IT Pro Admits Stealing 8.4M Consumer Records
Billosaur writes "The Channel Register is reporting that a database administrator at Fidelity National Information Services, a consumer reporting agency in Florida, has admitted to stealing more than 8.4 million account records and selling them to a data broker. The DBA, William Gary Sullivan, faces up to 10 years in prison and fines of $500,000. He worked at a subsidiary of Fidelity and used his access to its database to steal customer names, addresses and financial account information, then used a business he incorporated to sell the list to an accomplice, who eventually sold it to direct marketing firms."
Let's just assume... (Score:4, Informative)
Of course, this all assumes that the current financial system stays as is... when it is as much to blame for the rash of identity theft, as the thieves themselves... because it both makes it easy to establish credit, and difficult to recover one's credit and finances, once they've been compromised.
In essence, the system is structured to benefit the lenders with little regard for the clients. (yeah, i know - big surprise).
Instead, authenticate the transaction. (Score:4, Insightful)
And because it is fraud, ANY system of identifying the person will be subject to abuse.
So don't worry about identifying the person. That's too difficult to secure. Instead, focus on validating/authenticating the transaction. That way the resources can more easily be focused.
Re: (Score:3, Interesting)
The idea is that the scammer calls the target and claims to be working for the bank's security department and that you will refund the money but you need to confirm the bank details and that a recording is needed for security reasons.
Cue recording of the target with the customer repeating the info the scammer just gave the target in the first place and agreeing to a draf
Re:Instead, authenticate the transaction. (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
Meanwhile, the person needs car insurance (in my s
Re: (Score:1)
http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm [bbc.co.uk]
* The government deny it, but the missing CDs have not turned up, so you must assume the worst.
Re: (Score:2)
For less important things (like buying stuff on the Intertubes) the current system works pretty well. The occasional card thefts can be mostly eliminated by things like RSA tokens.
The current practice
Yes, but Identification != Authentication (Score:4, Insightful)
Identification = Associating an identity with an individual, process, or request
Authentication = Verifying a claimed identity
Ok, so you are John Smith. But are you THE John Smith who is entitled to withdraw all the money on this account?
Problem is, most systems do only one step, or rather, 'both in one'.
"We have your password/SSID/whatever, on file, therefore we identify AND authenticate you..."
It's a bit like 'self-certifying' web sites, as discussed here recently. Complete bollocks, worth nothing.
Also, "The trouble with that, is that it would require a single entity (presumably government) to store (and thus have access to) this information." Hmmm...the same Govt. who recently lost (in UK) 25 million personal records?
Quis custodiet ipsos custodes?
The first one who cracks THAT problem will make gazillions...
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Just my 2 cents.
It's not spelled 'ludite'.
Re: (Score:1)
Of course, this all assumes that the current financial system stays as is... when it is as much to blame for the rash of identity theft, as the thieves themselves... because it both makes it easy to establish credit, and difficult to recover one's credit and finances, once they've been compromised.
This will continue as long as we keep calling it 'identity theft'.
Random people getting hold of my personal information is annoying. It sucks, and I'd rather it didn't happen. It is not, however, any form of t
Fidelity (Score:3, Funny)
Re: (Score:1)
He's just lucky he didn't pirate a couple dozen mp3s.
Then he'd be in REAL trouble!
Thank God (Score:2)
totally different organizations (Score:4, Informative)
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:2, Informative)
While you are correct in many respects--that Fidelity Investments (FMR Corp.) has a lot of subsidiaries--this company, Fidelity National Information Systems, is NOT one of them. They are not connected in any way.
FMR Corp. is privately owned, whereas FNIS (NYSE:FIS) is publicly traded and a member of the S&P 500.
I u
Receiving stolen property (Score:4, Insightful)
Re: (Score:2)
Yeah, sending this guy to jail does nothing to curb the damage from those 8.4M consumer records. It doesn't even stop them from being used for direct marketing.
Demand the records be destroyed, open a case for possession of stolen property, and fire up a class action on the part of 8.4 million plaintiffs.
Re: (Score:2)
Barring solid proof that this loser is going to cure cancer or stop the aging process, I see no reason for this guy to be allowed a continued existence within civilized society.
Re: (Score:1)
Let ME pick the prison... (Score:1)
totally different organizations (Score:1, Redundant)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Irony? (Score:5, Funny)
"used a business he incorporated to sell the list" (Score:3, Insightful)
and this guy was a DBA? all jokes aside, we are talking about a baseline level of intelligence here
does not compute
Re:"used a business he incorporated to sell the li (Score:2, Informative)
ok i'm confused. criminality has always favored the not so bright, since if you were smart enough, you'd figure out a better way to get some loot- more of it in a safer way, which usually means you'd find a legal way
You're confused because your premise is faulty.
It's estimated that global organized crime reaps illegal profits of around $1 trillion per year [fbi.gov].
That's one trillion dollars that you just can't make legally. Criminality does not favor the not so bright, the media favor the not so bright criminals, and you somehow confused their overexposition as a true representation of reality. And there's a saying that crime does not pay, which is propaganda: crime does pay, it pays a trillion dollars a year.
true (Score:2)
but, having heard from you, i guess we can safely conclude which camp you lie in?
Re:"used a business he incorporated to sell the li (Score:2)
Correction: Criminality favors everyone equally, it's the not-so-bright ones that get caught. Or the not-so-careful.
The smartest criminals make their activities legal: see RIAA, MPAA.
Re:"used a business he incorporated to sell the li (Score:1)
criminality has always favored the not so bright
Don't be so sure.
Re:"used a business he incorporated to sell the li (Score:2)
Re: (Score:1)
Privacy vs Copyright (Score:5, Insightful)
What does it say when a country values the property of its corporations more than the rights of its citizens? If they were to apply the same punishment standards to this case as they do to copyright, the guy would be in jail for life with at least a $5million fine.
Maybe what people have to start doing is claim copyright on all their personal information and file class action suits when it is illegally copied by some entity.
Re: (Score:2)
Standard RIAA charge is $750.00 per infringement, so $6,375,000,000 if this was about MP3s and not sensitive personal information.
It stinks, just one of these records in the wrong hands could in theory ruin someone's life (cleaned out bank account, credit blacklist, who knows if they fall for a phishing attack), an infringed MP3 actually only costs the rights holder less than 99c.
Re: (Score:3, Interesting)
Maybe what people have to start doing is claim copyright on all their personal information and file class action suits when it is illegally copied by some entity.
You mean like the MLB and NFL have been trying to do for years - copyright facts? Fortunately, facts aren't copyrightable, and there's a long history of case law to this effect.
You know, it's interesting that privacy advocates are trying, essentially, for what amounts to security through obscurity. That is, they think that someone's priva
How can you stop this? (Score:3, Insightful)
Re: (Score:2)
You'll also need someone who's not the DBA on the monitored system to run and monitor it.
Re: (Score:2)
Re: (Score:2)
If the company exercised reasonable standards of care, they're off the hook. If they can be shown to have neglected procedures a reasonable person would have taken, then they can be made to pay for the entire damages if your identity has been stolen, including the value of your lost credit and also the
I know (Score:2)
(OT) tagging beta... (Score:2, Insightful)
thereasontobeadba
= there as onto be a dba
= the reason to bead ba
= the reason to be a dba
= there a son to bead ba
Re: (Score:1)
wonder when IRS or SSA will "lose" records (Score:3, Funny)
Re: (Score:1)
Here is a bbc timeline of events: http://news.bbc.co.uk/2/hi/uk_news/politics/7104368.stm [bbc.co.uk]
Re: (Score:3, Insightful)
In the case of mp3s, 'the man' (a faceless corporation) takes a profit hit. The artist, too, of course.
In the case of identity theft, some *insert stereotype one-parent family minority victim here* potentially has their life ruined.
Hmmmm...personally, I think that identity theft should perhaps be punished more severely. The legal experts would p
Re: (Score:2)
Re:Big Dumb Idiot Admitted It (Score:4, Informative)
I dunno 'bout that. By admitting it, he kept his damage down to $500k. If it'd gone to trial, and he lost, I'd bet the penalties and forfeiture might have been higher.
"Why would this matter?", I can hear y'all asking. Because that's the margin between profit and loss. According to TFA, he netted $580,000 from his evildoing. After his fines and penalties, he profited $80k.
So, in this case, "4) ???" is actually "4) plead guilty". "5)" remains "PROFIT!".
You have to be marginally smart and be willing to take acceptable short-term losses in order to make crime pay. But it can be done.
Re: (Score:2)
Re: (Score:2)
Well, as a long-term plan, it sucks.
As damage control, it's damn fine work. Given the circumstances, it's as close to profit as he can get.
Re: (Score:2)
You've gotta love the "personal data" game (Score:4, Insightful)
Now we have a "credit rating" system. It's flawed, abused and annoying, but for the banks and lenders, it's awesome. It makes their lives so much easier because now they don't have to "know you" at all! And for all this we receive WHAT in the way of benefit? Not a lot... perhaps the ability to move and take your good credit reputation with you, but that's about it. And here's the real cool part! The DANGER to you and your identity seems to become YOUR liability entirely. If you ever want to play the credit game, you have to convince them that someone else messed up your records. And all this from the institutionalized illegal behavior of abusing the social security number. The benefit is theirs, the burden is yours!
The benefits are theirs... the burden is yours. Think about what that means and how it came to be.
This is, in fact, rather like the US government and its national debt! You know, where the executive, legislative and judiciary get free medical and all other manner of benefits including a ridiculous retirement plan that gives full pay until you die in addition to the ever-present revolving door policies... they never need to worry about the trivial problems like we do... you know, the life-or-death matters... the stuff about food and shelter... being homeless... none of it. They get to legislate, sign statements, send teenagers off to die in battles and wars, kill people by the thousands, cause ill-will across the planet against ALL Americans (not just US leaders)... and who gets the bill for all of this while they ride pretty free to do anything they want without consequence? That's right! We the People.
And this is not a problem of "electing the wrong people." There are no "right people" for these jobs! If you had the same employment plan where you could do just about anything you like and suffer none of the consequences, it becomes pretty easy to accept... I know I'd probably fall into that trap of behavior too... it's human. (It has long been understood that corruption is a problem of opportunity and not so much a problem of bad character.)
(I know... I'm sounding rather communist/socialist. I don't actually go for that either. What I do advocate is a kind of fairness where the 'elected' have to suffer in the same crap that they create. They make the stew and we have to eat it. If THEY had to eat it with us, you can bet that it would be a lot more palatable.)
Outlaw Receiving Stolen Data! (Score:2)
Re: (Score:2)
the only issue was the lack of permission (Score:1)
In other words, he ripped himself off.
Did a canary sing? (Score:4, Interesting)
Maybe the DBA knew about the canary. With proper security, he shouldn't have. Or maybe the canary sang and that's how the guy got caught.
Re: (Score:3, Interesting)
And what happens to his customers? (Score:2)
I don't believe for a sec any of his customers thought the lists were acquired legitimately.
umm... tomorrow's news? (Score:2)
I bet this happens all too often... (Score:2)
Another Example: I keenly remember learning from a high-level old-guard "Network Administrator" (over a few pitchers of free beer) about how a DB containing 30 years' worth of 'Student Information' was dumped onto a HDD (and 'given' to a third party) after being "merged" into the "_______ Alumni Association" database. This admin, whom I trust, was a 20-year
Re: (Score:2)
Statutory damages (Score:2)
Just another example (Score:2)
You would think in this case it would be pretty easy to prosecute the thief. Unfortunately, it is very unclear the value of an individual record, much less the value of a large collection. I seriously doubt this guy is going to get prosecuted for some kind of "privacy violation". M
Value (Score:2)
I've known this guy for years (Score:2)
I was around when Certegy was formed as a company. When they started they used a home grown software system written by one guy. Certegy bought their database (bad check debt recovery) from RMA who used to be part of Equifax. This was back in late 2001. I was subcontracted and flew to Florida and converted the RMA (PICK Universe) data base to Certegy's system.
"Bill", the guy in this story, is actually a very likable person. He's inviting and happy (maybe not now) laughs a lot. He's the kind of easy
MOD PARENT UP (Score:1)
Thanks for the insight into who this guy was/is.
civil suits? (Score:2)
waspleg
Troll? (Score:2)
A year's salary for a database admin in Bangalore = a cup of Java at Starbucks. Sleep tight.