IT Pro Admits Stealing 8.4M Consumer Records
Billosaur writes "The Channel Register is reporting that a database administrator at Fidelity National Information Services, a consumer reporting agency in Florida, has admitted to stealing more than 8.4 million account records and selling them to a data broker. The DBA, William Gary Sullivan, faces up to 10 years in prison and fines of $500,000. He worked at a subsidiary of Fidelity and used his access to its database to steal customer names, addresses and financial account information, then used a business he incorporated to sell the list to an accomplice, who eventually sold it to direct marketing firms."
Receiving stolen property is a charge I'd like to see brought against the direct marketers who bought or rented the list. This would be a good deterrent against shady data acquisition practices.
This is fraud.
And because it is fraud, ANY system of identifying the person will be subject to abuse.
So don't worry about identifying the person. That's too difficult to secure. Instead, focus on validating/authenticating the transaction. That way the resources can more easily be focused.
ok i'm confused. criminality has always favored the not so bright, since if you were smart enough, you'd figure out a better way to get some loot- more of it in a safer way, which usually means you'd find a legal way
and this guy was a DBA? all jokes aside, we are talking about a baseline level of intelligence here
does not compute
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Interesting... so he got off lighter than he would have had he been caught torrenting a few blockbuster movies or a few CDs of music?
What does it say when a country values the property of its corporations more than the rights of its citizens? If they were to apply the same punishment standards to this case as they do to copyright, the guy would be in jail for life with at least a $5 million fine.
Maybe what people have to start doing is claim copyright on all their personal information and file class action suits when it is illegally copied by some entity.
Short of probing everyone's orifice as they leave the office. A company's biggest threat has always been inside corruption. The access given to employees is much more damaging than anything an outsider can do, and they can do it so much faster and without being detected. Unless you're auditing every single keystroke and action taken by every single employee and questioning the movement of every piece of data using some intelligent algorithms to pick up nefarious activity, it will be nearly impossible to stop this. You'd have to eliminate any type of "connection" between the employee and the data. It can be done, but it would be hella expensive.
Mark
is very ambiguous...case in point:
...you get the idea. and spare the offtopic mods, you were warned in the title.
thereasontobeadba
= there as onto be a dba
= the reason to bead ba
= the reason to be a dba
= there a son to bead ba
This sig contains repetition and redundancy.
For fuck's sake, if copying MP3s is not theft then surely copying financial or medical records is not theft. In either case, nothing is physically taken from the holder and the original data is left intact. Please, try to be consistent.
The game started when banks wanted to expand their range. The previous system was whether or not they know you and if they think you're a generally good person. It was a good system, but it required a lot of "humanity" to function. So to make things easier and more efficient, they decided to abuse the social security numbers being issued to individuals... a practice that, I will remind anyone reading this, is actually ILLEGAL... or unlawful... whatever... there are explicitly defined rules against the use of SSNs for any purpose OTHER THAN social security use... but lo and behold, it's now the "consumer ID tracking number." (And interestingly enough, if you give an incorrect number, you could ultimately be charged with attempted fraud. They go unpunished for breaking the rule abusing the SSN, and when you 'fight back' you can be fined, imprisoned or both!)
Now we have a "credit rating" system. It's flawed, abused and annoying, but for the banks and lenders, it's awesome. It makes their lives so much easier because now they don't have to "know you" at all! And for all this we receive WHAT in the way of benefit? Not a lot... perhaps the ability to move and take your good credit reputation with you, but that's about it. And here's the real cool part! The DANGER to you and your identity seems to become YOUR liability entirely. If you ever want to play the credit game, you have to convince them that someone else messed up your records. And all this from the institutionalized illegal behavior of abusing the social security number. The benefit is theirs, the burden is yours!
The benefits are theirs... the burden is yours. Think about what that means and how it came to be.
This is, in fact, rather like the US government and its national debt! You know, where the executive, legislative and judiciary get free medical and all other manner of benefits including a ridiculous retirement plan that gives full pay until you die in addition to the ever-present revolving door policies... they never need to worry about the trivial problems like we do... you know, the life-or-death matters... the stuff about food and shelter... being homeless... none of it. They get to legislate, sign statements, send teenagers off to die in battles and wars, kill people by the thousands, cause ill-will across the planet against ALL Americans (not just US leaders)... and who gets the bill for all of this while they ride pretty free to do anything they want without consequence? That's right! We the People.
And this is not a problem of "electing the wrong people." There are no "right people" for these jobs! If you had the same employment plan where you could do just about anything you like and suffer none of the consequences, it becomes pretty easy to accept... I know I'd probably fall into that trap of behavior too... it's human. (It has long been understood that corruption is a problem of opportunity and not so much a problem of bad character.)
(I know... I'm sounding rather communist/socialist. I don't actually go for that either. What I do advocate is a kind of fairness where the 'elected' have to suffer in the same crap that they create. They make the stew and we have to eat it. If THEY had to eat it with us, you can bet that it would be a lot more palatable.)
You raise the right question, but having "a way of positively identifying any person" is a bit of a shortcut.
Identification = Associating an identity with an individual, process, or request
Authentication = Verifying a claimed identity
Ok, so you are John Smith. But are you THE John Smith who is entitled to withdraw all the money on this account?
Problem is, most systems do only one step, or rather, 'both in one'.
"We have your password/SSID/whatever, on file, therefore we identify AND authenticate you..."
It's a bit like 'self-certifying' web sites, as discussed here recently. Complete bollocks, worth nothing.
Also, "The trouble with that, is that it would require a single entity (presumably government) to store (and thus have access to) this information." Hmmm...the same Govt. who recently lost (in UK) 25 million personal records?
Quis custodiet ipsos custodes?
The first one who cracks THAT problem will make gazillions...