Consumer information held by Acxiom, one of the largest collectors and processors of such data, was reportedly accessed and downloaded recently by an intruder who broke into the company’s massive database.
Law enforcement officials, who notified Acxiom of the breach, have arrested a suspect in Ohio. Acxiom claims the unlawful access to files containing personal information did not result in theft or other harm to any individuals. However, security and privacy experts said that as large consumer databases become more valuable, they are more likely to be targeted by attackers.
Today, there are legislative and other pressures forcing public disclosure of data breaches that in the past might have been kept quiet. “I think we’re going to be hearing about it a lot more – an awful lot more,” Forrester research director Michael Rasmussen told TechNewsWorld. “The climate’s changing now, and there’s a huge amount of liability pressure.”
Unlawful Access
In a security alert on its Web site, Acxiom said the unauthorized access occurred as information was being exchanged with Acxiom clients — which include IBM, Microsoft, AT&T, General Electric, Bank of America and Sears — over a single File Transfer Protocol (FTP) server.
“The files that were accessed contained a wide variety of client information, some of which was personally identifiable and some of which was not,” the alert said. “Most of the data was nonsensitive, and some of the data was encrypted.”
Acxiom spokesperson Dale Ingram told TechNewsWorld that the access involved one of the company’s thousands of servers and that the Little Rock, Arkansas-based company was made aware of the breach by law enforcement officials.
Keeping Track
Electronic Privacy Information Center deputy counsel Chris Hoofnagle told TechNewsWorld that there is an increased risk for information exposure, especially as a result of the war-on-terrorism mandate to collect information.
“The risk is heightened now that Acxiom, ChoicePoint and other database aggregators are focused on selling personal information to the government,” Hoofnagle said. “This data, of course, is going to become more attractive to hackers.”
He said if law enforcement tipped off Acxiom to the breach, it might indicate the company has either no intrusion detection or poor-quality intrusion detection, which Hoofnagle said is a problem.
Closing Off Holes, Consumers
Acxiom’s Ingram said the company has conducted a “quick review” and has eliminated the vulnerability that allowed access to the information. Acxiom also is working with law enforcement as part of an ongoing investigation.
While the company claims “only a small portion of all the information Acxiom processes for our clients was accessed,” Acxiom is not informing consumers whether or not their information was among the exposed data.
“Because the information belongs to Acxiom’s clients, we are not currently authorized to answer questions from individuals about whether their information was accessed in the breach,” said the security alert. “We are working with our clients to assess the impact on their customers.”
Liability Looms Large
Hoofnagle, who said companies like Acxiom are finding a new market for consumer information with the government, said a California database security law that took effect in July represents a larger push for disclosure of such lapses.
“As a result, you’re going to see more notices to the public about security breaches,” he said. “That is going to foster concern over the security of these databases.”
Forrester’s Rasmussen agreed, referring to the California law — introduced at the federal level — and Federal Trade Commission efforts to force disclosure.
“There’s just a lot of pressure from a lot of different angles,” Rasmussen said. “Companies are going to protect themselves and do the right thing. I’m sure Acxiom is going to be changing its privacy policy.”
So when does Acxiom and their customers notify California consumers of the breach..as per the new disclosure law July 1, 2003?