Advanced Search
Content Type: Examples
On October 13, 2017, as a result of the massive data breach announced in September and the discovery that the company's website was infected with malware, the U.S. Internal Revenue Service suspended a $7.2 million contract with Equifax pending investigation. A week earlier, the IRS had announced that Equifax would supply it with taxpayer identity verification for users wishing to access their tax records via the IRS's online Secure Access service.
https://arstechnica.com/tech-policy/2017/10/…
Content Type: Examples
In September 2017, soon after announcing the company had suffered a major data breach that exposed sensitive information pertaining to about 150 million people, Equifax set up a poorly secured website intended to help people determine whether they had been affected. The site was flagged by numerous browsers as a phishing threat; gave the same people different answers on different devices; and offered some people a monitoring service instead of a clear answer. A few weeks later, Equifax began…
Content Type: Examples
In October 2017, researcher Brian Krebs discovered that a service provided by Equifax's TALX division, The Work Number, made it possible for anyone equipped with an individual's Social Security Number and date of birth to access that person's detailed salary and employment history. Because of the mid-2017 data breach affecting 146.6 million Americans, that information was already in the hands of criminals. The service collects data from tens of thousands of companies, which also use it…
Content Type: Examples
In May 2017, Equifax advised a number of customers that between April 2016 and March 2017 criminals had been able to steal income tax data from the service The Work Number provided by its TALX subsidiary. The Work Number provides online payroll, human resources, and tax services to companies for their employees. Criminals were able to reset the four-digit PINs given to customers' employees as passwords and then successfully answer personal questions about those employees. The stolen…
Content Type: Examples
In August 2013, a jury in the Portland, Oregon Federal District Court awarded Julie Miller $18.4 million in punitive damages when despite two years of complaints and filings Equifax failed to rectify errors in her credit report that blocked many aspects of her financial life. Miller had followed the company's processes for resolving the errors in her report, which were a result of entangling her record with that of another, much less creditworthy, Julie Miller as a result of the partial…
Content Type: Examples
In 2000, and then again in 2003, the US Federal Trade Commission fined Equifax for blocking phone calls from consumers trying to get information about their credit or discuss their reports or making them wait for extended periods of time in violation of the Fair Credit Reporting Act. In 1996, Congress amended FCRA to require credit bureaus to supply a free phone number on the credit reports issued to consumers. The FTC claimed that the company maintained insufficient personnel to answer calls.…
Content Type: Examples
In October 2012, Equifax agreed to a settlement with the US Federal Trade Commission over charges that between January 2008 and early 2010 the company improperly sold lists of consumers who were late on their mortgage payments in violation of the FTC Act and the Fair Credit Reporting Act. Equifax and the companies that allegedly bought and resold the information - Direct Lending Source and affiliates - agreed to forfeit the nearly $1.6 million they made from these activities. The settlement…
Content Type: Examples
In November 2017, an investigation of Equifax's Work Number database, owned by the company's TALX division, found that it contains over 296 million employment records including employees at all salary levels. Every week the database receives current payroll data on about a third of the working US population from sources including 75% of Fortune 500 companies, 85% of federal government, and state governments and agencies, courts, colleges, and thousands of small businesses. Companies pay Equifax…
Content Type: Examples
In October 2017, an anonymous security researcher informed Equifax that in December 2016 they had found a vulnerability in one of its public-facing websites that allowed them to access the personal data of every American, including full names, birthdates, city and state of residence, and social security numbers. Inputting a single search term, the researcher reported, would return millions of results, all in cleartext, almost instantly. The researcher was also able to obtain control of several…
Content Type: Examples
In 2017, a group of data brokers led by Acxiom, AppNexus, and MediaMath, and including Index Exchange, LiveIntent, OpenX, and Rocket Fuel,
launched a consortium to make targeted programmatic advertising more widely available. Part of the consortium's goal is to enable the companies involved to compete better with Google's Ad words and Facebook's ad platform, which together account for 48% of all digital advertising spend. The consortium also intended to create a common omnichannel, people-…
Content Type: Examples
In September 2018, Acxiom introduced an open data framework intended to create an omnichannel view of the people in its database. The company claims this "unified data layer" will let customer companies connect their marketing technology and ad technology ecosystems and connect the online world to the offline world,
https://www.mediapost.com/publications/article/325012/acxiom-launches-tool-for-linking-martech-and-ad-te.html
tags: Acxiom, credit scoring, linking, marketing, advertising…
Content Type: Examples
On September 7, 2017, the credit scoring company Equifax announced that between mid-May and July 2017 its database of consumer records had been hacked. Eventually, in a filing with the Securities and Exchange Commission following demands from US senators, the company provided detailed statistics of what was exposed: name, date of birth, and social security number for more than 145.5 million Americans; and further details such as address, gender, phone number, and driver's licence number…
Content Type: Examples
Days after Equifax discovered its data breach in July 2017 but before the breach was announced publicly in September, three of its top executives including the chief financial officer sold nearly $2 million worth of shares. The company told the Securities and Exchange Commission that the sales represented a "small percentage" of the shares the executives owned and that the three did not know the intrusion had occurred when they sold their shares.
https://www.cnbc.com/2017/09/07/equifax-…
Content Type: Examples
In 2012, Acxiom's database was reported to be the largest commercial database on consumers in the world, containing approximately 1,500 data points, or "elements", for each of the 500 million active consumers worldwide and processing more than 50 trillion data transactions per year. Each of the individuals in its database is slotted into one of 70 specific socioeconomic clusters as an attempt to predict what they will buy and what types of persuasion they will respond to. In its latest fiscal…
Content Type: Examples
In 2003, the for-profit privacy company Private Citizen, which helps paying consumers unsubscribe from telemarketers' lists and direct mailing offers, found that Acxiom had begun rejecting the batches of opt-out notices the service sent on behalf of its subscribers. Acxiom insisted that each person was required to contact the company individually, apparently on the basis that each should hear the company's pitch for staying in its database. Aciom's membership of the Direct Marketing Association…
Content Type: Examples
In 2013, 44 years after Acxiom went into business selling consumer data, the company opened a website, aboutthedata.com, to allow Americans to see the data the company holds about them and make it easier to opt out of tracking. However, using the site requires visitors to input a substantial amount of personal information for authentication; the results of these searchers omit many of the data elements Acxoim sells its customers; the privacy policy allows the company considerable latitude in…
Content Type: Examples
In 2003, the Electronic Privacy Information Center, Privacy Rights Clearinghouse, and PrivacyActivism filed complaints with the US Federal Trade Commission alleging that JetBlue Airways and Acxiom engaged in deceptive trade practices by supplying personal information about consumers to the Alabama-based information mining company Torch Concepts without the knowledge or consent of those consumers. EPIC argued that the FTC should investigate and enjoin these activities, which it believed were in…
Content Type: Examples
In December 2012, the US Federal Trade Commission opened an investigation into data brokers' privacy practices, requesting information from nine companies: Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, Peekyou, Rapleaf, and Recorded Future. The FTC sought information about: the nature and sources of the consumer information the data brokers collect; how they use, maintain, and disseminate the information; and the extent to which the data brokers allow consumers to access and…
Content Type: Examples
In 2014, Acxiom's chief product and engineering officer, Phil Mui, described the system the company had been building to link individuals' activities across the many channels, devices, and applications they use. A single individual may accumulate four different personas via 24 cookies across six different devices; Acxiom's goal was to unify these. The company holds some 5,000 pieces of customer data for each of the 700 million individual consumers in its database.
https://www.mediapost.com/…
Content Type: Examples
In 2004, the US Department of Justice investigated the theft of 8.2GB of personal data from File Transfer Protocol (FTP) servers belonging to Acxiom between 2002 and 2003. The case was thought to represent the largest case of data theft at the time. Scott Levine, the owner of the email spamming company Snipermail, was indicated on 144 offences in connection with the attack, and was eventually found guilty of 120 of them and sentenced to jail for eight years. In all, Levine and Snipermail were…
Content Type: Examples
In 2016, Acxiom announced a deal with the media delivery company Valassis, a subsidiary of Harland Clarke Holdings Corp, intended to provide marketers with better post-campaign analytics. The linkage of the two companies was intended to "provide an integrated view of a consumer's purchase behaviour" by integrating Acxiom's people-based recognition tools with Valassis' services to advertisers, such as targeting its customers' most influential and valuable shoppers.
http://www.valassis.com/about…
Content Type: Examples
In April 2018, Facebook announced that in six months it would end a programme it called "Partner Categories", in which the social network acted as a bridge between data brokers like Acxiom, Epsilon, and TransUnion and the consumers their customers want to reach. In this deal, Facebook did not actually sell the data it collects; instead, it targeted ads to the lists of people the data brokers uploaded. Facebook users can see the results for themselves by going to their privacy settings and…
Content Type: Examples
In 2003, Acxiom announced that law enforcement officials had notified the company that it had been hacked, and that the attacker had intercepted information in transit between the company and some of its clients via a File Transfer Protocol (FTP) server located outside the company's firewall. The hacker, later identified as Daniel Baas and prosecuted, had access to passwords and data files belonging to Acxiom customers for two years, from January 2001 to January 2003.
https://www.…
Content Type: Examples
Google announced on October 8 having discovered a vulnerability in the Google+ API which has been open since 2015. This vulnerability allowed third-party developers to access data for more than 500,000 users, including their usernames, email addresses, occupation, date of birth, profile photos, and gender-related information. While Google only retains 2 weeks of activity logs and cannot assert the exact reach of the breach, it believes that up to 438 applications had access to these data.…
Content Type: Examples
Facebook-owned Onavo VPN (adertised as a way to block harmful websites, and keep a user's data safe) is pulled from the Apple App Store due to tracking, collecting, and analysing customers' usage data, including from other unrelated apps.
https://arstechnica.com/tech-policy/2018/08/facebook-violates-apples-data-gathering-rules-pulls-vpn-from-app-store/
Author: Valentina Palladino
Ars Technica
Content Type: Examples
30 million users had their accounts breached, with a total of 90 million accounts reset after Facebook's "view as" feature leaked unique user account access tokens, allowing attackers to not only trivially impersonate any other user on the platform, but also to potentially automate the attack on a massive scale using their API.
This is of particular concern where these access tokens were used as a "Single Sign On" for third-party services who authenticate against Facebook. The…
Content Type: Examples
In March 2018, a security researcher discovered that the state-owned utility company Indane had access to the Aadhaar database via an API, but they did not secure this way of entry. As a result, anybody was able to use this service to access details on the Aadhaar database about any Aadhaar number including an individual's name, and details of the bank accounts they had. This breach meant that it would be possible for someone to cycle through the trillions of possible Aadhaar numbers,…
Content Type: Examples
There has been the spread of the linking of the patient identity cards of HIV positive patients, pushed for by the National Aids Control Organisation. While it is not compulsory, in November 2017 it was reported that some patients reported that they were denied treatment until they gave their Aadhaar number. This linking with Aadhaar has led to some HIV positive people dropping out of antiretroviral treatment programmes, for fear that their status would be leaked. Given that Aadhaar is…
Content Type: Examples
In January 2018, journalists found that, for 500 rupees (around $7USD), they were able to buy on WhatsApp access to a gateway that allowed them to access the personal details connected to any of the entries on the Aadhaar database - by entering any Aadhaar number, they could see details like the name, address, phone number, and photograph of the individual associated with that Aadhaar number. They were also able to purcahse software to enable the printing of Aadhaar cards more than 100,000…
Content Type: Examples
In December 2017, it was revealed that the large telco Bharti Airtel made use of Aadhaar-linked eKYC (electronic Know Your Customer) to open bank accounts for their customers without their knowledge or consent. eKYC is a way of using data in the UIDAI database as part of the verification process, which Airtel made use of for the issuing of SIM cards, and also secretly opened bank accounts with their Airtel Payments Bank. More than 2 million accounts could have been opened, receiving more than…