Tuesday, February 28, 2006

The tragicomic security failures of the financial services industry: Acxiom's story

The security situation in the financial services industry has passed beyond shocking into darkly comical. For about four years the personal data, effectively the digital identities, of millions of Americans were sold for less than a dollar apiece to criminal organizations. The source was Acxiom, a little-known financial services company that provides transactional services for the credit card industry. This very poorly written story also has some interesting details on how extraordinary the financial data mining industry has become (I've edited it as much as I can to help make it a bit more coherent):
Data Thief Exposes Flimsy Security, Nets 8 Years

Posted on 02/24/2006 @ 16:55:34 in Security.

The former owner of an email marketing company in Boca Raton, Florida [Scott Levine] will be spending eight years on a forced sabbatical for filching one billion data records from Acxiom, one of the world's largest managers of personal, financial, and corporate data.

According to the Cincinnati Post, Acxiom handles "14 of the 15 top credit card companies, five of the six biggest retail banks and seven of the top 10 car makers. All share the credit card and other information of their customers with Acxiom." Other customers include TransUnion and the City of Chicago. In addition, Acxiom maintains nearly 850 terabytes of storage across five football fields worth of data centers worldwide, including the US, Europe, China and Australia. Among other things, they process over a billion US postal records a day.

Acxiom claims it "continually gathers data from thousands of public and private sources," enabling it to offer the "widest and latest selection of data possible" with "the most informative, accurate and recent demographic, socio-economic and lifestyle data available at the individual or household level."

And all that data's not being collected for posterity. Acxiom offers it to direct marketers, among others, to identify the best prospects. For example, its CPI score, which is updated monthly, tracks an individual's economic life and "quantifies the size of a specific consumer's economic footprint, indicating the historical consumer purchasing and relative amount of marketing activity surrounding that individual."

... Daniel Baas... was the systems administrator for a small shop that did business with Acxiom. He was tasked with downloading his company's files from Acxiom's FTP server.

Gregory Lockhart, the US Attorney in Charge said, "Baas committed a crime when he exceeded his authorized access, looked for and downloaded an encrypted password file, and ran a password cracking program against the file."

... Baas illegally obtained about 300 passwords, including one that acted like a "master key" and allowed him to download files that belonged to other Acxiom customers. The downloaded files contained personal identification information.

Millions of records worth US$1.9 million.

... Baas burned CDs full of Acxiom's data from 10 December 2002 through New Years [year?]. Acxiom said it had no idea its security had been breached till the sheriff called nearly eight months later.

During the course of the Baas investigation, technicians stumbled over another illicit data miner... Scott Levine, owner of Snipermail... yet another Acxiom customer with a password.

The feds claimed that Levine cracked Acxiom's password system so he could filch other people's data. From January through July 2003, he abused this authority, ultimately downloading a billion records with a purported street value of US$7 million. ...

... Despite all this, you might say Scott Levine is lucky. His original indictment in July 2004 carried 144 counts. But by the time his jury was finished a year later, the US prison system's latest inductee was found guilty of just 120 counts of unauthorized access of a protected computer, two counts of access device fraud, and one count of obstruction of justice.

So there were two separate identified break-ins of which one led to one conviction on two counts. There were no consequences for Acxiom's crummy security -- after all, they were the "injured" party. The inability of the jury to convict more broadly is typical of these crimes; they are too complex for most trials. Given the history it is reasonable to assume there were other unidentified break-ins.
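The pattern the article describes, one customer account pulling a credential file off the FTP server and then fetching files that belong to other customers, is exactly what transfer logs can flag the day it happens rather than eight months later. The following is an added illustration, not code from the article or from Acxiom; the log format, the per-customer directory layout and the account names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a simplified FTP transfer log (an assumed format, not
# Acxiom's): timestamp, authenticated account, FTP command and the path touched.
SAMPLE_LOG = """\
2002-12-10T02:14:05 user=acme cmd=RETR path=/customers/acme/batch_1210.csv
2002-12-10T02:16:40 user=acme cmd=RETR path=/etc/ftp/passwd.enc
2002-12-10T03:02:11 user=acme cmd=RETR path=/customers/bigbank/cardholders_q4.csv
2002-12-10T03:05:27 user=acme cmd=RETR path=/customers/retailco/loyalty_dump.csv
2002-12-11T09:30:00 user=bigbank cmd=RETR path=/customers/bigbank/cardholders_q4.csv
2002-12-11T09:31:12 user=retailco cmd=STOR path=/customers/retailco/upload.csv
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) cmd=(?P<cmd>\S+) path=(?P<path>\S+)$")
# Filenames a customer account has no business downloading (hypothetical list).
SENSITIVE_NAMES = ("passwd", "shadow", "password")


def home_dir(user):
    """Assumed layout: each customer's files live under its own directory."""
    return f"/customers/{user}/"


def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect(log_text):
    """Return (alerts, foreign_dir_counts): one alert per download of a
    credential file or of a path outside the account's own directory, and
    per account the number of other customers' directories it read from."""
    alerts = []
    foreign = defaultdict(set)
    for ev in parse(log_text):
        if ev["cmd"] != "RETR":          # only downloads matter here
            continue
        path, user = ev["path"], ev["user"]
        name = path.rsplit("/", 1)[-1].lower()
        if any(s in name for s in SENSITIVE_NAMES):
            alerts.append((ev["ts"], user, "credential-file download", path))
        elif not path.startswith(home_dir(user)):
            alerts.append((ev["ts"], user, "cross-customer download", path))
            if path.startswith("/customers/"):
                foreign[user].add(path.split("/")[2])
    return alerts, {u: len(dirs) for u, dirs in foreign.items()}


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG)[0]:
        print(*alert)
```

A single account that reads from several other customers' directories is the "master key" behaviour the article describes, and the count returned per account is the number to alert on.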

Bruce Schneier has written for years that nothing will happen until the financial services companies are held directly liable for their security.

There's a lot of enthusiasm in many quarters for electronic health care standards and transactions. Often the security of financial industry transactions is upheld as an indicator that privacy and security issues will be managed well. Pardon my skepticism.
