went to interview as software developer for Acxiom, here in Conway, Arkansas. The job she had at the time was for a local post-secondary-based non-profit organization. At the non-profit, all public servers had telnet *only* installed, and they routinely logged in remotely as root (not that it matters). There was no SSH. Okay, so public servers on a college LAN means?

    With that context, what bothered her about her Acxiom interview was the lack of concern about security among her interviewers, and her impression that security at her former job was tighter than at Acxiom! Needless to say, she kept looking. She thought the job at that company was a train wreck waiting to happen. Seems she was right.

    --
    What those who want activist courts fear is rule by the people.
  63. Look for the same thing this November by copponex · · Score: 1

    When the votes are all in one place, and someone has enough money, your votes are available for purchase because someone, somewhere, is a superuser who can't be trusted.

  64. Re:so they have to steal that much to get prosecut by enforcer999 · · Score: 1

    Part of the problem is that ID theft is the largest growing consumer fraud in the country. Investigators and prosecutors can not keep up with it. ID theft is now 42% of all reported consumer fraud. Over 200,000 people filed complaints with the FTC last year and the FTC estimates that as many as 9.9 million people were victims of ID theft last year. Yikes!

  65. I knew the first guy to do this. by Anonymous Coward · · Score: 0

    And he's sitting in jail right now. Was an old friend of mine from the local Cincinnati computer scene. It sucks he's sitting in jail right now, but I'm hoping that it will teach companies like Acxiom a lesson. He really didn't even do much hacking, just pulled the passwd file, which was accessible from FTP, big mistake... If anything I hope this encourages Acxiom to take better security precautions. After all they do probably have information about each and every one of us, and our families etc.

    1. Re:I knew the first guy to do this. by Anonymous Coward · · Score: 0

      I know Dan too. He's been in jail since last Aug. He pleaded guilty in Dec. and should have been sentenced in Feb. but the judge was in the hospital. Seems like he's going to serve his whole sentence in the Hamilton County Justice Center.

  66. A Few Notes on Acxiom. Opt Out Now! by CritterNYC · · Score: 2, Interesting

    Acxiom is certainly not an example of a very good company. Aside from the fact that they were hacked... twice... and had all their data stolen... twice, they are also an unethical marketing company. They purposely ignore opt-out requests from people who want to get out of their lists. In short, their privacy policies suck.

    Get out of all of their databases ASAP:
    (877) 774-2094
    optout@acxiom.com

  67. Family Movie Act by Jeremy+Erwin · · Score: 1

    If only the right of the consumer to add hardcore content to movies was recognized... Unfortunately, the act is written in such a way as to only free up censors.
    The report of the registrar of copyrights is interesting, inasmuch as she asserts the existence of moral rights, deploring a recent Supreme Court decision, Dastar Corp. v. Twentieth Century Fox Film Corp., which ruled that the Lanham Act does not prevent the unaccredited copying of an uncopyrighted work.

  68. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  69. Re:so they have to steal that much to get prosecut by lawpoop · · Score: 1
    Actually, I think it's not a bad thing. I was reading somewhere that allowing the credit card companies to do loan sharking has cut off major funding for the mafia. Everyone gets in trouble sometimes, and in the old days, mom and pop used to go to Guido.

    At least credit card companies don't break your legs. Between them and the mafia, I would choose to support the cc industry.

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
  70. Opt-Out by supersmike · · Score: 1
    you're only as safe as the weakest link in the chain

    I'm going to opt-out from all of the databases I can think of. With any luck, they'll honor the request. You can start by sending an opt-out request to optoutUS@acxiom.com. (Hopefully they won't spam me). Next up: The Direct Marketers' Association.

  71. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  72. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  73. Size? by mr100percent · · Score: 1

    Wouldn't the sheer size of data stolen indicate it was an inside job? 8.2GB doesn't just get downloaded off the server through the internet.

    1. Re:Size? by geekoid · · Score: 1

      maybe the sysadmin should have used the root directory as the 'My Shared Files' folder for Kazaa...

      --
      The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  74. Perhaps instead of prosecuting mp3 thieves by Travoltus · · Score: 1

    the Feds should go all out after identity thieves..

    oh wait, that would help the people of America and not the corporations...

    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!
  75. Re:A Few Notes on Acxiom. Opt Out Now! by /dev/trash · · Score: 1

    You say they ignore requests to opt-out but yet encourage people to opt-out.

  76. Regarding your comment. by Anonymous Coward · · Score: 0

    Swiftian in its alacrity.

  77. What's the matter, Col. Sandurz... by penginkun · · Score: 1

    ...CHICKEN? Sure, it's easy to hide your identity when you take a swipe at someone, but it takes balls to call me stupid to my face when I can see yours.

    Piker.

    I notice you don't have any constructive comments for what could be done to secure the data.

  78. Heheh, something's fishy.... by LordPixie · · Score: 1

    Weren't you tipped off that something might be wrong when your tin-foil hat anti-corporation post on the NASA thread also got modded as offtopic ? =)


    --LordPixie

  79. Ummm.. by tommck · · Score: 1

    ...They purposely ignore opt-out requests from people...

    ...

    Get out of all of their databases ASAP:
    (877) 774-2094
    optout@acxiom.com


    UHhh... If they ignore opt-outs... why are you trying to have us opt-out?

    Just seeing if you can keep us busy? :)

    --
    ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
  80. How to punish Acxiom? by John+Murdoch · · Score: 1

    A number of people have posted comments suggesting that (PTP) the root of the problem here was Acxiom's shoddy security. And have then followed up by posting open-ended questions about "how can we secure the 'Net when bozos like these guys don't lock their doors?"

    There's a simple solution.
    And no, it does not involve jail time for dumb sysadmins (stupidity is not a crime). It is much simpler--it's called tort law. If you are injured by Acxiom's shoddy security practices, you have a legal claim against the parties responsible for your injury. So, for example, suppose that your credit card information was swiped--and it transpires that the data came from an Acxiom-maintained database of information from General Electric. You can sue both General Electric and Acxiom, claiming a financial loss, damage to your reputation, economic losses due to your now-shredded credit rating, etc.

    Suing by yourself might be an exercise in frustration--but here's where contingent-fee litigation ("you only pay if we collect") works for the little guy: convince an attorney to pursue this as a class-action suit, and companies like General Electric will pay significant money to get out of the suit.

    The result?
    No--you're not going to get rich. You're probably not likely to get much beyond the actual cash loss you can prove. But you will dramatically raise the cost of outsourcing database maintenance to companies like Acxiom. And that's the only realistic way, IMHO, to solve this problem. Big companies have to learn that outsourcing the IT problem to the lowest bidder includes a substantial amount of risk--which, sooner or later, will cost them cash.

  81. No the REAL Question... by namespan · · Score: 1

    What is happening to the morons who leave this kind of information sitting around on an easily cracked server? Are they getting fines? Jail time? 40 lashes with a wet noodle? What?

    Because if not, dammit, I want to know where the torrent is!

    --
    Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
  82. What does Acxiom know and how to opt out by Somegeek · · Score: 1
    I called Acxiom's headquarters, 1.888.322.9466, then option 5 for their Consumer Hotline Menu. From it I found the following: (disclaimer: I may have misunderstood this information and/or be misrepresenting it. Please do not take this as the last word on this subject.)

    Get a Report

    From the Consumer Hotline Menu you may request a report showing what "non-public* (see data category 3 below) information that Acxiom has on file about you". This is option 6 from their Consumer Hotline Menu.

    You will be asked to leave your name, address and phone number so that they may mail you an official form to request the report of the non-public information that Acxiom has on file about you. There will be a $5.00 fee for the report. (Press # at the end of the message, then # again to send the voice mail message.)

    Opt Out

    To 'Opt out' of having the information that they store about you sold to marketing companies, select option 5 from the Consumer Hotline Menu. You will be asked to leave your name, address and phone number in order to be sent a form to request the opt out. There does not appear to be a fee. (Press # at the end of the message, then # again to send the voice mail message.)

    Acxiom's Data Classification

    Acxiom classifies consumer data into 4 categories: (this info came from option 2 on their Consumer Hotline Menu.)

    1) 'public and publicly available information.'

    Examples may include: property records, birth, death and marriage records, professional membership records.

    Acxiom may own this type of information about you.

    2) 'marketing info'

    This is information that is collected about you at the time that you make a purchase.

    Examples may include: name, address, phone number, etc.

    Acxiom may own this type of information about you.

    * 3) 'non-public information'

    This is information that is collected about you from information that you submit for surveys, etc.

    Examples may include: name, address, phone number, and any other information that you submit to a survey.

    This is apparently the information that will be reported to you if you request the $5.00 report about what they know about you. As far as I can tell, this is the only category of information that will be reported to you, but I don't know for sure.

    Acxiom may own this type of information about you.

    4) 'private and confidential info'
    Examples may include: info from your credit report, data about medical records, data about your salary or employment history.

    Acxiom states that this information is regulated under the Fair Credit Reporting Act and that "Acxiom DOES NOT OWN ANY INFORMATION IN THIS CATEGORY". (my capitalization).

    I don't know if this means that they don't store any of this information, period, or if they are just weaseling out by saying that they don't 'own' it, but not saying if they store it for their own use or for their customers.

    Disclaimer: This is information that I gleaned from listening to the information available on their voice mail consumer hotline, (1.888.322.9466, option 5), and I may have misunderstood it and/or be misrepresenting it. Please do not take this as the last word on this subject.

    --
    And as you tread the halls of sanity, You feel so glad to be, Unable to go beyond. I have a message, From another time..
  83. This Incident Happened Last Year! by MythosTraecer · · Score: 1

    I mentioned this to a friend of mine that works at Acxiom, and he told me if I had read the article completely (RTFAC?), I would have realized this incident happened last year, and the only news is that they want to press charges against the people involved now that the Justice Department has completed the investigation. There have not been any new break-ins, he says, and the company has beefed up security since then.

    --

    --Mythos
    1. Re:This Incident Happened Last Year! by Anonymous Coward · · Score: 0
      There have not been any new break-ins, he says, and the company has beefed up security since then.

      Oh that's great - but maybe if Acxiom had better security to start with this wouldn't have even occurred (not that there is any excuse for breaking passwords and taking info that doesn't belong to you). Come on, when the "master key" password is packer what do they expect to happen?

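    The account in comment 65 (a passwd file pulled off an FTP-accessible server) and the reply just above (a "master key" password of "packer") describe the same failure from two ends: once a password file leaves the machine, the attacker runs the guessing offline and any weak entry in it is as good as plaintext. The script below is an added example written for this page, not code from the thread, from the investigation, or from Acxiom. It parses a constructed passwd-style file, runs a small wordlist against every unlocked account and reports which ones fall. The hash scheme ($demo$salt$hex, SHA-256 over salt+password) is a hypothetical stand-in chosen so the script runs on current Python without the deprecated crypt module; the usernames, salts, passwords and wordlist are all made up.

```python
"""Offline dictionary attack against a leaked passwd-style file (added example).

The $demo$ scheme below is a constructed stand-in for a real crypt(3) hash,
used only so this runs without the deprecated `crypt` module.  Nothing here is
real data; every account, salt and password is made up for the example.
"""
import hashlib
import hmac
from typing import Dict, List, Optional


def make_hash(password: str, salt: str) -> str:
    """Hypothetical demo scheme: SHA-256(salt + password), encoded as $demo$salt$hex.

    A fast unsalted-strength hash like this is exactly what makes offline
    guessing cheap; real deployments want bcrypt/scrypt/Argon2 with a per-user salt.
    """
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$demo${salt}${digest}"


def parse_passwd(text: str) -> Dict[str, str]:
    """Return {username: hash} for passwd-layout lines (user:hash:uid:gid:gecos:home:shell).

    Locked or empty password fields ('*', '!', '!...', '') are skipped: there is
    nothing to guess against.
    """
    users: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, pw = fields[0], fields[1]
        if pw in ("", "*") or pw.startswith("!"):
            continue
        users[name] = pw
    return users


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against one stored $demo$ hash."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "demo":
        return False  # unknown scheme; a real cracker would dispatch on the $id$ prefix
    salt = parts[2]
    candidate = make_hash(password, salt)
    # constant-time compare is irrelevant offline but costs nothing and is a good habit
    return hmac.compare_digest(candidate, stored)


def crack(users: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Try every wordlist entry against every account; None means not cracked by this list."""
    results: Dict[str, Optional[str]] = {}
    for name, stored in users.items():
        results[name] = None
        for word in wordlist:
            if verify(word, stored):
                results[name] = word
                break
    return results


# Constructed sample file.  "packer" is the password the reply above claims was
# in use; the other entries are invented to show a locked account and a strong one.
SAMPLE_PASSWD = "\n".join([
    "# constructed sample, not real data",
    "root:" + make_hash("packer", "x7") + ":0:0:root:/root:/bin/sh",
    "ftp:*:14:50:FTP User:/home/ftp:/bin/false",
    "jdoe:" + make_hash("Tr0ub4dor&3", "q1") + ":1001:1001::/home/jdoe:/bin/sh",
    "svc_batch:" + make_hash("password1", "ab") + ":1002:1002::/home/svc:/bin/sh",
])

# Constructed mini wordlist; a real attacker uses millions of entries plus rules.
WORDLIST = ["123456", "password", "password1", "packer", "letmein", "acxiom"]


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    for user, hit in crack(accounts, WORDLIST).items():
        print(f"{user:10s} {'CRACKED: ' + hit if hit else 'not in wordlist'}")
```

    With the six-word list above, root ("packer") and svc_batch ("password1") fall on the first pass and only jdoe survives. The point is that nothing in this loop touches the target: once the file has been fetched over FTP, the remote side has no login attempts to count or lock out, so the only controls that matter are the ones applied before the leak, namely not exposing the file at all and using a slow salted KDF so that each guess costs the attacker something.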
  84. Whoa by twiggy · · Score: 1

    I just started working for a company that gets lots of marketing data from Acxiom... (it's a financial institution)... I had never heard of them until a few weeks ago when I started my job here...

    Any word on snipermail.com and any charges it may face if this guy is convicted? The article doesn't say jack about it.. any lawyer-ish folks out there have input?

    --
    http://www.babysmasher.com
    http://www.openingbands.com
  85. FIIC? by Doc+Ruby · · Score: 1

    Some ambitious politician would make lots of points for passing a law resembling the FDIC (Federal Deposit Insurance Corporation) for personal information "memory banks". That would include audits for eligibility, including corporate insurance, ultimately backed by the federal or state government. These banks which lose info are bad for the economy, as inhibitions on eCommerce spread, as well as bad for the people personally affected. Government certification and underwriting would educate the consumers as well as protect the info. Until then, these memory banks have no strength for demands to disclose personal identity info.

    --

    --
    make install -not war

  86. Re:A Few Notes on Acxiom. Opt Out Now! by 2short · · Score: 1

    Not that I disagree with your larger point, but this:

    "had all their data stolen"

    is nowhere close. 82 gig was stolen. That's peanuts. Acxiom has more data than God.

  87. Bad news for you by geekoid · · Score: 1

    Most states REQUIRE that you have an ID card.
    A driver license will do, but if you don't have a driver license you must get an ID card.

    --
    The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:Bad news for you by hiryuu · · Score: 1

      Most states REQUIRE that you have an ID card.

      <nitpick>That's still not a standardized national ID card, which was the subject of this particular thread.</nitpick>

      That said, I've lived in a few different states, and I haven't yet been made aware of state-issued ID cards being required in those states, nor had I heard of other states where such might be the case. I could see the prevalence of drivers licenses and state IDs in general making it something that's not often brought up, simply because of the ubiquitous nature of such things. And too, such ID documentation is required to take part in a number of aspects of routine life in the US o' A - like getting a job, opening a bank account, etc., so I could see practicality requiring one. But state law? That's news to me. A quick Google search didn't turn up anything for me - anyone able to point me toward any US state that requires their citizens to procure and carry state-issued ID?

      --
      Karma: Excellent, but still won't get you laid.
  88. Re:so they have to steal that much to get prosecut by geekoid · · Score: 1

    don't forget, even applying for a loan, or getting a credit check lowers your rating.

    --
    The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  89. Re:A Few Notes on Acxiom. Opt Out Now! by CritterNYC · · Score: 1

    You say they ignore requests to opt-out but yet encourage people to opt-out.

    Good point. How about: They ignore opt out requests from a large group of people that doesn't want to receive ANYTHING like this, forcing them to all opt-out individually, just to make it more difficult to remove yourself from the list.

  90. stock price is their top concern by Anonymous Coward · · Score: 0

    Anyone who tells you a public company's TOP concern isn't the stock price is LYING, pure and simple.

    I have worked at Acxiom for many years. I just about busted a gut recently when I read an internal memo, after 5% of the workforce had unceremoniously been fired, that included the winning line to the effect of "you are our most valuable resource". Like hell I say; actions speak louder than words, and we're all deaf by now.

    Since the FTP-server break-ins data security has been much better, so it is in fact a large concern, but only in as much as it affects the stock price. If the hacks had not been publicised and large customers threatened to pull their business, nothing would have changed.

  91. You've led a trite and meaningless life.... by ManyLostPackets · · Score: 1

    ...And you're a very bad person

  92. Why is this under the radar terrorism wise? by warm+sushi · · Score: 1

    Not that I buy all the FUD over terrorism. Mostly it's a load of nonsense. But how come the government has time to try to ban cell phone use, access to cell phone outages information, and other relatively obscure pointless data, but doesn't act when information that could assist with identity theft is stolen?

    WTF?

    Who the hell is prioritizing this crap?

  93. Re:so they have to steal that much to get prosecut by frankns · · Score: 1

    Three years ago, my identity was stolen and the thief applied on-line for a credit card in my name. When the credit card company double-checked the application by calling me, he/she was blocked. With the help of the card people, I then did some investigating of my own.

    The thief had submitted an e-mail address using my name. He got this e-mail address from a local company. So, using whois I got the name of the president and the sysadmin ... and called Chicago police ... my suburban police ... the FBI ... and the Treasury. In the end, I found out that the Treasury had jurisdiction ... and may still.

    NO ONE was interested in pursuing the case. Because the theft was "only" for $5,000 it was below the prosecution limits set by the Illinois Attorney General's Office. And a kindly Treasury officer explained that they followed local guidelines and would not be prosecuting ... even though I could tell them where and who to call.

    Note: we essentially HAD the criminal ... we had a street address where the card was to be delivered ... I was an officer of a local bank at the time ... and ... I offered to assist in an investigation by calling the sysadmin or the local company president. No one at local or federal level was remotely interested. (The conversation with the FBI was almost comic ... the agent was handing me xeroxed copies of newspaper articles on how to prevent identity theft while I was trying to hand him the crook. He saw it all as my responsibility.)

    BTW -- the thief was using my AMEX credit card number to apply for "his" new card. Dumpster diving for card numbers at merchant locations is quite common in metro areas like Chicago.

  94. Re:A Few Notes on Acxiom. Opt Out Now! by psikic · · Score: 1

    Um... make sure you read the press release again. It was only 8.2 gigs.... (and the data was encrypted)

  95. Re:so they have to steal that much to get prosecut by Ben+Hutchings · · Score: 1

    Getting a credit check can lower your rating temporarily if the institution making the check says you're applying for credit (rather than, say, applying for a job or rental). If you're applying for a whole bunch of credit cards or loans at the same time, that suggests you may be trying to borrow rather more than you can afford (or at least than the banks think you can afford).