IT Pro Admits Stealing 8.4M Consumer Records

Billosaur writes "The Channel Register is reporting that a database administrator at Fidelity National Information Services, a consumer reporting agency in Florida, has admitted to stealing more than 8.4 million account records and selling them to a data broker. The DBA, William Gary Sullivan, faces up to 10 years in prison and fines of $500,000. He worked at a subsidiary of Fidelity and used his access to its database to steal customer names, addresses and financial account information, then used a business he incorporated to sell the list to an accomplice, who eventually sold it to direct marketing firms."
  • Let's just assume... (Score:4, Informative)

    by TheMeuge ( 645043 ) on Friday December 07, 2007 @05:27PM (#21617821)
    Given the number of these news items lately, let us just assume that EVERYONE'S personal information has been compromised. The problem is that the only way to combat identity theft is to have a way of positively identifying any person. The trouble with that is that it would require a single entity (presumably government) to store (and thus have access to) this information. So the question is this: what's worth more to us, financial safety, or privacy and anonymity?

    Of course, this all assumes that the current financial system stays as is... when it is as much to blame for the rash of identity theft, as the thieves themselves... because it both makes it easy to establish credit, and difficult to recover one's credit and finances, once they've been compromised.

    In essence, the system is structured to benefit the lenders with little regard for the clients. (yeah, i know - big surprise).
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday December 07, 2007 @05:34PM (#21617927)
      This is fraud.

      And because it is fraud, ANY system of identifying the person will be subject to abuse.

      So don't worry about identifying the person. That's too difficult to secure. Instead, focus on validating/authenticating the transaction. That way the resources can more easily be focused.
    • The thing that gets me is that if someone steals my identity, and writes checks, credit card payments, etc., I have to prove that the purchaser IS NOT me! That seems a little backward. Shouldn't the merchant, credit reporting company, etc., have to prove it IS me? (i.e., the presumption of innocence?) I can't hire an employee without a Social Security number, state-issued ID card, etc., to make sure that they are who they say they are. I would love to see someone release EVERYONE's name and social security number, because then
      • The UK government already gave the criminals* 25 million records of people's personal information, including their "national insurance" numbers, bank account details, names, addresses, ages, etc. etc.

        http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm [bbc.co.uk]

        * The government deny it, but the missing CDs have not turned up, so you must assume the worst.
    • by Cyberax ( 705495 )
      The best way to authenticate a person is to use physical documents (ID card/passport with photo). Usually, passports have pretty good forgery protections. If you can't be present in person - use notarized documents sent by snail-mail. That should cover 'important' things like getting a mortgage or buying a car.

      For less important things (like buying stuff on the Intertubes) the current system works pretty well. The occasional card thefts can be mostly eliminated by things like RSA tokens.

      The current practice
    • by Bearhouse ( 1034238 ) on Friday December 07, 2007 @06:59PM (#21619017)
      You raise the right question, but having "a way of positively identifying any person" is a bit of a shortcut.

      Identification = Associating an identity with an individual, process, or request
      Authentication = Verifying a claimed identity

      Ok, so you are John Smith. But are you THE John Smith who is entitled to withdraw all the money on this account?

      Problem is, most systems do only one step, or rather, 'both in one'.
      "We have your password/SSID/whatever, on file, therefore we identify AND authenticate you...

      It's a bit like 'self-certifying' web sites, as discussed here recently. Complete bollocks, worth nothing.

      Also, "The trouble with that, is that it would require a single entity (presumably government) to store (and thus have access to) this information." Hmmm...the same Govt. who recently lost (in UK) 25 million personal records?

      Quis custodiet ipsos custodes?

      The first one who cracks THAT problem will make gazillions...
    • by Kennon ( 683628 )
      I don't see how identity theft is any different than any other kind of theft. My car is out in the parking lot right now, and if someone steals it I call the police, they investigate, and sometimes eventually catch whoever did it. Or I claim it on insurance and get a new one. A while back someone used my Visa card number to order something from a pharmacy in Brazil. My bank called me and told me they suspected fraud, I confirmed it, and they issued me a card with a new number on it. Big deal...Giving the government
    • by JadeNB ( 784349 )
      Of course, identity theft is rampant, but, at least according to the story, this is just a case of selling the names for marketing purposes, not identity theft. Better identification wouldn't help much in this situation.
    • Pretty soon we may revert to a cash based system. Think of all the ways your life would change. I, for one, do not have a love affair with my credit card. It is very difficult to overspend when you are limited to cash on hand.

      Just my 2 cents.

      It's not spelled 'ludite'.

    • by DavidTC ( 10147 )

      Of course, this all assumes that the current financial system stays as is... when it is as much to blame for the rash of identity theft, as the thieves themselves... because it both makes it easy to establish credit, and difficult to recover one's credit and finances, once they've been compromised.

      This will continue as long as we keep calling it 'identity theft'.

      Random people getting hold of my personal information is annoying. It sucks, and I'd rather it didn't happen. It is not, however, any form of t

  • Fidelity (Score:3, Funny)

    by Anonymous Coward on Friday December 07, 2007 @05:27PM (#21617823)
    Indeed
  • He worked at a subsidiary of Fidelity and used his access to its database to steal customer names...
    I nearly moved all of my 403b funds recently to Fidelity from another company. I'm sure if I had, all of my information would have been at the top of his list.
    • by peter303 ( 12292 ) on Friday December 07, 2007 @05:32PM (#21617889)
      Fidelity is a very common name in financial services.
      • Re: (Score:3, Funny)

        by Aqua_boy17 ( 962670 )

        Fidelity is a very common name in financial services.
        I suppose that makes sense. I'd have little motivation to invest my money with a company named "Infidelity" unless they made pr0n videos, that is.
      • Fidelity is a very common name in financial services.
        That's because they are one of the largest financial services companies in the US. Anyone you deal with that has "Fidelity" as part of their company's name is probably a subsidiary.
        • Re: (Score:2, Informative)

          by audentis ( 1147835 )
          That's because they are one of the largest financial services companies in the US. Anyone you deal with that has "Fidelity" as part of their company's name is probably a subsidiary.

          While you are correct in many respects--that Fidelity Investments (FMR Corp.) has a lot of subsidiaries--this company, Fidelity National Information Systems, is NOT one of them. They are not connected in any way.

          FMR Corp. is privately owned, whereas FNIS (NYSE:FIS) is publicly traded and a member of the S&P 500.

          I u
  • by SystemFault ( 876435 ) on Friday December 07, 2007 @05:29PM (#21617845)
    Receiving stolen property is a charge I'd like seeing brought against the direct marketers who bought or rented the list. This would be a good deterrent against shady data acquisition practices.
    • by Dr. Evil ( 3501 )

      Yeah, sending this guy to jail does nothing to curb the damage from those 8.4M consumer records. It doesn't even stop them from being used for direct marketing.

      Demand the records be destroyed, open a case for possession of stolen property, and fire up a class action on the part of 8.4 million plaintiffs.

      • Yeah, sending this guy to jail does nothing to curb the damage from those 8.4M consumer records.


        Barring solid proof that this loser is going to cure cancer or stop the aging process, I see no reason for this guy to be allowed a continued existence within civilized society.
        • by maxume ( 22995 )
          Jailing him will cost money, and Australia went and passed immigration laws, so we can't just send him there.
  • As a Fidelity customer, I'd like to have some say in exactly which prison this guy goes to; one of those cushy Country Club sort of places isn't what I have in mind...
  • Irony? (Score:5, Funny)

    by coug_ ( 63333 ) on Friday December 07, 2007 @05:37PM (#21617979) Homepage
    Fidelity - n. 1. Faithfulness to obligations, duties, or observances.
  • ok i'm confused. criminality has always favored the not so bright, since if you were smart enough, you'd figure out a better way to get some loot- more of it in a safer way, which usually means you'd find a legal way

    and this guy was a DBA? all jokes aside, we are talking about a baseline level of intelligence here

    does not compute
    • ok i'm confused. criminality has always favored the not so bright, since if you were smart enough, you'd figure out a better way to get some loot- more of it in a safer way, which usually means you'd find a legal way

      You're confused because your premise is faulty.
      It's estimated that global organized crime reaps illegal profits of around $1 trillion per year [fbi.gov].
      That's one trillion dollars that you just can't make legally. Criminality does not favor the not so bright; the media favor the not so bright criminals, and you somehow confused their overexposure as a true representation of reality. And there's a saying that crime does not pay, which is propaganda: crime does pay, it pays a trillion dollars a year.

      • it is true that the only criminals we hear about are the dumb ones, leading to the supposition that you never hear about the smart ones, not because they don't exist, but because they are smart

        but, having heard from you, i guess we can safely conclude which camp you lie in? ;-)
    • Correction: Criminality favors everyone equally, it's the not-so-bright ones that get caught. Or the not-so-careful.

      The smartest criminals make their activities legal: see RIAA, MPAA.

    • criminality has always favored the not so bright

      Don't be so sure.

    • I think that any programmer or administrator who has access to {some level} of personal information about other people should be required to be licensed and accredited. In other words, I'd like to see an official standards and accreditation board for the various flavors of software engineers, the way that lawyers, doctors, architects, contractors, etc. have to have. If you sufficiently abuse your position or malign your clients, not only do you face legal penalties, but you also lose your ability to have a
      • I think the simplest rule to cover people for whom ethics are unimportant is to ensure that if a person abuses the information in one database, or even one kind of database, they are barred from ever accessing it again. That can be a career killer. The personal data I deal with isn't a big deal, just contact info, salary details, stuff like that for tens of thousands of people, but even that stuff I guard like a mint. It's personal data after all, and I feel my strength of character is at least as important a
  • Interesting... so he got off lighter than he would have had he been caught torrenting a few blockbuster movies or a few CDs of music?

    What does it say when a country values the property of its corporations more than the rights of its citizens? If they were to apply the same punishment standards to this case as they do to copyright, the guy would be in jail for life with at least a $5million fine.

    Maybe what people have to start doing is claim copyright on all their personal information and file class action suits when it is illegally copied by some entity.
    • 8.5 million infringements? the RIAA would be pursuing a HELL of a lot more than a mere $5 million.

      Standard RIAA charge is $750.00 per infringement, so $6,375,000,000 if this was about MP3's and not sensitive personal information.

      It stinks, just one of these records in the wrong hands could in theory ruin someone's life (cleaned out bank account, credit blacklist, who knows if they fall for a phishing attack), an infringed MP3 actually only costs the rights holder less than 99c.
    • Re: (Score:3, Interesting)

      by gillbates ( 106458 )

      Maybe what people have to start doing is claim copyright on all their personal information and file class action suits when it is illegally copied by some entity.

      You mean like the MLB and NFL have been trying to do for years - copyright facts? Fortunately, facts aren't copyrightable, and there's a long history of case law to this effect.

      You know, it's interesting that privacy advocates are trying, essentially, for what amounts to security through obscurity. That is, they think that someone's priva

  • by Shabbs ( 11692 ) on Friday December 07, 2007 @05:41PM (#21618029)
    Short of probing everyone's orifices as they leave the office, a company's biggest threat has always been inside corruption. The access given to employees is much more damaging than anything an outsider can do, and they can do it so much faster and without being detected. Unless you're auditing every single keystroke and action taken by every single employee and questioning the movement of every piece of data using some intelligent algorithms to pick up nefarious activity, it will be nearly impossible to stop this. You'd have to eliminate any type of "connection" between the employee and the data. It can be done, but it would be hella expensive.

    • You could use something like Oracle Audit Vault [oracle.com]. Yes, it's not open source and has an additional license cost over and above that for the database itself.

      You'll also need someone who's not the DBA on the monitored system to run and monitor it.
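The two comments above describe audit-based detection of insider bulk access and the rule that the monitored DBA must not be the one reading the alerts. The following is an added example, not code from the thread or from any audit product; the audit-line format, account names, table names and thresholds are all constructed.

```python
"""Bulk-read detector over database audit records (added example; the log
format, account names, tables and thresholds are all constructed).

Two rules, applied to SELECTs against tables that hold consumer data:
  - an absolute cap that no legitimate single job should reach, and
  - a per-account baseline: flag a read far above the median of that
    account's earlier reads, so a DBA who normally touches hundreds of
    rows stands out when one query returns millions.
Flagged reads are kept out of the baseline so a thief cannot raise it."""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List

SENSITIVE_TABLES = {"consumer.accounts", "consumer.contacts"}
ABSOLUTE_ROW_CAP = 1_000_000
BASELINE_MULTIPLIER = 20
MIN_HISTORY = 3          # prior reads needed before the baseline rule applies

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) rows=(?P<rows>\d+)$")

# Constructed audit trail: routine DBA work, one oversized pull, then a
# full-table dump, plus a reporting service account with no history.
AUDIT_LOG = """\
2007-11-05T09:12:00Z user=dba_alice action=SELECT object=CONSUMER.ACCOUNTS rows=1200
2007-11-06T10:03:00Z user=dba_alice action=SELECT object=CONSUMER.ACCOUNTS rows=800
2007-11-07T11:40:00Z user=dba_alice action=SELECT object=CONSUMER.CONTACTS rows=950
2007-11-08T09:55:00Z user=dba_alice action=UPDATE object=CONSUMER.ACCOUNTS rows=40
2007-11-09T08:20:00Z user=dba_alice action=SELECT object=CONSUMER.ACCOUNTS rows=1100
2007-11-10T23:41:00Z user=dba_alice action=SELECT object=CONSUMER.CONTACTS rows=60000
2007-11-12T02:14:07Z user=dba_alice action=SELECT object=CONSUMER.ACCOUNTS rows=8400000
2007-11-12T09:00:00Z user=reportsvc action=SELECT object=CONSUMER.ACCOUNTS rows=250000
"""


def find_bulk_reads(log_text: str) -> List[dict]:
    """Return one alert dict per suspicious read, in log order."""
    history: Dict[str, List[int]] = defaultdict(list)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "SELECT":
            continue
        if m["obj"].lower() not in SENSITIVE_TABLES:
            continue
        user, rows = m["user"], int(m["rows"])
        prior = history[user]
        reason = None
        if rows > ABSOLUTE_ROW_CAP:
            reason = "absolute cap"
        elif len(prior) >= MIN_HISTORY and rows > BASELINE_MULTIPLIER * median(prior):
            reason = "baseline"
        if reason:
            alerts.append({"ts": m["ts"], "user": user, "object": m["obj"],
                           "rows": rows, "reason": reason})
        else:
            prior.append(rows)      # only unflagged reads feed the baseline
    return alerts


def alert_recipients(audited_user: str, reviewers: List[str]) -> List[str]:
    """Separation of duties: the audited account never reviews its own alerts."""
    recipients = [r for r in reviewers if r != audited_user]
    if not recipients:
        raise ValueError("no independent reviewer for " + audited_user)
    return recipients


if __name__ == "__main__":
    for a in find_bulk_reads(AUDIT_LOG):
        print(a, "->", alert_recipients(a["user"], ["dba_alice", "secops"]))
```

The service account's 250,000-row read is not flagged: it has no history yet and sits under the cap, which is why the absolute cap needs to be set from the largest legitimate job and not left at a round guess.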
    • by hey! ( 33014 )
      Simple. You create a standardized damage amount, say $1000, associated with having your data stolen. This gives you standing to sue people responsible for this, including the company who hired this bozo.

      If the company exercised reasonable standards of care, they're off the hook. If they can be shown to have neglected procedures a reasonable person would have taken, then they can be made to pay for the entire damages if your identity has been stolen, including the value of your lost credit and also the
    • Lop off the guy's head, put it on a stake, and post a vid of all this on YouTube (or liveleak)? I reckon that would make anyone else think twice before doing this!
  • is very ambiguous...case in point:

    thereasontobeadba
    = there as onto be a dba
    = the reason to bead ba
    = the reason to be a dba
    = there a son to bead ba

    ...you get the idea. and spare the offtopic mods, you were warned in the title.
  • by peter303 ( 12292 ) on Friday December 07, 2007 @05:45PM (#21618059)
    UK beat USA in this race by having the identifications of 25 million of its residents stolen last month. It's only a matter of time for a US agency. I suspect the US is semi-protected by backward computer systems. Like who can read a nine-track tape anymore?
    • They weren't 'stolen', HM Revenue and Customs lost them in the mail, which is way worse. They sent two discs containing the names, addresses, dates of birth and bank account details of 25m people in the mail, and they never showed up. Ok so they were most likely stolen, but it wasn't like a grand robbery, they went missing in the mail. There is a 200m pound reward for the return of the discs.

      Here is a bbc timeline of events: http://news.bbc.co.uk/2/hi/uk_news/politics/7104368.stm [bbc.co.uk]
  • by erroneus ( 253617 ) on Friday December 07, 2007 @05:55PM (#21618225) Homepage
    The game started when banks wanted to expand their range. The previous system was whether or not they know you and if they think you're a generally good person. It was a good system, but it required a lot of "humanity" to function. So to make things easier and more efficient, they decided to abuse the social security numbers being issued to individuals... a practice, I will remind anyone reading this, that is actually ILLEGAL... or unlawful... whatever... there are explicitly defined rules against the use of SSNs for any purpose OTHER THAN social security use... but lo and behold, it's now the "consumer ID tracking number." (And interestingly enough, if you give an incorrect number, you could ultimately be charged with attempted fraud. They go unpunished for breaking the rule abusing the SSN, and when you 'fight back' you can be fined, imprisoned or both!)

    Now we have a "credit rating" system. It's flawed, abused and annoying, but for the banks and lenders, it's awesome. It makes their lives so much easier because now they don't have to "know you" at all! And for all this we receive WHAT in the way of benefit? Not a lot... perhaps the ability to move and take your good credit reputation with you, but that's about it. And here's the real cool part! The DANGER to you and your identity seems to become YOUR liability entirely. If you ever want to play the credit game, you have to convince them that someone else messed up your records. And all this from the institutionalized illegal behavior of abusing the social security number. The benefit is theirs, the burden is yours!

    The benefits are theirs... the burden is yours. Think about what that means and how it came to be.

    This is, in fact, rather like the US government and its national debt! You know, where the executive, legislative and judiciary get free medical and all other manner of benefits including a ridiculous retirement plan that gives full pay until you die in addition to the ever-present revolving door policies... they never need to worry about the trivial problems like we do... you know, the life-or-death matters... the stuff about food and shelter... being homeless... none of it. They get to legislate, sign statements, send teenagers off to die in battles and wars, kill people by the thousands, cause ill-will across the planet against ALL Americans (not just US leaders)... and who gets the bill for all of this while they ride pretty free to do anything they want without consequence? That's right! We the People.

    And this is not a problem of "electing the wrong people." There are no "right people" for these jobs! If you had the same employment plan where you could do just about anything you like and suffer none of the consequences, it becomes pretty easy to accept... I know I'd probably fall into that trap of behavior too... it's human. (It has long been understood that corruption is a problem of opportunity and not so much a problem of bad character.)

    (I know... I'm sounding rather communist/socialist. I don't actually go for that either. What I do advocate is a kind of fairness where the 'elected' have to suffer in the same crap that they create. They make the stew and we have to eat it. If THEY had to eat it with us, you can bet that it would be a lot more palatable.)
  • Why is it so easy for companies to get away with receiving and using stolen data? The gummint vigorously prosecutes people receiving stolen property, including stolen intellectual property. Why can you get fined $200,000 for copying an MP3, but you can get away with buying 2.8 million stolen customer data records?
    • by Dan667 ( 564390 )
      How can you be sure there are not 1 or more mp3's in those records. I mean, it is 2.8 million records. There may be at least one mp3. If they find some, I bet the sentence goes from 10 years and $500,000 to 1000 years and $500 million with the credit card data case dismissed. /sarcasm
  • Companies sell their info to direct marketers all the time. The only thing missing in this guy's case was the flyspeck-script in the contract saying they're going to do that.

    In other words, he ripped himself off.
  • Did a canary sing? (Score:4, Interesting)

    by SystemFault ( 876435 ) on Friday December 07, 2007 @06:03PM (#21618335)
    A mailing list canary is a deliberately inserted entry with (usually) a false name but with real contact information. The contact data leads back to the security arm of the firm that compiled the list. The idea is that the canary sings every time the list is used, and this is but one mechanism to detect unauthorized access.

    Maybe the DBA knew about the canary. With proper security, he shouldn't have. Or maybe the canary sang and that's how the guy got caught.
    • Re: (Score:3, Interesting)

      I work in the marketing department of an organization [yeah, I know--but it's a decent-sized nonprofit that all of you have heard of, and many of you like : )] and we have a guy who tracks all the places our mailing list and many others end up. He has a mailbox set aside for all the stuff that comes in. The fictitious name that he monitors has a fairly long European-sounding last name, where he cycles through a series of letters in it to track each list. I went through the box one time and there were easily
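A working sketch of the seeded-entry scheme the post and reply above describe (a fictitious name whose spelling is varied per copy of the list, with contact details that route back to the security team), added here as an example and not code from the thread; the surname, first name, mailbox and recipient names are all constructed.

```python
"""Mailing-list canary entries (added example; all names and addresses are
constructed). Every copy of the list handed to a recipient gets a fictitious
person whose surname spelling is unique to that copy, with contact details
that route to the security team. Mail arriving for that spelling tells you
whose copy of the list was used."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

BASE_SURNAME = "Vandenbroucke"      # constructed long, plausible surname
CYCLE_POSITIONS = (4, 9)            # letters varied to encode the copy number
FIRST_NAME = "Marta"
CANARY_MAILBOX = "listwatch@example.com"   # mailbox the security team reads

# display-name <address> form of an inbound To: header, quotes optional
TO_RE = re.compile(r'^\s*"?([^"<]+?)"?\s*<([^>]+)>')


@dataclass(frozen=True)
class Canary:
    recipient: str   # party that received this copy of the list
    name: str        # fictitious name unique to that copy
    email: str       # real contact data, owned by us


class CanaryRegistry:
    def __init__(self) -> None:
        self._by_surname: Dict[str, Canary] = {}
        self._next_seq = 0

    def seed(self, recipient: str) -> Canary:
        """Mint the canary row to insert into the copy going to `recipient`."""
        seq = self._next_seq
        if seq >= 26 ** len(CYCLE_POSITIONS):
            raise ValueError("no unused canary spellings left")
        self._next_seq += 1
        letters = list(BASE_SURNAME)
        for pos in CYCLE_POSITIONS:          # encode seq in base 26
            letters[pos] = chr(ord("a") + seq % 26)
            seq //= 26
        surname = "".join(letters)
        canary = Canary(recipient, f"{FIRST_NAME} {surname}", CANARY_MAILBOX)
        self._by_surname[surname.lower()] = canary
        return canary

    def identify(self, to_header: str) -> Optional[str]:
        """Given an inbound To: header, name the recipient whose copy leaked,
        or None if the mail is not addressed to one of our canaries."""
        m = TO_RE.match(to_header)
        if not m or m.group(2).strip().lower() != CANARY_MAILBOX:
            return None
        surname = m.group(1).split()[-1].lower()
        hit = self._by_surname.get(surname)
        return hit.recipient if hit else None


if __name__ == "__main__":
    reg = CanaryRegistry()
    for party in ("Acme Direct Mail", "BrokerCo"):
        print(party, "->", reg.seed(party).name)
    print(reg.identify('"marta VANDBNBROACKE" <listwatch@example.com>'))
```

Lookups are case-insensitive because list buyers routinely re-case and re-format names; the unmodified base spelling is deliberately never issued, so mail for it is not attributed to anyone.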
  • Why aren't the direct marketing companies getting sued?

    I don't believe for a sec any of his customers thought the lists were acquired legitimately.
  • "Fidelity National Information Services" spokesman commented that the organization is appalled at the scandalous nature of the reporting of this event. "After all, this is a very difficult time for our country and only criminals have something to hide."
  • One example: The recent Duke University situation: http://www.upi.com/NewsTrack/Top_News/2007/12/05/hacker_may_have_stolen_duke_students_data/2789/ [upi.com]

    Another example: I keenly remember learning from a high-level old-guard "Network Administrator" (over a few pitchers of free beer) about how a DB containing 30 years' worth of 'Student Information' was dumped onto a HDD (and 'given' to a third party) after being "merged" into the "_______ Alumni Association" database. This admin, whom I trust, was a 20-year
    • by Shag ( 3737 )

      the School's Board of Reagents
      I endorse this product or service. What shall we mix them with as punishment?
  • If copyright infringement of a song can bring statutory damages of $9000 per copy, should we not see at least an equivalent level of punishment for unauthorized duplication of consumer records? Maybe the American people can form a lobby group to ramrod this idea through Congress.
  • If it isn't nailed down, it will be stolen. Sooner or later someone will come along with the idea that if adequate measures aren't taken to prevent them from stealing it, then it must be OK - or they would have been prevented.

    You would think in this case it would be pretty easy to prosecute the thief. Unfortunately, it is very unclear the value of an individual record, much less the value of a large collection. I seriously doubt this guy is going to get prosecuted for some kind of "privacy violation". M
  • So, the value of my personal data, such as name, address, and potentially my SS, credit card, and private buying information... the value of that in a criminal court is under 6 cents [google.com]. That's just great, I feel very secure against data theft since those penalties are less than the going rate for the information. And yet, somehow, my lending a copy of a song to someone is valued at nearly $10,000 per song to judge by recent court precedent [lawyers.com].

  • I was around when Certegy was formed as a company. When they started they used a home grown software system written by one guy. Certegy bought their database (bad check debt recovery) from RMA who used to be part of Equifax. This was back in late 2001. I was subcontracted and flew to Florida and converted the RMA (PICK Universe) data base to Certegy's system.

    "Bill", the guy in this story, is actually a very likable person. He's inviting and happy (maybe not now), laughs a lot. He's the kind of easy
  • does that count as double jeopardy? i'm not a lawyer, i am a Fidelity customer, i don't appreciate my shit being sold to spammers or whoever else.

    waspleg
