Consumer Database Company Hacked Again
x-guru writes "CNN is reporting on the indictment of a Florida man on 144 identity theft charges including fraud, money-laundering, and obstruction of justice. Approximately 8.2 GB of data was stolen from Acxiom Corp, a company responsible for the storage of vast amounts of personal, financial and corporate data. It looks to be an inside job as six Acxiom employees have agreed to cooperate with the investigation." Acxiom was hacked last year as well.
Of course I can't be bothered to RTFA, but when will we have laws making it a mandatory requirement for companies like this to fully disclose events like this to the public? After all, it is our information they're "losing".
It looks to be an inside job as six Acxiom employees have agreed to cooperate with the investigation.
It might just be the early morning talking, but could someone explain how employee cooperation implies an inside job? Maybe I need more coffee.
...Whether my Maker is prepared for the great ordeal of meeting me is another matter.
Churchill
Where exactly is $7 million coming from? Is there data worth about a million a gig?
Wow, I must have billions of dollars worth of pr0n then!
This is the great myth of the InterWeb security policies of most corporations -- you're only as safe as the weakest link in the chain. IBM, GE, et al, are probably among the most secure commercial sites available, and yet their customers still get nailed by third-party lapses.
Anyone want to take a gander on when Equifax, Experian, and TransUnion get busted for going through some minor service provider?
... is to not store it all in one place.
Centralised databases of sensitive data are evil.
-- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz
This is where the lack of security is undershot. Security is always talked about with the consumer PC, Windows and IE. If you want to get personal data, hack the server. Forget the PC. I don't hear much about these areas being covered. Banks and the military seem to have security covered, but there are a lot of organizations with a lot of personal data with not near enough security.
Evolution or ID?
What is happening to the morons who leave this kind of information sitting around on an easily cracked server? Are they getting fines? Jail time? 40 lashes with a wet noodle? What?
Maybe if these network admins were PUNISHED SEVERELY for their negligence they'd start being more careful.
At the very least this kind of information should be stored on encrypted filesystems. Better still, the files themselves should be triple-des'd and then PGP'd for good measure.
How many customer records could be stored in 1 GB?
How much would it cost just to inform all those people (assuming that they will)? And then when everyone updates their records, how much will it cost to rebuild/update the database with the new info?
Just playing devil's advocate here.
How about a quick game of Hangman, kids. "Here's hoping he gets time in a federal _____-__-__-___-___ prison!" (Commence flames from more enlightened readers in 3... 2... 1...)
Beyond the fact that a national ID card wouldn't provide any additional security, putting that much private information in one place is just asking for trouble. As this latest debacle shows, and as Schneier points out in the article I referenced.
From the CNN article:
Oh, good. That will surely stop it from happening.

THIS WAS NOT AN INSIDE JOB. Two people from different parts of the country were "hacking" Acxiom at the same time, using the same vulnerability. Neither of them even knew each other. Acxiom's security was a flaming turd.
Search all the Daniel Baas articles and you will find he cracked a password file they had in a public directory on the ftp server. This guy did the same thing. Acxiom should be shutdown for their stupidity.
It wasn't Acxiom employees that agreed to cooperate, it was Snipermail employees. Man, people can't get facts straight.
"Snipermail employees have cut deals and aided federal investigators, prosecutors said.
Also named in the indictment are Levine's brother-in-law Magdiel Castro; longtime business associate Jeffrey Richman, who operates Florida corporation RichMedia Inc.; systems administrator Jeffrey Burstein; Melvin Donald Atkinson, a computer analyst; Marcos Cavalcante, a graphic designer; and William F. Clinton, a computer specialist."
I'd be willing to wager the 7 million is just an arbitrarily large enough number so the feds will investigate their case. If they say they only lost a grand, then there would probably be no investigation.
ONLY 7 million!
Thank god the RIAA isn't involved with the cleanup.
(82000000 * ($250,000 * ([DriveSpeed] * Cos([WindDirection]))
This issue of losses is moot really, because as with illicit file sharing, the original data still exists.
This data sharing may result in customers going elsewhere, and so may affect FUTURE revenue stream, but their account certainly hasn't taken a dip just yet.
(Contrast with bank robbery)
liqbase
Some days I wish someone would take my identity.
www.kitchengeek.com -- Nosh for
The cooperating employees are at Snipermail,
according to the CNN article.
If I compile data on someone, their purchases, habits, income and other records, I'm stalking/spying on them.
If I'm a company compiling 8GB or such data on hundreds of thousands of people, I'm doing market research.
If I'm a single individual who gains access without consent to such a company's data, itself usually obtained without consent, I'm a snooping crook/terrorist/cracker/pervert/thief who gets thrown in jail.
RFID. Credit Cards. Social Security. How come I can't acquire such data, yet amoralistic multinationals can? Does the fact that I don't want such information in the hands of anyone at all even count? Tinfoil hat or no, no-one likes being snooped upon. Data rape is data rape no matter how drunk someone was on free handouts.
May the Maths Be with you!
...richie - It is a good day to code.
This wasn't a "hack". It was an inside job: a contractor using a company-provided username/password to access data that he should not have had access to, but did because of lax policies on the part of the company (Acxiom).
This is not a "hack". It is theft. Plain and simple.
"of course i can't be bothered to RTFA, but when will we have laws making it a mandatory requirement for companies like this to fully disclose events like this to the public"
can you be bothered to contact your legislators, or consumersunion.org, or epic.org?
I swear, reading Slashdot is starting to sound like those scrolling news blurbs in Uplink.
Company X reports that N gigs of customer information were stolen by an unidentified hacker.
Company Y reports that N gigs of project data was deleted by an unidentified hacker.
etc., etc., etc.
First off, 8.2 gigs is a LOT of simple data. We're talking about databases here, not mp3s. A few kbytes can give you everything you need to steal someone's identity and more. We're talking about hundreds of thousands or even a few million entries.
Second, what can you really do with 50 million social security/credit card/name/address matches that you can't do with 1 million? It's not likely this data was stolen just for spam, much larger databases are readily available for that purpose. Even the largest, most nefarious criminal organization would be set for years with a million verified identities to misuse. Even if you could only net a few hundred dollars from each identity theft, that's a LOT of money. And at a certain point the scale of the data overrides your ability to exploit it anyways.
Take a look at sections 13 and 14. There are also special rules to the law that specifically touch on information security, but I don't have a link in English.
People say I'm crazy, I got diamonds on the soles of my shoes...
Oh ya, and my friend's credit was STILL bad 2 years later from that stuff, even though all parties knew what had happened.
This is because the Fair Isaac credit score has nothing to do with how good a customer you are. It's a measure of how likely a creditor is to make money from you. This is why if you keep paying your loans off after only a few months, you get a bad score. This is also why the reporting agencies were so reluctant to tell people how the score is calculated. If you're an identity theft victim, you're a bad risk for the creditor because they can't be sure you're really you. They're more likely to lose money from whoever is presenting your identifying information. Works as designed.
This is yet another reason why credit card companies are scams. They're loan sharks, nothing more. Credit card companies in the US need heavy regulation. It will never happen though.
Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.
The people that are cooperating are not from Acxiom. They are from Snipermail. This scumbag Scott Levine and his half-brother, Miguel Castro (Jesus, you can't make these names up, truth is stranger than fiction) created a directed marketing "opt-in" scheme to sell email addresses. They hired a sysadmin by the name of William Clinton (ok, now this is getting positively 'Office Space' like. I'm surprised they didn't have Michael Bolton working there as well.) and good 'ol Billy found that Acxiom ran an unsecured FTP site, which you could CD to /etc and get the password file. He grabbed it and ran crack on it. He decoded 40% of the passwords. They started logging in with those usernames & passwords.
They weren't clever enough to grab root and cover their tracks or overwrite logfiles, though. These toads remind me of Chris Cooper in Adaptation. Scheming Florida bums without too much upstairs.
Acxiom hired a security firm to run an audit regarding the PREVIOUS break-in, and the team found that these morons were stealing reams of credit card data with the logins from companies like Microsoft and others. They were then selling the credit card numbers on the black market, mostly overseas.
This whole sordid tale is laid out in the court documents, which are online and make for a great read. This Scott Levine reminds me of Scott Peterson, in sort of that creepy stupid way, where you know he did it just by the smirk on his face.
Anyhow, these guys are going to federal pound-you-in-the-ass prison, and hopefully Bill Clinton will cooperate and get off since I doubt with a name like that, he would fare too well in prison.
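The post above describes the two failures behind the break-in: a password file readable by anyone who could reach the FTP server, and hashes weak enough for `crack` to recover 40% of them offline. The script below is an added example, not code from the thread, from Acxiom, or from the court documents. It audits a constructed passwd-style file for exposed hashes and runs a dictionary attack against them. Real files of that era carried DES crypt(3) hashes; this example instead uses a made-up `$demo-sha256$<salt>$<hex>` format computed with hashlib so it runs anywhere without the deprecated `crypt` module. The sample accounts, salts, passwords and wordlist are all constructed for illustration.

```python
"""Offline audit of a passwd-style file that was left world-readable.

Added example: shows (1) hashes sitting in the passwd file instead of
a shadow file, and (2) a dictionary attack recovering weak ones offline.
Assumption: hashes use a constructed `$demo-sha256$<salt>$<hex>` format
(stand-in for DES crypt(3)), computed with hashlib for portability.
"""
import hashlib
from dataclasses import dataclass

SHADOW_MARKERS = ("x", "*", "!", "!!", "")  # second field when no hash is exposed


def demo_hash(password: str, salt: str) -> str:
    """Constructed salted hash format used by the sample file (not a real crypt scheme)."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$demo-sha256${salt}${digest}"


# Constructed sample file. "x" means the hash lives in /etc/shadow (good);
# a real hash in field two is exposed to anyone who can read the file.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin",
    "acct1:" + demo_hash("password", "ab") + ":1001:1001:Acct:/home/acct1:/bin/sh",
    "acct2:" + demo_hash("letmein", "cd") + ":1002:1002:Acct:/home/acct2:/bin/sh",
    "acct3:" + demo_hash("Tr0ub4dor&3!x", "ef") + ":1003:1003:Acct:/home/acct3:/bin/sh",
    "acct4:!:1004:1004:Locked:/home/acct4:/bin/sh",
])

# Constructed wordlist standing in for the dictionary `crack` would use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "acxiom", "welcome"]


@dataclass
class Entry:
    user: str
    hash_field: str


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines; skip comments and malformed (non-7-field) lines."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        entries.append(Entry(fields[0], fields[1]))
    return entries


def exposed_hashes(entries: list) -> list:
    """Entries whose second field carries a real hash instead of a shadow marker."""
    return [e for e in entries if e.hash_field not in SHADOW_MARKERS]


def crack(entries: list, wordlist: list) -> dict:
    """Dictionary attack: rehash each guess with the entry's salt and compare."""
    found = {}
    for e in exposed_hashes(entries):
        parts = e.hash_field.split("$")
        if len(parts) != 4 or parts[1] != "demo-sha256":
            continue  # unknown hash format; skip rather than guess
        salt = parts[2]
        for guess in wordlist:
            if demo_hash(guess, salt) == e.hash_field:
                found[e.user] = guess
                break
    return found


def audit(text: str, wordlist: list = WORDLIST) -> dict:
    """Summarise exposure and how much of it a plain wordlist recovers."""
    entries = parse_passwd(text)
    exposed = exposed_hashes(entries)
    cracked = crack(entries, wordlist)
    return {
        "total": len(entries),
        "exposed": [e.user for e in exposed],
        "cracked": cracked,
        "cracked_fraction": len(cracked) / len(exposed) if exposed else 0.0,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD))
```

On the sample file the audit reports three exposed hashes and cracks two of them with a six-word list; the lesson the post draws is the same one the script makes concrete: the fix is not a better crack-resistant password policy alone but keeping hashes out of any file reachable from the service, which is exactly what shadowing and not serving /etc over FTP achieve.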
As many slashdot readers will be sure to point out, this isn't theft. Like music pulled off Kazaa, Acxiom still has the original data, and their use of it is not diminished by this guy having a copy.
Whenever any of these companies call to verify information, I put them on hold and take care of any possible task that might be more important (which is just about anything). By the time I get back to their call, they've always hung up. Bummer.
Better idea. If a company gets cracked say three times, then make it the same deal individuals get in our society: most places, three felonies and you get a huge jail term as a career recidivist criminal and societal lamer. If a corporation gets busted for malfeasance or gets cracked three times, any combination, then they should get the same, which in their case would be loss of incorporation privileges, and to HECK with the stockholders; it's a gamble, they need to have that drilled in daily it appears. Stockholders only appear to be interested in profits as well; there's a large lack of interest in honesty and efficiency with them in general terms. Make these companies lose their corporate charter, stockholders go bust, end of story; maybe correct business decisions will sink in beyond this quarter's profits.

These people want a capitalist solution, here's one: you aren't guaranteed profits, you are only guaranteed a chance to be honest and effective. Not just effective, not just honest, both. Either one you fail, then you fail it. If you are bogus and ineffective, the government, which is supposed to be "we the people", who GRANTS the charters, gets to take them away. There is no automatic guaranteed "right" to incorporation anyplace; it's a privilege granted by the people. This removal of bogus corporations doesn't happen near enough from my POV. Corporations, if you look back in history, were granted both to benefit the corporation (and the humans connected to it) as to profits, and also to be of a general public benefit. Unlike the pure lie you see repeated by corporate apologists who keep claiming corporations are "only" for making money. They love to say that, but it's not true; they just wish it was and act like it was, and for too long it has been that way in practice, but it's well past time to go back and revisit the realities of a granted incorporation.

If they fail to make a profit they eventually go under; that part still exists with "the market place", but we have lost and forgotten about the other deal, if they fail to be of public benefit. They should be dissolved, and getting hacked multiple times and having innocent people's data compromised should go right up the responsibility chain to whichever corporation is responsible, along with the humans involved, who should then be prohibited to serve in any official capacity inside a corporation for x amount of years, a significantly long time.

I'd like to see it anyway, get that "responsible for your actions" deal back into common knowledge and practice.
I'm just wondering if you've realized yet, that both your posts here are offtopic, because this isn't the article on the Apollo pics!
Acxiom is certainly not an example of a very good company. Aside from the fact that they were hacked... twice... and had all their data stolen... twice, they are also an unethical marketing company. They purposely ignore opt-out requests from people who want to get out of their lists. In short, their privacy policies suck.
Get out of all of their databases ASAP:
(877) 774-2094
optout@acxiom.com