IT Pro Admits Stealing 8.4M Consumer Records
Billosaur writes "The Channel Register is reporting that a database administrator at Fidelity National Information Services, a consumer reporting agency in Florida, has admitted to stealing more than 8.4 million account records and selling them to a data broker. The DBA, William Gary Sullivan, faces up to 10 years in prison and fines of $500,000. He worked at a subsidiary of Fidelity and used his access to its database to steal customer names, addresses and financial account information, then used a business he incorporated to sell the list to an accomplice, who eventually sold it to direct marketing firms."
get caught
Given the number of these news stories lately, let us just assume that EVERYONE'S personal information has been compromised. The problem is that the only way to combat identity theft is to have a way of positively identifying any person. The trouble with that is that it would require a single entity (presumably government) to store (and thus have access to) this information. So the question is this - what's worth more to us - financial safety, or privacy and anonymity?
Of course, this all assumes that the current financial system stays as is... when it is as much to blame for the rash of identity theft, as the thieves themselves... because it both makes it easy to establish credit, and difficult to recover one's credit and finances, once they've been compromised.
In essence, the system is structured to benefit the lenders with little regard for the clients. (yeah, i know - big surprise).
Indeed
What if the Hokey Pokey really is what it's all about?
Receiving stolen property is a charge I'd like seeing brought against the direct marketers who bought or rented the list. This would be a good deterrent against shady data acquisition practices.
As a Fidelity customer, I'd like to have some say in exactly which prison this guy goes to; one of those cushy Country Club sort of places isn't what I have in mind...
Stupidity... has a habit of getting its way.
Fidelity is a very common name in financial services.
Fidelity is a common word in financial institution names.
This is fraud.
And because it is fraud, ANY system of identifying the person will be subject to abuse.
So don't worry about identifying the person. That's too difficult to secure. Instead, focus on validating/authenticating the transaction. That way the resources can more easily be focused.
They need to make an example of him. 10 years and $500,000... for 8.4 million people.
.001 percent, do what needs to be done. Otherwise, get used to it.
That is not a deterring punishment. Get a fucking rope. Tie it to his balls.
Send him to gitmo to join people who don't _HAVE_ identities any more.
When you catch the
This sort of abuse undermines our trust in financial systems, government, and society.
Fidelity - n. 1. Faithfulness to obligations, duties, or observances.
ok i'm confused. criminality has always favored the not so bright, since if you were smart enough, you'd figure out a better way to get some loot- more of it in a safer way, which usually means you'd find a legal way
and this guy was a DBA? all jokes aside, we are talking about a baseline level of intelligence here
does not compute
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Interesting... so he got off lighter than he would have had he been caught torrenting a few blockbuster movies or a few CDs of music?
What does it say when a country values the property of its corporations more than the rights of its citizens? If they were to apply the same punishment standards to this case as they do to copyright, the guy would be in jail for life with at least a $5million fine.
Maybe what people have to start doing is claim copyright on all their personal information and file class action suits when it is illegally copied by some entity.
Short of probing everyone's orifice as they leave the office, a company's biggest threat has always been inside corruption. The access given to employees is much more damaging than anything an outsider can do, and they can do it so much faster and without being detected. Unless you're auditing every single key stroke and action taken by every single employee and questioning the movement of every piece of data using some intelligent algorithms to pick up nefarious activity, it will be nearly impossible to stop this. You'd have to eliminate any type of "connection" between the employee and the data. It can be done, but it would be hella expensive.
Mark
is very ambiguous...case in point:
...you get the idea. and spare the offtopic mods, you were warned in the title.
thereasontobeadba
= there as onto be a dba
= the reason to bead ba
= the reason to be a dba
= there a son to bead ba
This sig contains repetition and redundancy.
Anyone know what the current market rate is for something like this? If he made a penny per record or so, that's around an easy $100,000.
UK beat USA in this race by having the identifications of 25 million of its residents stolen last month. It's only a matter of time for a US agency. I suspect the US is semi-protected by backward computer systems. Like who can read a nine-track tape anymore?
No head - no backstage.
For fuck's sake, if copying MP3s is not theft then surely copying financial or medical records is not theft. In either case, nothing is physically taken from the holder and the original data is left intact. Please, try to be consistent.
It's estimated that global organized crime reaps illegal profits of around $1 trillion per year.
That's one trillion dollars that you just can't make legally. Criminality does not favor the not so bright, the media favor the not so bright criminals, and you somehow confused their overexposure as a true representation of reality. And there's a saying that crime does not pay, which is propaganda: crime does pay, it pays a trillion dollars a year.
You can't take the sky from me...
The truest sign that this DBA was none too bright? He admitted it!
it is true that the only criminals we hear about are the dumb ones, leading to the supposition that you never hear about the smart ones, not because they don't exist, but because they are smart
;-)
but, having heard from you, i guess we can safely conclude which camp you lie in?
The game started when banks wanted to expand their range. The previous system was whether or not they know you and if they think you're a generally good person. It was a good system, but it required a lot of "humanity" to function. So to make things easier and more efficient, they decided to abuse the social security numbers being issued to individuals... a practice, I will remind anyone reading this, is actually ILLEGAL... or unlawful... whatever... there are explicitly defined rules against the use of SSNs for any purpose OTHER THAN social security use... but lo and behold, it's now the "consumer ID tracking number." (And interestingly enough, if you give an incorrect number, you could ultimately be charged with attempted fraud. They go unpunished for breaking the rule abusing the SSN, and when you 'fight back' you can be fined, imprisoned or both!)
Now we have a "credit rating" system. It's flawed, abused and annoying, but for the banks and lenders, it's awesome. It makes their lives so much easier because now they don't have to "know you" at all! And for all this we receive WHAT in the way of benefit? Not a lot... perhaps the ability to move and take your good credit reputation with you, but that's about it. And here's the real cool part! The DANGER to you and your identity seems to become YOUR liability entirely. If you ever want to play the credit game, you have to convince them that someone else messed up your records. And all this from the institutionalized illegal behavior of abusing the social security number. The benefit is theirs, the burden is yours!
The benefits are theirs... the burden is yours. Think about what that means and how it came to be.
This is, in fact, rather like the US government and its national debt! You know, where the executive, legislative and judiciary get free medical and all other manner of benefits including a ridiculous retirement plan that gives full pay until you die in addition to the ever-present revolving door policies... they never need to worry about the trivial problems like we do... you know, the life-or-death matters... the stuff about food and shelter... being homeless... none of it. They get to legislate, sign statements, send teenagers off to die in battles and wars, kill people by the thousands, cause ill-will across the planet against ALL Americans (not just US leaders)... and who gets the bill for all of this while they ride pretty free to do anything they want without consequence? That's right! We the People.
And this is not a problem of "electing the wrong people." There are no "right people" for these jobs! If you had the same employment plan where you could do just about anything you like and suffer none of the consequences, it becomes pretty easy to accept... I know I'd probably fall into that trap of behavior too... it's human. (It has long been understood that corruption is a problem of opportunity and not so much a problem of bad character.)
(I know... I'm sounding rather communist/socialist. I don't actually go for that either. What I do advocate is a kind of fairness where the 'elected' have to suffer in the same crap that they create. They make the stew and we have to eat it. If THEY had to eat it with us, you can bet that it would be a lot more palatable.)
Why is it so easy for companies to get away with receiving and using stolen data? The gummint vigorously prosecutes people receiving stolen property, including stolen intellectual property. Why can you get fined $200,000 for copying an MP3, but you can get away with buying 2.8 million stolen customer data records?
-73, de n1ywb
www.n1ywb.com
Companies sell their info to direct marketers all the time. The only thing missing in this guy's case was the flyspeck-script in the contract saying they're going to do that.
In other words, he ripped himself off.
Laughter is the Spackle of the Soul.
A mailing list canary is a deliberately inserted entry with (usually) a false name but with real contact information. The contact data leads back to the security arm of the firm that compiled the list. The idea is that the canary sings every time the list is used, and this is but one mechanism to detect unauthorized access.
Maybe the DBA knew about the canary. With proper security, he shouldn't have. Or maybe the canary sang and that's how the guy got caught.
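The canary mechanism described in the comment above, as an added example (not code from the original post or the firm discussed): each copy of a list handed to a distinct recipient gets its own keyed canary entries, so a solicitation arriving at a canary mailbox identifies which copy was used, not just that some copy leaked. The customer records, canary domain, key and inbound mail log lines are all constructed for the example.

```python
import hashlib
import hmac
import random
import re

# Constructed sample customer list; not real data and not from the article.
CUSTOMERS = [
    {"name": "Ada Example", "email": "ada@example.net", "city": "Tampa"},
    {"name": "Bob Example", "email": "bob@example.net", "city": "Orlando"},
    {"name": "Cy Example", "email": "cy@example.net", "city": "Miami"},
]

# Assumed: a mail domain whose mailboxes are read only by the security team.
CANARY_DOMAIN = "canary.sec-team.example"
# Plausible-looking cover names so a canary is not obvious in a listing.
COVER_NAMES = ["Jane Morrow", "Luis Farrant", "Priya Oakes", "Tom Beckley"]


class CanaryRegistry:
    def __init__(self, key: bytes):
        self.key = key
        self.tokens = {}  # token (mailbox local part) -> copy_id

    def token(self, copy_id: str, idx: int) -> str:
        # Keyed hash: tokens cannot be predicted or enumerated without the key.
        mac = hmac.new(self.key, f"{copy_id}:{idx}".encode(), hashlib.sha256)
        return mac.hexdigest()[:12]

    def seed(self, records, copy_id: str, count: int = 2):
        """Return a copy of `records` with `count` canaries for `copy_id` mixed in."""
        out = [dict(r) for r in records]
        for i in range(count):
            tok = self.token(copy_id, i)
            self.tokens[tok] = copy_id
            out.append({"name": COVER_NAMES[i % len(COVER_NAMES)],
                        "email": f"{tok}@{CANARY_DOMAIN}",
                        "city": records[i % len(records)]["city"]})
        # Deterministic per-copy shuffle so canaries are not clustered at the end.
        random.Random(self.token(copy_id, -1)).shuffle(out)
        return out

    def copy_for(self, address: str):
        """Which seeded copy a recipient address belongs to, or None if not a canary."""
        local, _, domain = address.strip().lower().partition("@")
        if domain != CANARY_DOMAIN:
            return None
        return self.tokens.get(local)


TO_RE = re.compile(r"\bto=<([^>]+)>")


def leaked_copies(registry: CanaryRegistry, mail_log):
    """Count inbound messages per seeded copy; any hit means that copy was used."""
    hits = {}
    for line in mail_log:
        m = TO_RE.search(line)
        if not m:
            continue
        copy_id = registry.copy_for(m.group(1))
        if copy_id is not None:
            hits[copy_id] = hits.get(copy_id, 0) + 1
    return hits


if __name__ == "__main__":
    reg = CanaryRegistry(key=b"constructed-demo-key")
    for_a = reg.seed(CUSTOMERS, "broker-A")
    for_b = reg.seed(CUSTOMERS, "broker-B")
    # Constructed inbound-mail log: one solicitation lands in a broker-B canary mailbox.
    log = [
        f"Dec 05 10:00:01 mx postfix/smtp: from=<promo@marketer.example> to=<{reg.token('broker-B', 0)}@{CANARY_DOMAIN}>",
        "Dec 05 10:00:02 mx postfix/smtp: from=<ada@example.net> to=<support@sec-team.example>",
    ]
    print(leaked_copies(reg, log))  # {'broker-B': 1}
```

In practice the canary's contact details must look like any other customer's and the registry key must live outside the database the DBA administers, otherwise an insider can strip the canaries before selling the list.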
Why aren't the direct marketing companies getting sued?
I don't believe for a sec any of his customers thought the lists were acquired legitimately.
In Soviet Russia, I ruled you
"Fidelity National Information Services" spokesman commented that the organization is appalled at the scandalous nature of the reporting of this event. "After all, this is a very difficult time for our country and only criminals have something to hide."
Any guest worker system is indistinguishable from indentured servitude.
One example: The recent Duke University situation: http://www.upi.com/NewsTrack/Top_News/2007/12/05/hacker_may_have_stolen_duke_students_data/2789/
Another Example: I keenly remember learning from a high-level old-guard "Network Administrator" (over a few pitchers of free beer) about how a DB containing 30 years' worth of 'Student Information' was dumped onto a HDD (and 'given' to a third party) after being "merged" into the "_______ Alumni Association" database. This admin, whom I trust, was a 20-year veteran at the school and he was present when the 'orders' were given to merge the data into the Alumni Association's DB. Apparently, the Alumni Association previously had access to the student DB, but privacy rules were put in place (or suddenly enforced) to cease this access and they were forced to develop their own separate DB. Ironically, they pulled strings to "seed" their own DB with a merge of the old one before any access restrictions were put in place. (In actuality, the full DB was actually copied to HDD and renamed for the "merge" on the new server.) This 'Student Information' database contained: enrollment data, full legal names, DOB, Addresses (past, present, and current), declared majors, graduation dates, high school GPA and locations, and their student loan status (whether Grants, Loans, GI Bill, Trust Funds, or cash from parents, etc. paid for their schooling).
The scary part was that the 'new' Alumni Association DB was now outside control (and liability) of the School's Board of Regents (who had tacitly granted (ordered) the student data to be merged into the Alumni Association's DB (WITHOUT needed legal confidentiality caveats). The Alumni Association's data was subsequently "sold" to the "First USA Bank" for around 10 million dollars in "donations" (and I am sure pay-offs, kickbacks, whatever etc.). The "_______ Alumni Association" (in the following year) purchased (from the state) A BLOCK'S worth of very close off-campus (privately-owned, mainly older, but still in good shape) rental housing (through state eminent domain condemnations) and they leveled it, moving or destroying the houses. A big shiny-new Alumni Association building went up there along with a couple smaller Official Campus buildings. (Obviously I am leaving off the name of the State-Funded University here.)
Within about a year following this database 'merge' (and sale), my parents, the tenants at my former addresses (as I discovered through forwarding my US Mail), and my unlisted phone numbers (this was pre do-not-call) began to get solicitations for "donations" and other "Alumni Association" beg-for-money-through-student-pride-style correspondence...
Interestingly, I ONLY gave these addresses to the School's Bursar's Office and the School's Enrollment Office. I also had new pre-approved offers for "First USA Bank" Credit Cards (and untold other unsolicited financial junk mail) and so did many of my peers... Coincidence?
I bet this happens all too often... there's just too much money involved for the unethical greedy side (of some people's) human nature to not profit by it. -Z
If copyright infringement of a song can bring statutory damages of $9000 per copy, should we not see at least an equivalent level of punishment for unauthorized duplication of consumer records? Maybe the American people can form a lobby group to ramrod this idea through Congress.
I am becoming gerund, destroyer of verbs.
AC is right. The FBI can't prosecute someone in East India who shuttles your money over to Al Qaeda. But the FBI sure can come nab you because they think it was you who did it.
A year's salary for a database admin in Bangalore = a cup of Java at Starbucks. Sleep tight.
--- Grow a pair, liberals... stop letting the Republicans bully you!
You raise the right question, but having "a way of positively identifying any person" is a bit of a shortcut.
Identification = Associating an identity with an individual, process, or request
Authentication = Verifying a claimed identity
Ok, so you are John Smith. But are you THE John Smith who is entitled to withdraw all the money on this account?
Problem is, most systems do only one step, or rather, 'both in one'.
"We have your password/SSID/whatever on file, therefore we identify AND authenticate you..."
It's a bit like 'self-certifying' web sites, as discussed here recently. Complete bollocks, worth nothing.
Also, "The trouble with that, is that it would require a single entity (presumably government) to store (and thus have access to) this information." Hmmm...the same Govt. who recently lost (in UK) 25 million personal records?
Quis custodiet ipsos custodes?
The first one who cracks THAT problem will make gazillions...
"how trustworthy are those Indian/Offshore callcenter staff, i wonder how many records you get for offering them a year's salary in cash for a few DVDs of data"
I work for a major US bank and we offshore various stuff. The people who have access to customer data are given desktops with no local drives and no access to a printer.
They are not allowed access to paper, pens, pencils, etc. and are searched upon entry to the premises. They are not allowed to carry any electronic devices of any kind (cellphones, etc. which might allow them to copy or photograph any information displayed).
Obviously I can't say that all financial institutions do this, but we certainly do.
One word, and a byline:
Enron.
"The smartest guys in the room".
Smart criminals are smart right up until they get caught. Having a lack of ethics has nothing to do with having a lack of intelligence. "Doing it illegally and unethically without being caught" does NOT equal "doing it legally".
If you commit the perfect crime, you've still committed a crime.
I will allow that you can be unethical without breaking the law. This only means that the law is an ass, and the person acting in this way would use criminal means if their unethical ones were made illegal.
Correction: Criminality favors everyone equally, it's the not-so-bright ones that get caught. Or the not-so-careful.
The smartest criminals make their activities legal: see RIAA, MPAA.
criminality has always favored the not so bright
Don't be so sure.
I think that any programmer or administrator who has access to {some level} of personal information about other people should be required to be licensed and accredited. In other words, I'd like to see an official standards and accreditation board for the various flavors of software engineers, the way that lawyers, doctors, architects, contractors, etc. have to have. If you sufficiently abuse your position or malign your clients, not only do you face legal penalties, but you also lose your ability to have a (credible) job in the future. Obviously there are a lot of kinks in this process that'd have to be worked out, but if it works for the medical profession it seems like it'd have some effect in software too.
When you have power over systems that can seriously eff up people's lives, you should have to be vetted.
My company gives full network access (VPN) to our Chinese developers. We have plenty of sensitive customer data on our network (our customers are other companies). Have they stolen anything? Who knows? The point is they are perfectly capable of doing so, since my company opens the door and turns its back. They could run out with all the data and we wouldn't know or care -- and that's the sad thing. We love our Chinese developers, because they can pay for a whole team of them for the same cost as my salary. So no big deal if they steal a few bits of data, we're saving money!
"IT Pro Admits Stealing 8.4M Consumer Records"
If a pyromaniac starts out with small fires, and a serial killer starts out with torturing pets, what did this guy start out with? Downloading movies, music, games, software, and books?
Securely establishing the identity of both parties in the transaction is a crucial first step in validating/authenticating a transaction. How else are you going to know if a transaction is legit unless you know who's doing it?
The identity does not have to be tied to a name or person. For example a GUID would work, but you would still need a credential to ID the parties first.
If it isn't nailed down, it will be stolen. Sooner or later someone will come along with the idea that if adequate measures aren't taken to prevent them from stealing it, then it must be OK - or they would have been prevented.
You would think in this case it would be pretty easy to prosecute the thief. Unfortunately, the value of an individual record is very unclear, much less the value of a large collection. I seriously doubt this guy is going to get prosecuted for some kind of "privacy violation". My guess is more along the lines of one record being worth $100, therefore 8 million records = $800 million in damages. Ought to be worth a pretty long jail term.
It is okay to talk about social ills; I do it myself sometimes. And once in a while I let loose and get rather carried away making one-two-three pictures of my favourite posts converted into gif files that get carried all over the World. Gives me something to do, better than fishing, kind of like being an unofficial, self-elected public servant. Sometimes I even go to the trouble of explaining exactly why Mankind is going to be extinct in the next few years one-two punch. Realistically though, writing a lot of stuff on /. and making pictures & posts isn't going to reach a lot of people. The Internet is too large and mostly people like moving pictures and sound and videogames, none of which my simple warnings does. The important thing, I think, is to educate people and they will come to the water when they're good and ready and not a moment afore that. ImitationEnergy wrote this, too late and too lazy to log in tonite just to make one comment. You wrote a good piece.
Dumb people are proven criminals. Does that mean that smart people are never criminals, or does it mean that smart people are never proven to be criminals? If he was more knowledgeable, then he would have covered his tracks, thus making him unknown to the statistical pool.
So, the value of my personal data, such as name, address, and potentially my SS, credit card, and private buying information... the value of that in a criminal court is under 6 cents. That's just great, I feel very secure against data theft since those penalties are less than the going rate for the information. And yet, somehow, my lending a copy of a song to someone is valued at nearly $10,000 per song to judge by recent court precedent.
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
I was around when Certegy was formed as a company. When they started they used a home grown software system written by one guy. Certegy bought their database (bad check debt recovery) from RMA who used to be part of Equifax. This was back in late 2001. I was subcontracted and flew to Florida and converted the RMA (PICK Universe) database to Certegy's system.
"Bill", the guy in this story, is actually a very likable person. He's inviting and happy (maybe not now) and laughs a lot. He's the kind of easy going guy, trusted and liked. He's fun. This really hits home. I've known this guy for years and was floored when I read the story.
I guess it shows, at least for me, a very fine line. Bill is not a "criminal type" or a "bad character" that might come to mind when these things happen. I don't know what happened, money problems, greed took over, I don't know, but I suspect many of us at Slashdot are in positions exposed to temptation. Everyone has a price? Knowing Bill, I suspect this was just a very bad and stupid decision. The temptation of hundreds of thousands of dollars for a couple keystrokes and a memory stick. This sure sobered me up.
-[d]-
While the harsher punishments you suggest may be a bit extreme, I'm glad I'm not the only one who had this reaction -- "Oh, you ruined people's lives on a massive scale and got caught? Please stop, won't you? Please stop. No? OK, give us a couple bucks, you scamp."
I think the simplest rule to cover people for whom ethics are unimportant is to ensure that if a person abuses the information in one database or even one kind of database, they are barred from ever accessing it again. That can be a career killer. The personal data I deal with isn't a big deal, just contact info, salary details, stuff like that for tens of thousands of people, but even that stuff I guard like a mint. It's personal data after all, and I feel my strength of character is at least as important as my skills. Problem is, from what I have seen, the kinds of people hired to manage big financial databases and the like tend to include droves of people who hop from job to job. Big financial institutions tend to get what they pay for, but unfortunately the hidden cost of their budget crunching tends to be paid by consumers. And yes, I know finance companies also employ some kick ass people (like the NYC Perl hackers), but several sections of their operations include what are essentially bargain basement Oracle tweakers and nomadic QA consultants and the such.
Does that count as double jeopardy? I'm not a lawyer; I am a Fidelity customer, and I don't appreciate my shit being sold to spammers or whoever else.
waspleg
Lop off the guy's head, put it on a stake, and post a vid of all this on YouTube (or liveleak)? I reckon that would make anyone else think twice before doing this!
Mod parent up as Informative.
Thanks for the insight into who this guy was/is.
We have four boxes with which to defend our freedom: the soap box, the ballot box, the jury box, and the cartridge box.