Trial Highlights Vulnerability of Databases
By ANN CARRNS
Staff Reporter of THE WALL STREET JOURNAL
August 3, 2005; Page B1
http://online.wsj.com/article/0,,SB112303369519303392,00.html?mod=technology%5Ffeatured%5Fstories%5Fhs
LITTLE ROCK, Ark. -- Companies owning databases brimming with consumers'
personal information pitch themselves as private-sector versions of Fort
Knox -- heavily guarded fortresses of lucrative assets. But the trial of a
spammer accused of stealing more than one billion records from data seller
Acxiom Corp. shows how easy it can be to penetrate those defenses.
Scott Levine, an owner of Snipermail.com Inc., a defunct bulk-email
marketing company, is accused of conspiring to download roughly 1.6 billion
names, addresses, phone numbers and other personal information from an
Acxiom computer server in 2002 and 2003.
Acxiom acknowledges that the purloined data could include information about
"tens of millions" of Americans. If so, the intrusion ranks among the
biggest personal-data breaches ever disclosed in the U.S. In comparison,
CardSystems Solutions Inc. in June said hackers may have put the data of as
many as 40 million consumers at risk by obtaining information on
approximately 200,000 credit- and debit-card accounts.
Acxiom executives say the breach exposed little "sensitive" data likely to
be used in identity theft, and there is no sign any consumers were harmed.
Prosecutors allege Mr. Levine sought only to resell the data to other
marketers. But evidence presented by the government at Mr. Levine's trial,
now in its third week here, suggests that Snipermail easily downloaded a
file containing encrypted passwords of about 300 Acxiom customers.
Acxiom didn't know it had been invaded until being contacted by
investigators in Ohio following the 2003 arrest of a man who worked for an
Acxiom subcontractor and was accused of illegally downloading information
from a company computer server. Acxiom then detected more intrusions of the
same server, which were traced to Snipermail.
"We should have known better," concedes Jerry Jones, who leads Acxiom's
business-development and legal teams. Since the Snipermail incident, Acxiom
has toughened its encryption and password protocols and enhanced
intrusion-detection systems. Acxiom also conducted 82 security audits
during the past year, noting that its quick response and other efforts to
reassure customers have helped it keep every client affected by the breach.
The company says that the vast bulk of its data was never at risk because
the breach occurred at a server located outside its technology "firewall."
Mr. Levine's trial comes at an awkward time for Acxiom, which is known for
its unconventional culture and political connections but suddenly is
fighting for its life as a public company. Acxiom's largest shareholder,
ValueAct Capital, is pressing ahead with a $2 billion takeover offer, even
though Acxiom insists it isn't interested.
Rejection of the proposal by Acxiom directors last month raises the
possibility that the San Francisco investment firm, which typically takes
an active role in companies where it owns stakes, could take its fight
directly to other Acxiom shareholders with a tender offer.
Jeffrey Ubben, a ValueAct managing partner, declines to say what his next
move will be, though he says Acxiom must move beyond its roots as a
"personality-driven" company to generate better returns for shareholders.
"We're not going away," he vows.
Previously, Mr. Ubben was chairman of Martha Stewart Omnimedia Inc. during
the home-decorating entrepreneur's legal troubles, helping to engineer that
company's rebound. In contrast to the sharp criticism of Charles Morgan,
Acxiom's chairman and top executive, Mr. Ubben remained loyal to Ms.
Stewart throughout her legal travails.
"I don't think we've done an awful job," Mr. Morgan responds with a shrug.
Still, Acxiom is firing 250 people, or 4% of its work force, as part of a
turnaround plan prompted by slumping first-quarter profit.
Founded in 1969, Acxiom (pronounced AK-see-um) pioneered the use of
computers to boost direct marketing. The company collects, stores, and
analyzes information on roughly 95% of all U.S. households, sifting through
court filings, phone books and other publicly accessible records, as well
as privately commissioned surveys, to create consumer databases that help
clients tailor marketing campaigns. Acxiom typically can tell whether a
person owns a house or has children. In addition to major credit-card
issuers, corporate clients include Allstate Corp. and Sears Holdings Corp.
Mr. Morgan, 62 years old and trained as a mechanical engineer, bought a 10%
stake in the company in 1972, as it was using computers to zero in on
potential political donors. (His current stake is valued at roughly $80
million.) Acxiom eventually put its prospecting skills to work on behalf of
companies, and Mr. Morgan created a touchy-feely place to work. In 1997,
Acxiom banished formal executive-job titles to promote flexibility, making
Mr. Morgan "company leader" instead of chief executive officer.
Mr. Morgan, who races cars as a hobby, often pores over email responses
triggered by his weekly "Morgan's Minutes" messages to employees. A meeting
area outside his small office is labeled "Charles' Conference Room." The
sleek headquarters building, overlooking the Arkansas River near downtown
Little Rock, is located at 1 Information Way.
"They give the state a very positive image," says Arkansas Gov. Mike
Huckabee, adding that Acxiom is the same kind of business magnet for the
state as Wal-Mart Stores Inc. Acxiom's board includes Thomas F. (Mack)
McLarty III, a chief of staff for President Clinton, and William T. Dillard
II, chairman and CEO of department-store chain Dillard's Inc., also of
Little Rock. Acxiom is set to hold its annual shareholder meeting today in
Little Rock.
Still, the Snipermail trial is a reminder of how vulnerable even
well-regarded data providers can be to snoops. Snipermail actually was
authorized to access Acxiom's server, because it worked for at least one of
Acxiom's customers.
The problem erupted when Mr. Levine and other Snipermail employees
allegedly downloaded a file containing encrypted passwords, unscrambled
about 40% of them and gained access to information from other Acxiom clients.
Mr. Jones, the company's legal chief, says the password file shouldn't have
been accessible and that passwords should have been harder to decode. The
downloaded information included data from Citigroup Inc. and J.P. Morgan
Chase & Co., according to courtroom evidence. A J.P. Morgan spokesman says
there is "no evidence of any attempted use" of its data. Citigroup says
there was no risk of identity theft from the stolen data.
Mr. Levine, who faces 138 criminal counts, has denied any wrongdoing,
according to his lawyer, David Garvin.
================================
George Antunes, Political Science Dept
University of Houston; Houston, TX 77204
Voice: 713-743-3923 Fax: 713-743-3927
antunes at uh dot edu