Slashdot Mirror


IT Pro Admits Stealing 8.4M Consumer Records

Billosaur writes "The Channel Register is reporting that a database administrator at Fidelity National Information Services, a consumer reporting agency in Florida, has admitted to stealing more than 8.4 million account records and selling them to a data broker. The DBA, William Gary Sullivan, faces up to 10 years in prison and fines of $500,000. He worked at a subsidiary of Fidelity and used his access to its database to steal customer names, addresses and financial account information, then used a business he incorporated to sell the list to an accomplice, who eventually sold it to direct marketing firms."

5 of 108 comments

  1. Re:Instead, authenticate the transaction. by gmack · · Score: 2, Interesting

    The most common use of this by "Direct marketing firms" is not to open new transactions with it but to engage in a scam known as "Antitel".

    The idea is that the scammer calls the target and claims to be working for the bank's security department and that you will refund the money but you need to confirm the bank details and that a recording is needed for security reasons.

    Cue recording of the target with the customer repeating the info the scammer just gave the target in the first place and agreeing to a draft of $399. It's all said too quickly for the customer to hear but if the customer objects the scammer abuses the target for messing up the computer system by not answering with "yes or no" and if needed specify that draft means "to deposit" (it really means to withdraw) and the recording gets restarted.

    The account is then debited for the amount listed.

    If the customer objects then they are told they must return the items they purchased before they can have a refund (all $15 worth). If the customer calls their bank they are shown the recording of them agreeing to a $399 draft (withdrawal).

    Nice eh?

    I got an earful of this crap a year and a half ago when I did some IT work for a telemarketing place in Montreal. They wouldn't tell me what they were doing but after hearing the calls from start to finish a few times I figured it out in a hurry.

  2. Did a canary sing? by SystemFault · · Score: 4, Interesting

    A mailing list canary is a deliberately inserted entry with (usually) a false name but with real contact information. The contact data leads back to the security arm of the firm that compiled the list. The idea is that the canary sings every time the list is used, and this is but one mechanism to detect unauthorized access.

    Maybe the DBA knew about the canary. With proper security, he shouldn't have. Or maybe the canary sang and that's how the guy got caught.

    1. Re:Did a canary sing? by gEvil+(beta) · · Score: 2, Interesting

      I work in the marketing department of an organization [yeah, I know--but it's a decent-sized nonprofit that all of you have heard of, and many of you like : )] and we have a guy who tracks all the places our mailing list and many others end up. He has a mailbox set aside for all the stuff that comes in. The fictitious name that he monitors has a fairly long European-sounding last name, where he cycles through a series of letters in it to track each list. I went through the box one time and there were easily like 40 different permutations of the name in there, and this was only a few days' worth of mail. I'd love to see the database he uses to track it all...

      --
      This guy's the limit!
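
The per-list name variants described in the two comments above, as an added example (not code from the thread or from any organization mentioned): each copy of a list gets its own spelling of one fictitious surname, and inbound mail is mapped back to the copy it came from. The surname, the key and the HMAC-based choice of letters are assumptions; the comments only say the letters are cycled per list.

```python
import hashlib
import hmac
import re

BASE_SURNAME = "Vandersteenhoven"   # constructed fictitious surname
SECRET = b"constructed-demo-key"    # assumption: known only to the security team
VOWELS = "aeiou"
UNREGISTERED = "unregistered-variant"

def skeleton(name):
    """Blank out the vowels so every spelling of the canary compares equal."""
    return "".join("_" if c in VOWELS else c for c in name.lower())

def canary_surname(label):
    """Cycle the vowels of the base surname using a keyed digest of the label."""
    digest = hmac.new(SECRET, label.encode(), hashlib.sha256).digest()
    out, i = [], 0
    for ch in BASE_SURNAME:
        if ch in VOWELS:
            out.append(VOWELS[digest[i] % len(VOWELS)])
            i += 1
        else:
            out.append(ch)
    return "".join(out)

class CanaryRegistry:
    def __init__(self):
        self.issued = {}  # lower-cased surname -> recipient of that list copy

    def issue(self, recipient):
        """Return a surname spelling no other list copy has been given."""
        n = 0
        while True:
            name = canary_surname(f"{recipient}#{n}")
            if name.lower() not in self.issued:
                self.issued[name.lower()] = recipient
                return name
            n += 1  # collision with an earlier copy: derive another spelling

    def attribute(self, addressee):
        """Map the addressee line of received mail to the list copy it came from.

        Returns the recipient, UNREGISTERED for a canary-shaped name that was
        never issued (a mistyped or altered entry), or None for ordinary mail.
        """
        verdict = None
        for token in re.findall(r"[a-z]+", addressee.lower()):
            if token in self.issued:
                return self.issued[token]
            if skeleton(token) == skeleton(BASE_SURNAME):
                verdict = UNREGISTERED
        return verdict
```

An `UNREGISTERED` result is worth a manual look: it means the canary record is in circulation but its spelling no longer matches any copy that was handed out.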
  3. Re:Privacy vs Copyright by gillbates · · Score: 2, Interesting

    Maybe what people have to start doing is claim copyright on all their personal information and file class action suits when it is illegally copied by some entity.

    You mean like the MLB and NFL have been trying to do for years - copyright facts? Fortunately, facts aren't copyrightable, and there's a long history of case law to this effect.

    You know, it's interesting that privacy advocates are trying, essentially, for what amounts to security through obscurity. That is, they think that someone's private life can remain so by simply passing legislation which would limit what others can do with facts about a private individual. There are two problems with this:

    1. It amounts to an extension of copyright from creative content to merely observable facts, and
    2. It doesn't address the root problem of privacy; that is, individuals making decisions about one based upon facts gathered by others, often of dubious accountability.

    The solution to the problem of privacy is simply to require more human interaction. The job interview is the classic example - imagine if employers hired based on resume and credit score alone. While I'll admit that I don't like the fact that an employer makes hiring decisions based on rumors (which is really what a credit score is...), it could be worse...

    And then there's also the problem of "identity theft" - which is a misnomer, because even if someone uses my credentials to open accounts in my name, I still know who I am. This too, is not a problem of user privacy, but rather, that the financial industry has adopted some rather questionable protocols for verifying the identity of their customers. As it's been said before, "Failure to plan on your part does not create an emergency on my part..." If banks paid punitive damages for losing their customer's money, the problem would fix itself.

    --
    The society for a thought-free internet welcomes you.
  4. Re:Instead, authenticate the transaction. by thePowerOfGrayskull · · Score: 3, Interesting

    Did you report them?