Inside Job Blamed For Leak Of 2.3 Million People's Personal Info

from the it-wasn't-our-fault dept

The latest massive data leak comes from Certegy Check Services, a Florida company that provides check-processing services. Personal information, including credit card and bank data, on 2.3 million people was stolen, with the company blaming a "rogue employee." They say a former database administrator stole the data and sold it to a data broker, which then sold it to direct-marketing agencies, which used the info to solicit the people by phone and mail. They hasten to add that they don't believe any of the info has been used for identity theft, and they've asked a court to order the companies to turn the data back over to them and stop using it. Of course, there's no guarantee of any of that. For a long time, this sort of inside job has been a huge security problem for many companies, and little has been done about it. Just as we've wondered why some people think it's a good idea to carry 25 million people's personal info around on a laptop, it's also not clear why so many companies retain personal info, or allow so many employees unfettered access to it. But as long as the corrective measures for data leaks remain weak, reactive fines, don't expect anything to change.

Reader Comments


  • _Jon, 5 Jul 2007 @ 10:25am

    "unfettered"?

    Poor choice of terms, IMO.
    I doubt that a "database administrator" has "unfettered" access to a database. I'm sure s/he has an account with password protection via a PC with a USB drive, just like 99% of the rest of the commercial world.

    In fact, due to Sarbanes / Oxley, companies have to prove (attest w/ external auditor) that only the required people have access to data like that. So if it is a publicly traded company with a market cap in excess of $1MM, it is hardly "unfettered".

    The other points are good, however.


    • YourFrindlyNeighborhoodDBA, 5 Jul 2007 @ 11:14am

      Re: "unfettered"?

      Really? You doubt that a database administrator has unfettered access? I'm a database administrator, give me your name and if you refinanced in the last eight years, perhaps I'll be able to find your social security number for you.


    • What, 5 Jul 2007 @ 11:24am

      Re: "unfettered"?

      You don't know what you're talking about. Shut up.


  • Bah who needs one, 5 Jul 2007 @ 10:38am

    "It's also not clear why so many companies retain personal info, nor allow so many employees unfettered access to it."

    Er, it's rather hard to imagine the database administrator not having access to the contents of the database, and still being able to do his job. :)


  • _Jon, 5 Jul 2007 @ 11:35am

    Re: "unfettered"?

    Well, despite your insults (that makes for good debate), I think we are on the same page. I used to be a DBA and I had access to a lot of information. Running a query isn't that hard. Saving the output to a removable drive isn't hard.

    That was my point.

    But, hey, you guys just keep on making this an unfriendly place to comment on and guess what - people will stop commenting. Good job. Assholes.


    • Waaa, 5 Jul 2007 @ 12:12pm

      Re: Re: "unfettered"?

      Well, when you leave comments like that, we'd rather you kept them to yourself, because what you said in your first post and what you are saying now don't jibe. So I stand by my original statement: You don't know what you are talking about. Shut up.


  • Jason, 5 Jul 2007 @ 12:32pm

    DBA

    I understand the point of not letting every employee have unrestricted access, but the point is quite diluted when you mention it immediately after stating that the employee specifically mentioned is a database administrator... which is one of VERY few employees who actually is basically required to have unfettered access.


  • SPR, 5 Jul 2007 @ 12:36pm

    The whole point is that too many people have too much access to too much information. However "fettered" this access may have or may not have been, it's a problem for everyone whose data was "misappropriated". We need a system that makes having this info worthless and meaningless.


  • DS, 5 Jul 2007 @ 1:00pm

    Separation of roles

    DBAs have access to data... encrypted data. Unix admins have access to encryption keys, but not databases. Developers have access to code, but no encryption key or db. Takes 2 bad people minimum to get anything useful out of the database. Yeah, it's a pain to work around, but that's the price of security.

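The split DS describes above (the DBA can only ever query ciphertext, a separate role holds the key, and it takes both to get anything useful out of the table) as an added Go example; it is not code from the article or from any commenter. KeyCustodian, Seal, Open and LeaksPlaintext are hypothetical names, the map stands in for the database table, and the example goes one step past the comment by binding each ciphertext to its row id so a value copied into another customer's row will not decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"strings"
)

type KeyCustodian struct{ aead cipher.AEAD } // holds the key (the "Unix admin" role above); has no database account

func NewKeyCustodian() *KeyCustodian {
	key := make([]byte, 32) // AES-256; the key never leaves the custodian
	if _, err := rand.Read(key); err != nil {
		panic(err) // no entropy: stop rather than run with a weak key
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &KeyCustodian{aead: aead}
}

// Seal stores hex(nonce||ciphertext||tag); the row id is bound as associated data, so a value copied to another row will not decrypt.
func (kc *KeyCustodian) Seal(customerID, plaintext string) string {
	nonce := make([]byte, kc.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failed read must never fall back to a zero nonce
	}
	return hex.EncodeToString(kc.aead.Seal(nonce, nonce, []byte(plaintext), []byte(customerID)))
}

// Open reverses Seal; a wrong key, a wrong row id or altered bytes all fail without panicking.
func (kc *KeyCustodian) Open(customerID, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	if n := kc.aead.NonceSize(); err == nil && len(raw) >= n {
		pt, err := kc.aead.Open(nil, raw[:n], raw[n:], []byte(customerID))
		return string(pt), err
	}
	return "", errors.New("malformed ciphertext")
}

// LeaksPlaintext is the check to run over a full table export (what a DBA query or a stolen backup yields).
func LeaksPlaintext(table map[string]string, secret string) bool {
	for _, v := range table {
		if raw, _ := hex.DecodeString(v); strings.Contains(string(raw), secret) {
			return true
		}
	}
	return false
}
```

The DBA-side export check is deliberately key-free: if it ever reports true, a field is being written to the table in the clear and the separation of roles has already failed.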

  • TP, 5 Jul 2007 @ 1:13pm

    Way to go

    You guys are not even talking about the issue. Stop fighting on the net. Keyboard tuff guys, grow up!


  • Bryan, 5 Jul 2007 @ 1:32pm

    This is the symptom of the problem

    I would venture to guess that the 'rogue' employee was also a disgruntled one. Upper management shat upon his head every day, treating the person like crap - then they wonder why this kind of thing happens. Happy, sane employees do not venture out to cause damage to a company for a few bucks (or a few thousand), especially if they feel they are being treated well.

    Companies need to stop obsessing about the almighty $$ and start concerning themselves with their employees (the life blood of their operation) and their customers (where the money comes from in the first place); the $$ will follow. With the continuing downfall of corporate workplaces, I feel we will see more and more of this in the future.


    • iPir4te, 5 Jul 2007 @ 4:23pm

      Re: This is the symptom of the problem

      I think you hit the nail on the head with this comment. Overworked, underpaid, "we wanted that info yesterday," etc. I don't know much about DB admin, but being an ex-coder, I can appreciate the fact.
      Undoubtedly, there had to have been at least 2 people in on this job - obviously the IT or Security types weren't in on it...


  • Sean, 6 Jul 2007 @ 3:32am

    Re. Unfettered v. IT Security

    Administrators should always be the most CLOSELY watched and the most RESTRICTED users. This kind of theft is only possible where the admins are too lazy or the company is too cheap to implement and monitor proper controls.
    Until there are good legislative kick-ass penalties, companies won't give a f$ck about our personal data. If they got hit with a fine of 10 bucks per person for the leak...


  • Bah who needs one, 6 Jul 2007 @ 12:45pm

    If I were a disgruntled DB admin, nothing so silly as this would happen.

    Instead, I'd pop in late one night looking like the dedicated if underappreciated loyal employee, do some fiddling with computers, and leave, as often is the case. Only the next morning the guys in the three-piece suits with the seven-figure annual salaries are greeted with garbage data and an email saying "I have the decryption key. Give me three billion dollars in small, nonsequential, unmarked bills and get me to Rio on the company jet and you can have it. Send the cops or anything like that, and I rip up the paper I wrote it on and set it on fire. Oh and I won't be able to remember it afterward, it's a 256 bit key. Have a nice day."

