According to Attrition.org Data Loss Database, Acxiom has suffered only a single breach in December 2003. In actuality, Acxiom experienced at least two data breaches, the one as reported in December 2003 and another first reported in July 2004. The latter is often referred to as the "worst breach ever" in terms of total records exposed.
In both cases, the perpetrators were employees of third-party companies that at some point had legitimate access to the Acxiom FTP servers but then used additional hacking to gain access to the data. The investigation of the first breach led to the discovery of the second. The second has been described as the largest data breach ever, exposing as many as 1.6 billion records. Both resulted in either a guilty plea or a conviction.
Baas worked for a company that contracted with Acxiom to perform data analysis. Baas had legitimate access to the files to begin with because the company was contracted to analyze them. It was only later that he cracked the passwords and downloaded additional files. The plea agreement announcement states:
The statement of facts says Baas illegally obtained about 300 passwords, including one that acted like a "master key" and allowed him to download files that belonged to other Acxiom customers. The downloaded files contained personal identification information.
Additional information about Daniel Baas is available via Google Search.
Acxiom describes this in their FY2004 10-K:
In early August 2003 management determined that the Company had experienced unlawful security breaches of its file transfer protocol ("FTP") server. Unauthorized access to certain files occurred as a result of information being exchanged between the Company and a number of clients via the FTP server. Acxiom was among several companies whose security was breached. Law enforcement authorities have arrested and charged a former employee of one of Acxiom's clients and are investigating another company. Thus far, seven individuals have pled guilty and are awaiting sentencing. The Company continues to fully cooperate with the investigation, which involves multiple law enforcement agencies.
Only FTP files on a server located outside of the Company's firewall were compromised and not all FTP files nor all clients were affected. No internal systems or databases were accessed, and there was no breach that penetrated the Acxiom security firewall. Based on the facts known to management, the Company does not believe that there is any risk of harm to individuals, and the Company does not expect any material adverse effect from this incident.
The second breach was perpetrated by Scott Levine, who was the chief executive of Snipermail.com, a company often alleged to be a spammer.
Acxiom updates the situation in their FY2005 10-K:
In early August 2003 management determined that the Company had experienced unlawful security breaches of its file transfer protocol ("FTP") server. Unauthorized access to certain files occurred as a result of information being exchanged between the Company and a number of clients via the FTP server. Acxiom was among several companies whose security was breached. Law enforcement authorities have arrested and charged a former employee of one of Acxiom's clients. That person eventually pled guilty to various computer crimes and is currently incarcerated. As a result of that investigation a second set of unauthorized intrusions of the same FTP server was discovered. Those intrusions were traced to another company, Snipermail.com, Inc. of Boca Raton, Florida. On July 21, 2004 a 144-count Federal indictment was issued against the former leader of that company and the case against him is currently expected to be tried in the summer of 2005.
In both sets of intrusions only FTP files on a server located outside of the Company's firewall were compromised and not all FTP files nor all clients were affected. No internal systems or databases were accessed, and there was no breach that penetrated the Acxiom security firewall. Based on the facts known to management, the Company does not believe that there is any risk of harm to individuals, and the Company does not expect any material adverse effect from this incident. The investigating government agencies have publicly stated that there is no evidence to indicate that consumers were subjected to any instances of harm as a result of these incidents.
The indictment describes the circumstances in great detail. The Levine "hack" sounds about the same as what Baas did. Counts 142 and 143 of the indictment are for "Access Device Fraud" and indicate that he illegally possessed IDs/passwords on two occasions: May 22, 2003 and July 24, 2003. The evidence list (page 63) lists "ftpsam724 log (106 pgs)" and "L0phtcrack report 07-24-23.txt log of cracked passwords". It appears that some data was downloaded without using cracked passwords, but the bulk was accessed using stolen credentials.
In some instances, the media referred to Levine as a malicious insider, and in others portrayed him as an outside hacker. The reality is probably a bit of both. The Levine company (Snipermail) was a sub-contractor for a contractor with the unnamed Company 1 that worked with Acxiom. According to the indictment, Snipermail was only allowed to upload files to a specific location. There wasn't any direct business relationship between Acxiom and Snipermail. So, even though there was some "inside" information and authorized access, was it much different than if a public FTP server was exploited in a similar manner?
Another bone of contention with regard to the Levine trial (and Acxiom's reports to the media) concerned the number of records that were actually accessed. At different times, the number has ranged anywhere from tens of thousands to over a billion. Part of the confusion stems from the fact that people and records were often referred to interchangeably. Lyger from Attrition has an excellent discussion of this and of the problems the semantic confusion causes.
I'm of the mindset that when discussing data breaches, the number of people does not necessarily equal the number of records. I'm sure that often incidents occur where one person has multiple records compromised (CardSystems or TJX come to mind). And, assuming that I haven't completely missed the boat with counting records and people, here is what I've found out about the numbers in the Acxiom breach.
The greatest number of records reported as having been exposed is 1.6 billion. That number appears to have originated with an expert witness named Tom Hiller, also known as Thomas E. Hiller (reported here). He was #22 on the US witness list (pg 41) and testified on 26 July 2005.
Hiller used to work for Metromail as Vice President, Data Acquisition; he left in 1997 (article from 1998 mentioning both Metromail and Acxiom). And you may have heard of Metromail as the company that used Texas prison labor to process survey data until 1994. They quit doing this after a lady received a sexually graphic letter from a rapist in prison. Metromail was subsequently sued in a class action lawsuit (reported here).
So Hiller appears to have the appropriate credentials and should know what he is talking about. We have to assume that the reporter heard the 1.6 billion number correctly and reported on it. Unfortunately, the trial transcripts are not available electronically and some are sealed (see #158).
The news report timeline of a billion records: Google News Search
So, what kind of data does Acxiom handle and how much? According to their sales-marketing fact sheet:
Acxiom's InfoBase can best be described as a "monster." Over 200 items of your most private data--total value vehicles owned, available home equity and market value, date of birth, gambling and drinking habits, your politics, etc. -- from 176 million individuals in 114 million households. That's pretty much all of us, isn't it? Acxiom, like ChoicePoint, has Homeland Security contracts, garnered with the help of retired General and former presidential candidate, Wesley Clark, who is an Acxiom-paid board member; $300,000 in 2002.
Client success story talks about 290 million records and FTP:
Acxiom Chief Privacy Officer testimony to House Committee on Energy and Commerce in 2001:
- Acxiom does not have one big database that contains detailed information about all individuals. Instead, we have many databases developed and tailored to meet the specific needs of our business customers' entities that are carefully screened and with whom we have legally-enforceable contractual commitments.
- Acxiom does not provide information on a particular individual to the public. The information we sell is provided only to qualified businesses for specific legitimate business purposes. I cannot call up from our databases a detailed dossier on any of you, let alone me.
- The information we provide cannot be used, according to existing law, for decisions of credit, insurance or employment. These activities are regulated by the Fair Credit Reporting Act and such uses are prohibited under our contracts.
- Acxiom does not contribute to the nation's identity theft problem. We do not sell Social Security numbers or credit card numbers to anyone, nor do we sell credit or other detailed personal financial information that could be used to steal someone's identity.
- Acxiom does not develop any information products containing sensitive information. We define sensitive information as personal information about children, medical information, and detailed financial information. The only exception to this would be a situation where the consumer has opted-in to volunteer such information for distribution or where the information may be a part of the public record.
- Acxiom does not sell detailed or specific transaction-related information on individuals or households, such as what purchases an individual made on the Web or what Web sites they visited. The information we provide is general in nature and not specific to an individual purchase or transaction. For marketing purposes, businesses need information about the household, not the specific individuals comprising the household.
That's nice testimony, but what about reality? What does Acxiom really do? Remember Torch Concepts and JetBlue? Acxiom provided PNR and demographic data to Torch Concepts. From the EPIC complaint:
30. The information Acxiom provided to Torch Concepts about these passengers included gender, home specifics (owner/renter, etc.), years at residence, economic status (income, etc.), number of children, Social Security number, number of adults, occupation, and vehicle information.
32. The presentation disclosed "Anomalous Demographic Information" on one JetBlue passenger, including addresses, cities, states, zip codes, Social Security numbers, date of birth, and lengths of residence, though the passenger was not identified by name.
And once something is released on the web, it just never seems to disappear and can always be found somewhere.
Here are DHS reports about the incident:
DHS has more precise info (from pg 22):
In September 2002, Acxiom provided Torch Concepts with approximately five million JetBlue PNRs representing 2,226,715 passengers. These records corresponded to JetBlue passengers traveling over a 33-month period. Torch Concepts received this data set in an encrypted format via a File Transfer Protocol (FTP) web site maintained by Acxiom.
Torch Concepts then purchased supplementary demographic information on passengers from Acxiom. This commercially available dataset of demographic information included social security numbers, salary data, housing ownership indicators, and length of residence, among other information. Acxiom matched the demographic data to the JetBlue airline passenger data and provided it to Torch Concepts.
Torch Concepts followed the same internal security procedure each time it received data from Acxiom. In each case, Torch Concepts decrypted the files it received via Acxiom's FTP site and then disconnected the host computer from the internet and intranet.
And then there is DARPA's interest in using Acxiom in 2002:
Coverage claimed: Acxiom spends about $50M for data on US data and covers more than 80% of the population. They have 80% coverage in the UK and have some coverage in Australia, Canada and Germany.
Acxiom has an interesting take on their responsibilities with respect to the data breaches:
The files that were accessed contained a wide variety of client information, some of which was personally identifiable and some of which was not. Most of the data was non-sensitive, and some of the data was encrypted.
Because the information belongs to Acxiom's clients, we are not authorized to answer questions from individuals about whether their information was accessed in the breach. We are working with our clients to assess the impact on their customers. Both Acxiom and our clients are taking this situation very seriously.
In their response to the class action (footnote 4):
At one point in the Complaint, plaintiff contends that when Acxiom's clients' information was stolen, Acxiom was (or should be) obligated to directly notify the consumers from whom Acxiom's clients had collected information. No such legal obligation has ever existed. Indeed, while Arkansas enacted a data security notification statute years after the incident in question, even under this new statute, in the event its clients' data is stolen, Acxiom's only obligation is to notify its clients of the incident. See, e.g., Ark. Code Ann. § 4-110-105 (2005). The Arkansas legislature chose not to impose upon Acxiom a duty to notify consumers directly. Id. Plaintiff certainly should not be permitted to invent a duty for which there is no authority and which the Arkansas legislature has, at least impliedly, rejected. See Arthur v. Zearley, 895 S.W.2d 928 (Ark. 1995) (invoking canon of expressio unius est exclusio alterius for the proposition that where a statute imposes clear requirements, that which is not expressly included must be excluded).
Acxiom seems to view this as a set of separate, discrete data breaches and not one gigantic one. The indictment lists over 130 files that were downloaded (with about 80 downloads after 1 July 2003 alone). It makes one wonder whether any of these stolen files contained individuals who should have been notified under SB 1386. That issue was raised after the original Baas hack was revealed.
SB 1386 became effective on July 1, 2003. It requires any:
state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Personal information is defined as:
(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
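As an added example (not from the original post), the following Python check applies the quoted definition to a set of records: a name paired with one of the listed data elements, the account-number rule in (3), the "either is not encrypted" clause, and a count of triggering records versus distinct people limited to California residents. The field names and the sample records are constructed assumptions.

```python
from dataclasses import dataclass, field

# Data elements from subsection (e)(1)-(2); field names are constructed assumptions.
STANDALONE_ELEMENTS = ("ssn", "drivers_license", "ca_id_card")


@dataclass
class Record:
    first_name: str = ""       # full first name or first initial
    last_name: str = ""
    state: str = ""            # residency; the statute covers residents of California
    fields: dict = field(default_factory=dict)   # data element -> value
    encrypted: set = field(default_factory=set)  # "name" or element names stored encrypted


def triggering_elements(r: Record) -> list:
    """Data elements present in the record that satisfy (e)(1)-(3)."""
    hits = [e for e in STANDALONE_ELEMENTS if r.fields.get(e)]
    # (3): an account or card number only counts together with a security code,
    # access code or password that would permit access to the financial account.
    if r.fields.get("account_number") and (
        r.fields.get("security_code") or r.fields.get("access_code") or r.fields.get("password")
    ):
        hits.append("account_number")
    return hits


def is_personal_information(r: Record) -> bool:
    """Name plus at least one data element, with the name or the element unencrypted."""
    if not (r.first_name and r.last_name):
        return False
    name_clear = "name" not in r.encrypted
    # Literal reading of "when either the name or the data elements are not encrypted":
    # the pairing counts unless both the name and the element were encrypted.
    return any(name_clear or e not in r.encrypted for e in triggering_elements(r))


def assess(records: list, state: str = "CA") -> dict:
    """Count triggering records and distinct individuals among residents of `state`."""
    hits = [r for r in records if r.state == state and is_personal_information(r)]
    # Records and people are different counts: one person may appear in several files.
    # Name-based identity is only an approximation, as the post itself points out.
    people = {(r.first_name.lower(), r.last_name.lower()) for r in hits}
    return {"records": len(hits), "people": len(people)}


# Constructed sample resembling fields a downloaded client file might hold.
SAMPLE = [
    Record("Jane", "Doe", "CA", {"ssn": "000-00-0000"}),
    Record("Jane", "Doe", "CA", {"account_number": "ACCT-0001", "access_code": "1234"}),
    Record("J", "Roe", "CA", {"ssn": "000-00-0001"}, {"name", "ssn"}),  # both encrypted
    Record("Sam", "Poe", "CA", {"account_number": "ACCT-0002"}),        # no code: not (3)
    Record("Ann", "Lee", "NV", {"drivers_license": "X1234567"}),        # not a CA resident
    Record("", "Smith", "CA", {"ssn": "000-00-0002"}),                  # no first name
]

if __name__ == "__main__":
    print(assess(SAMPLE))  # {'records': 2, 'people': 1}
```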
Since there isn't any way to know what was actually contained in the files that were downloaded by Levine, it is impossible to know if any data elements were present that would have triggered a breach notification. But we can still speculate and use what is known to do a little sleuthing.
In the indictment there are a number of companies that are simply referenced as Company 1, Company 2 and Company 3.
According to the trial docket, two companies filed sealed motions: Polo Ralph Lauren Corporation and Philip Morris USA Inc. Philip Morris is listed among the major clients in Acxiom's 2004 annual report (as well as 2005 and 2006). Additionally, Anheuser-Busch is mentioned in the evidence list on page 47. It is not clear whether any of these is Company 1.
Based on the evidence list, Company 2 is clearly Harrah's Entertainment. Page 45 refers to "Harrah's Entertainment 203 Ferry Street Seeds and Decoys" and page 47 refers to "Harrah's Entertainment Seed Data". Harrah's Metropolis casino is listed at 203 Ferry Street, Metropolis IL.
Also in the evidence list, on page 44, there are numerous references to the postal addresses and the "Allegra Campaign". It can be inferred that Company 3 is most likely Aventis (or post-2004, sanofi-aventis).
So, according to the indictment, on May 23, 2003, Levine downloaded 10 files from Acxiom's FTP server that belonged to Harrah's Entertainment. These records were included in the list provided to Direct Partner Solutions. In August 2003, Harrah's received numerous advertisements for Allegra at the "seeds and decoys" addresses; Levine was confronted with this on August 7, 2003 and replied on August 8 and 12 (page 44 of the evidence list).
Now, it just so happens that Harrah's Rincon Casino and Resort is in San Diego, California and opened in August 2002. It would be very interesting to know whether any of their California employees were included in the data that Levine downloaded from Acxiom. And if there were California employees, did the files contain any of the additional data elements that might have triggered an SB 1386 notification? Had the stars aligned just so, it could have been one of the first notifications under SB 1386.
According to the indictment, Levine/Snipermail had access to the Acxiom FTP server from at least November 2001 until August 2003. Levine was accused of downloading about 8 GB of data (the bulk of it between March 2003 and August 2003). But he was only convicted on the counts that involved unauthorized access beginning on May 20, 2003. The indictment states 302 files from 23 different accounts. However, counts 2-5 indicate that there was access at least as far back as April 2002. So, in all likelihood there was additional access that is not specifically addressed in the indictment.
This all adds up to a company that has 20 billion records on file covering some 300 million individuals (and tracking just about every detail about them) and processes 1.5 billion records per day. Levine had access to Acxiom's FTP server for eighteen months. Even if only a small number of clients used that FTP server and were accessed, it seems well within reason to assume that 1.6 billion records could have been exposed.
When I started looking at this I thought that 1.6 billion was just some media shock number, but the more I dug the more reasonable it seemed. I can understand some reluctance in accepting the number since it far outweighs other data loss incidents. But, then again, maybe that just underscores the seriousness of it.