Secondary Screening


July 15, 2005 | Acxiom's High Tech Hacker

Back in 2003, Acxiom acknowledged it had been hacked and sensitive data it owned had been downloaded.

Acxiom said the offender was a crazy smart hacker who fitznagled his way through their heavy-duty black ice and got away with only a smidgen of data.

Recent news suggests you should put down your Diet Coke so it won't snort through your nose.

Here's what Acxiom said in 2003.

"An individual, who was a former employee of an Acxiom client, was arrested in conjunction with this incident," the company said in a statement Friday. "According to law enforcement, the individual arrested was a known sophisticated hacker. He evidentially gained access through hacking of encrypted passwords."

The Little Rock, Ark.-based firm said the stolen information was retrieved. "Law enforcement has notified Acxiom that they do not believe that any of the data has been released to other parties or used for fraudulent purposes," the company said.

The breach involved one external FTP server outside Acxiom's firewall that is used to transfer files back and forth between Acxiom and its clients. The company said no internal databases were accessed and no breach penetrated its firewall. Additionally, the firm said only a small percentage of its clients' data was involved in the incident.

Full story from Internet News here.

The alleged ne'er-do-well Scott Levine, who ran a greyhat email company called SniperMail.com, is now on trial in Florida.

Levine downloaded credit card numbers and other sensitive data on millions of Americans from Acxiom using an FTP server, according to testimony.

Evidently, Snipermail was selling email addresses to Acxiom, and in the process of FTPing files to Acxiom, Levine discovered that the password for uploading files was the SAME as the one for downloading, according to the Arkansas Democrat-Gazette's Katherine Marks.

Another employee testified Levine was not only aware that he’d illegally downloaded data from Acxiom Corp. but he also encouraged him to download more.

"I would jokingly say, ‘Oops, I downloaded a file off the Acxiom server,’ and Levine would say, ‘Get more,’" Jeffrey Burstein, Snipermail.com’s lead technician, testified.
[...]

[Mike] Castro [Levine's brother-in-law] said that Snipermail.com obtained a password from Acxiom to upload data to the company. Employees were amazed to find that they could also use the password to pull information from Acxiom, he said.

"We couldn’t believe such a high-tech company would forget to change the password on something like that," Castro testified.

Levine used this security lapse to download 8.2 gigs of customer data.

One assumes that's gigs of text files and spreadsheets. Gigs that belong to Acxiom's other clients.

8.2 gigs. One hopes there were some heavy-duty video files in there because otherwise, that's a lot of credit card numbers.
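The lapse described above is a shared credential that let a client not just push files onto the exchange server but pull every other client's files back off it. As an added example (not code from the post, from Acxiom or from Snipermail), the script below reads FTP transfer records in the xferlog format that wu-ftpd and vsftpd write and flags downloads by a client account that reach outside that client's own directory, or, under a stricter drop-box policy, any download at all. The log lines, account names, hosts and directory layout are constructed for the example; the only thing taken from the story is the shape of the problem.

```python
"""Spot cross-client downloads in FTP transfer records (xferlog format).

Added example for the Acxiom case: client accounts were meant to push
files to the exchange server, but the same credential also pulled other
clients' files back down. Every sample value here is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records in the xferlog layout written by wu-ftpd and
# vsftpd. Hosts, account names and paths are invented for the example.
SAMPLE_XFERLOG = """\
Thu Jul 14 09:12:01 2005 3 192.0.2.10 52428800 /clients/acme/offers.csv a _ i r acme ftp 0 * c
Thu Jul 14 09:15:44 2005 2 192.0.2.10 1048576 /clients/acme/offers.csv a _ o r acme ftp 0 * c
Thu Jul 14 10:02:13 2005 41 198.51.100.7 734003200 /clients/globex/cardholders.txt a _ o r acme ftp 0 * c
Thu Jul 14 10:09:58 2005 12 198.51.100.7 209715200 /clients/initech/members.csv a _ o r acme ftp 0 * c
Thu Jul 14 11:30:00 2005 1 203.0.113.5 4096 /clients/globex/list.csv a _ i r globex ftp 0 * c
Thu Jul 14 11:31:00 2005 7 203.0.113.5 8388608 /clients/globex/archive.zip a _ o r globex ftp 0 * i
"""

# The directory each client account is entitled to (constructed policy).
CLIENT_ROOTS: Dict[str, str] = {
    "acme": "/clients/acme/",
    "globex": "/clients/globex/",
    "initech": "/clients/initech/",
}


@dataclass
class Transfer:
    user: str
    host: str
    path: str
    size: int
    direction: str  # 'i' = upload to the server, 'o' = download from it
    complete: bool  # completion-status 'c'; 'i' means the transfer was cut off


def parse_xferlog_line(line: str) -> Transfer:
    """Parse one xferlog record.

    A record has 8 fixed tokens before the filename (five for the
    timestamp, then transfer-time, remote-host, file-size) and 9 after it
    (transfer-type, special-action-flag, direction, access-mode, username,
    service-name, authentication-method, authenticated-user-id,
    completion-status), so the filename is whatever sits in between,
    spaces included.
    """
    tokens = line.split()
    if len(tokens) < 18:
        raise ValueError(f"not an xferlog record: {line!r}")
    head, tail = tokens[:8], tokens[-9:]
    return Transfer(
        user=tail[4],
        host=head[6],
        path=" ".join(tokens[8:-9]),
        size=int(head[7]),
        direction=tail[2],
        complete=(tail[8] == "c"),
    )


def find_suspicious_downloads(log_text: str, roots: Dict[str, str],
                              upload_only: bool = False) -> List[Transfer]:
    """Return downloads that violate the client policy.

    With upload_only=False a download is flagged when the account reads a
    file outside its own root (another client's data, or an account with
    no root at all). With upload_only=True every download by a client
    account is flagged, which is the drop-box model a file exchange with
    clients should follow.
    """
    hits: List[Transfer] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t = parse_xferlog_line(line)
        if t.direction != "o":
            continue
        root = roots.get(t.user)
        if upload_only or root is None or not t.path.startswith(root):
            hits.append(t)
    return hits


def bytes_pulled(transfers: List[Transfer]) -> int:
    """Total bytes actually delivered by the flagged downloads."""
    return sum(t.size for t in transfers if t.complete)


if __name__ == "__main__":
    hits = find_suspicious_downloads(SAMPLE_XFERLOG, CLIENT_ROOTS)
    for t in hits:
        print(f"{t.user}@{t.host} pulled {t.path} ({t.size} bytes)")
    print(f"{bytes_pulled(hits)} bytes of other clients' data downloaded")
```

On the constructed sample the default policy flags the two transfers where the acme account reads globex and initech files and ignores acme reading its own upload; the drop-box policy flags every download. The log-side check complements the server-side fix the story implies: one account per client, confined to its own directory (vsftpd's chroot_local_user), and for pure drop-box accounts no download permission at all (vsftpd's download_enable=NO).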

Full story here (reg req).

Update: Remove erroneous substitution of Amazon for Acxiom in one sentence. Amazon was on the brain.

Posted by Ryan Singel at July 15, 2005 11:59 AM

Trackback Pings


Listed below are links to weblogs that reference Acxiom's High Tech Hacker:

» Secondary Screening: Acxiom's High Tech Hacker from Privacy Digest: Privacy News (Civil Rights, Encryption, Free Speech, Cryptography)

Tracked on July 16, 2005 10:51 AM

» Axciom, 8.2 gb of love, Bad Password from Emergent Chaos
In "Acxiom's High Tech Hacker," Ryan Singel describes how Scott Levine downloaded 8.2 gb of data that customers had uploaded to an Axciom FTP server. The server was misconfigured, and anyone could login and see other people's data. "According to...

Tracked on July 18, 2005 08:42 AM


>>>> Amazon using an FTP server

Did you mean to say Acxiom??

Posted by: Paul at July 16, 2005 10:02 AM

This is nothing unusual, really. I've seen a major architectural firm use an FTP server for upload/download of files with clients...and use the anonymous account for that. It seemed that having individual accounts for each customer was too cumbersome...for all two dozen of them.

Is this situation unusual? Not really. Is the way in which it was (mis)reported unusual? No, not really. Will either situation change in the future? Don't hold your breath...

Posted by: keydet89 at July 18, 2005 09:54 AM
