Slashdot Mirror


IT Pro Admits Stealing 8.4M Consumer Records

Billosaur writes "The Channel Register is reporting that a database administrator at Fidelity National Information Services, a consumer reporting agency in Florida, has admitted to stealing more than 8.4 million account records and selling them to a data broker. The DBA, William Gary Sullivan, faces up to 10 years in prison and fines of $500,000. He worked at a subsidiary of Fidelity and used his access to its database to steal customer names, addresses and financial account information, then used a business he incorporated to sell the list to an accomplice, who eventually sold it to direct marketing firms."

22 of 108 comments

  1. Let's just assume... by TheMeuge · Score: 3, Informative

    Given the number of these news lately, let us just assume that EVERYONE'S personal information has been compromised. The problem is that the only way to combat identity theft, is to have a way of positively identifying any person. The trouble with that, is that it would require a single entity (presumably government) to store (and thus have access to) this information. So the question is this - what's worth more to us - financial safety, or privacy and anonymity.

    Of course, this all assumes that the current financial system stays as is... when it is as much to blame for the rash of identity theft, as the thieves themselves... because it both makes it easy to establish credit, and difficult to recover one's credit and finances, once they've been compromised.

    In essence, the system is structured to benefit the lenders with little regard for the clients. (yeah, i know - big surprise).

  2. Fidelity by Anonymous Coward · Score: 3, Funny

    Indeed

  3. Receiving stolen property by SystemFault · Score: 4, Insightful

    Receiving stolen property is a charge I'd like seeing brought against the direct marketers who bought or rented the list. This would be a good deterrent against shady data acquisition practices.

  4. totally different organizations by peter303 · Score: 3, Informative

    Fidelity is a very common name in financial services.

    1. Re:totally different organizations by Aqua_boy17 · Score: 2, Funny

      Fidelity is a very common name in financial services.

      I suppose that makes sense. I'd have little motivation to invest my money with a company named "Infidelity" unless they made pr0n videos, that is.
      --
      What if the Hokey Pokey really is what it's all about?

    2. Re:totally different organizations by audentis · Score: 2, Informative

      That's because they are one of the largest financial services companies in the US. Anyone you deal with that has "Fidelity" as part of their company's name is probably a subsidiary.

      While you are correct in many respects--that Fidelity Investments (FMR Corp.) has a lot of subsidiaries--this company, Fidelity National Information Systems, is NOT one of them. They are not connected in any way.

      FMR Corp. is privately owned, whereas FNIS (NYSE:FIS) is publicly traded and a member of the S&P 500.

      I used to work for Fidelity Investments, and even for me it was often confusing which companies were ours. But this is a clear-cut case of different companies. Just want to make sure that gets out there before people start worrying about their 401Ks.

  5. Instead, authenticate the transaction. by khasim · Score: 3, Insightful

    This is fraud.

    And because it is fraud, ANY system of identifying the person will be subject to abuse.

    So don't worry about identifying the person. That's too difficult to secure. Instead, focus on validating/authenticating the transaction. That way the resources can more easily be focused.

    1. Re:Instead, authenticate the transaction. by gmack · Score: 2, Interesting

      The most common use of this by "Direct marketing firms" is not to open new transactions with it but to engage in a scam known as "Antitel".

      The idea is that the scammer calls the target and claims to be working for the bank's security department and that you will refund the money but you need to confirm the bank details and that a recording is needed for security reasons.

      Cue recording of the target with the customer repeating the info the scammer just gave the target in the first place and agreeing to a draft of $399. It's all said too quickly for the customer to hear, but if the customer objects the scammer abuses the target for messing up the computer system by not answering with "yes or no" and if needed specifies that draft means "to deposit" (it really means to withdraw) and the recording gets restarted.

      The account is then debited for the amount listed.

      If the customer objects then they are told they must return the items they purchased before they can have a refund (all $15 worth). If the customer calls their bank they are shown the recording of them agreeing to a $399 draft (withdrawal).

      Nice eh?

      I got an earful of this crap a year and a half ago when I did some IT work for a telemarketing place in Montreal. They wouldn't tell me what they were doing but after hearing the calls from start to finish a few times I figured it out in a hurry.

    2. Re:Instead, authenticate the transaction. by thePowerOfGrayskull · Score: 3, Interesting

      Did you report them?

  6. Irony? by coug_ · Score: 4, Funny

    Fidelity - n. 1. Faithfulness to obligations, duties, or observances.

  7. "used a business he incorporated to sell the list" by circletimessquare · Score: 2, Insightful

    ok i'm confused. criminality has always favored the not so bright, since if you were smart enough, you'd figure out a better way to get some loot- more of it in a safer way, which usually means you'd find a legal way

    and this guy was a DBA? all jokes aside, we are talking about a baseline level of intelligence here

    does not compute

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it

  8. Privacy vs Copyright by Em+Adespoton · Score: 4, Insightful

    Interesting... so he got off lighter than he would have had he been caught torrenting a few blockbuster movies or a few CDs of music?

    What does it say when a country values the property of its corporations more than the rights of its citizens? If they were to apply the same punishment standards to this case as they do to copyright, the guy would be in jail for life with at least a $5 million fine.

    Maybe what people have to start doing is claim copyright on all their personal information and file class action suits when it is illegally copied by some entity.

    1. Re:Privacy vs Copyright by gillbates · Score: 2, Interesting

      Maybe what people have to start doing is claim copyright on all their personal information and file class action suits when it is illegally copied by some entity.

      You mean like the MLB and NFL have been trying to do for years - copyright facts? Fortunately, facts aren't copyrightable, and there's a long history of case law to this effect.

      You know, it's interesting that privacy advocates are trying, essentially, for what amounts to security through obscurity. That is, they think that someone's private life can remain so by simply passing legislation which would limit what others can do with facts about a private individual. There are two problems with this:

      1. It amounts to an extension of copyright from creative content to merely observable facts, and
      2. It doesn't address the root problem of privacy; that is, individuals making decisions about one based upon facts gathered by others, often of dubious accountability.

      The solution to the problem of privacy is simply to require more human interaction. The job interview is the classic example - imagine if employers hired based on resume and credit score alone. While I'll admit that I don't like the fact that an employer makes hiring decisions based on rumors (which is really what a credit score is...), it could be worse...

      And then there's also the problem of "identity theft" - which is a misnomer, because even if someone uses my credentials to open accounts in my name, I still know who I am. This too, is not a problem of user privacy, but rather, that the financial industry has adopted some rather questionable protocols for verifying the identity of their customers. As it's been said before, "Failure to plan on your part does not create an emergency on my part..." If banks paid punitive damages for losing their customers' money, the problem would fix itself.

      --
      The society for a thought-free internet welcomes you.

  9. How can you stop this? by Shabbs · Score: 2, Insightful

    Short of probing everyone's orifice as they leave the office. A company's biggest threat has always been inside corruption. The access given to employees is much more damaging than anything an outsider can do, and they can do it so much faster and without being detected. Unless you're auditing every single key stroke and action taken by every single employee and questioning the movement of every piece of data using some intelligent algorithms to pick up nefarious activity, it will be nearly impossible to stop this. You'd have to eliminate any type of "connection" between the employee and the data. It can be done, but it would be hella expensive.

    --
    Mark

  10. (OT) tagging beta... by LiquidMind · Score: 2, Insightful

    is very ambiguous...case in point:

    thereasontobeadba
    = there as onto be a dba
    = the reason to bead ba
    = the reason to be a dba
    = there a son to bead ba

    ...you get the idea. and spare the offtopic mods, you were warned in the title.

    --
    This sig contains repetition and redundancy.

  11. wonder when IRS or SSA will "lose" records by peter303 · Score: 2, Funny

    UK beat USA in this race by having the identifications of 25 million of its residents stolen last month. It's only a matter of time for a US agency. I suspect the US is semi-protected by backward computer systems. Like who can read a nine-track tape anymore?

  12. You've gotta love the "personal data" game by erroneus · Score: 4, Insightful

    The game started when banks wanted to expand their range. The previous system was whether or not they know you and if they think you're a generally good person. It was a good system, but it required a lot of "humanity" to function. So to make things easier and more efficient, they decided to abuse the social security numbers being issued to individuals... a practice, I will remind anyone reading this, is actually ILLEGAL... or unlawful... whatever... there are explicitly defined rules against the use of SSNs for any purpose OTHER THAN social security use... but lo and behold, it's now the "consumer ID tracking number." (And interestingly enough, if you give an incorrect number, you could ultimately be charged with attempted fraud. They go unpunished for breaking the rule abusing the SSN, and when you 'fight back' you can be fined, imprisoned or both!)

    Now we have a "credit rating" system. It's flawed, abused and annoying, but for the banks and lenders, it's awesome. It makes their lives so much easier because now they don't have to "know you" at all! And for all this we receive WHAT in the way of benefit? Not a lot... perhaps the ability to move and take your good credit reputation with you, but that's about it. And here's the real cool part! The DANGER to you and your identity seems to become YOUR liability entirely. If you ever want to play the credit game, you have to convince them that someone else messed up your records. And all this from the institutionalized illegal behavior of abusing the social security number. The benefit is theirs, the burden is yours!

    The benefits are theirs... the burden is yours. Think about what that means and how it came to be.

    This is, in fact, rather like the US government and its national debt! You know, where the executive, legislative and judiciary get free medical and all other manner of benefits including a ridiculous retirement plan that gives full pay until you die in addition to the ever-present revolving door policies... they never need to worry about the trivial problems like we do... you know, the life-or-death matters... the stuff about food and shelter... being homeless... none of it. They get to legislate, sign statements, send teenagers off to die in battles and wars, kill people by the thousands, cause ill-will across the planet against ALL Americans (not just US leaders)... and who gets the bill for all of this while they ride pretty free to do anything they want without consequence? That's right! We the People.

    And this is not a problem of "electing the wrong people." There are no "right people" for these jobs! If you had the same employment plan where you could do just about anything you like and suffer none of the consequences, it becomes pretty easy to accept... I know I'd probably fall into that trap of behavior too... it's human. (It has long been understood that corruption is a problem of opportunity and not so much a problem of bad character.)

    (I know... I'm sounding rather communist/socialist. I don't actually go for that either. What I do advocate is a kind of fairness where the 'elected' have to suffer in the same crap that they create. They make the stew and we have to eat it. If THEY had to eat it with us, you can bet that it would be a lot more palatable.)

  13. Did a canary sing? by SystemFault · Score: 4, Interesting

    A mailing list canary is a deliberately inserted entry with (usually) a false name but with real contact information. The contact data leads back to the security arm of the firm that compiled the list. The idea is that the canary sings every time the list is used, and this is but one mechanism to detect unauthorized access.

    Maybe the DBA knew about the canary. With proper security, he shouldn't have. Or maybe the canary sang and that's how the guy got caught.

    1. Re:Did a canary sing? by gEvil+(beta) · Score: 2, Interesting

      I work in the marketing department of an organization [yeah, I know--but it's a decent-sized nonprofit that all of you have heard of, and many of you like : )] and we have a guy who tracks all the places our mailing list and many others end up. He has a mailbox set aside for all the stuff that comes in. The fictitious name that he monitors has a fairly long European-sounding last name, where he cycles through a series of letters in it to track each list. I went through the box one time and there were easily like 40 different permutations of the name in there, and this was only a few days' worth of mail. I'd love to see the database he uses to track it all...

      --
      This guy's the limit!
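The canary scheme described in comment 13 and its reply (one fictitious recipient per list copy, a long surname whose letters vary to mark which copy it came from) can be made mechanical. The following is an added example, not code from the thread or the firms mentioned; the surname, slot positions and sample records are constructed, and it also shows the reverse use: scanning a bulk export for any canary to learn whose copy of the list it is.

```python
# Mailing-list canary tracking: one fictitious recipient per list copy,
# whose surname varies at fixed letter positions so each copy can be told
# apart when it resurfaces in inbound mail or in an exported dataset.
# Added example, not from the thread. BASE_SURNAME, SLOTS and the sample
# data in demo() are constructed for illustration only.
import re

BASE_SURNAME = "vandermeulenhoven"   # constructed long European-sounding name
SLOTS = (2, 5, 8)                    # character positions that encode the copy id
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


class CanaryRegistry:
    """Maps each minted surname variant back to the party that got that copy."""

    def __init__(self):
        self._by_variant = {}

    def issue(self, recipient):
        """Mint the next unused variant and record who received that list copy."""
        n = len(self._by_variant)
        chars = list(BASE_SURNAME)
        for slot in SLOTS:               # base-26 encode n into the slot letters
            chars[slot] = ALPHABET[n % 26]
            n //= 26
        if n:
            raise ValueError("slot capacity exhausted")
        variant = "".join(chars).capitalize()
        self._by_variant[variant] = recipient
        return variant

    def lookup(self, surname):
        """Which list copy does this surname (e.g. from an inbound mailer) trace to?"""
        return self._by_variant.get(surname.strip().capitalize())

    def scan(self, text):
        """Find every canary present in a bulk export, with the copy each traces to."""
        hits = {}
        for variant, recipient in self._by_variant.items():
            if re.search(r"\b%s\b" % re.escape(variant), text, re.IGNORECASE):
                hits[variant] = recipient
        return hits


def demo():
    reg = CanaryRegistry()
    issued = {p: reg.issue(p) for p in ("partner-A", "partner-B", "internal-crm")}
    # Constructed: the addressee on an unsolicited mailer that reached the canary mailbox.
    inbound = "Mr. %s, 1 Example Street" % issued["partner-B"]
    source = reg.lookup(inbound.split(",")[0].split()[-1])
    # Constructed: a fragment of a bulk export offered for sale, in upper case.
    export = "name,account\nJane Roe,1001\n%s,1002\nJohn Doe,1003\n" % issued["internal-crm"].upper()
    return source, reg.scan(export)
```

Each list copy gets its own variant, so a single hit in either channel names the copy that leaked rather than merely confirming that something did.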

  14. Re:Big Dumb Idiot Admitted It by idontgno · Score: 3, Informative

    I dunno 'bout that. By admitting it, he kept his damage down to $500k. If it'd gone to trial, and he lost, I'd bet the penalties and forfeiture might have been higher.

    "Why would this matter?", I can hear y'all asking. Because that's the margin between profit and loss. According to TFA, he netted $580,000 from his evildoing. After his fines and penalties, he profited $80k.

    So, in this case, "4) ???" is actually "4) plead guilty". "5)" remains "PROFIT!".

    You have to be marginally smart and be willing to take acceptable short-term losses in order to make crime pay. But it can be done.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.

  15. Yes, but Identification != Authentication by Bearhouse · Score: 3, Insightful

    You raise the right question, but having "a way of positively identifying any person" is a bit of a shortcut.

    Identification = Associating an identity with an individual, process, or request
    Authentication = Verifying a claimed identity

    Ok, so you are John Smith. But are you THE John Smith who is entitled to withdraw all the money on this account?

    Problem is, most systems do only one step, or rather, 'both in one'.
    "We have your password/SSID/whatever on file, therefore we identify AND authenticate you..."

    It's a bit like 'self-certifying' web sites, as discussed here recently. Complete bollocks, worth nothing.

    Also, "The trouble with that, is that it would require a single entity (presumably government) to store (and thus have access to) this information." Hmmm...the same Govt. who recently lost (in UK) 25 million personal records?

    Quis custodiet ipsos custodes?

    The first one who cracks THAT problem will make gazillions...

  16. Re:Not stolen. by Bearhouse · Score: 2, Insightful

    I guess the difference lies within individual, and then public/group perceptions of the implications of the same thing - yes, you're right - a crime, namely theft.

    In the case of mp3s, 'the man' (a faceless corporation) takes a profit hit. The artist, too, of course.
    In the case of identity theft, some *insert stereotype one-parent family minority victim here* potentially has their life ruined.

    Hmmmm...personally, I think that identity theft should perhaps be punished more severely. The legal experts would perhaps have a few words to say about 'intent'. I'm not sure that people downloading mp3s intend to ruin people's lives...