Content type: Examples
In May 2017, Equifax advised a number of customers that between April 2016 and March 2017 criminals had been able to steal income tax data from the service The Work Number provided by its TALX subsidiary. The Work Number provides online payroll, human resources, and tax services to companies for their employees. Criminals were able to reset the four-digit PINs given to customers' employees as passwords and then successfully answer personal questions about those employees. The stolen…
Content type: Examples
In October 2017, researcher Brian Krebs discovered that a service provided by Equifax's TALX division, The Work Number, made it possible for anyone equipped with an individual's Social Security Number and date of birth to access that person's detailed salary and employment history. Because of the mid-2017 data breach affecting 146.6 million Americans, that information was already in the hands of criminals. The service collects data from tens of thousands of companies, which also use it…
Content type: Examples
In September 2017, soon after announcing the company had suffered a major data breach that exposed sensitive information pertaining to about 150 million people, Equifax set up a poorly secured website intended to help people determine whether they had been affected. The site was flagged by numerous browsers as a phishing threat; gave the same people different answers on different devices; and offered some people a monitoring service instead of a clear answer. A few weeks later, Equifax began…
Content type: Examples
In October 2017, an anonymous security researcher informed Equifax that in December 2016 they had found a vulnerability in one of its public-facing websites that allowed them to access the personal data of every American, including full names, birthdates, city and state of residence, and social security numbers. Inputting a single search term, the researcher reported, would return millions of results, all in cleartext, almost instantly. The researcher was also able to obtain control of several…
Content type: Examples
Days after Equifax discovered its data breach in July 2017 but before the breach was announced publicly in September, three of its top executives including the chief financial officer sold nearly $2 million worth of shares. The company told the Securities and Exchange Commission that the sales represented a "small percentage" of the shares the executives owned and that the three did not know the intrusion had occurred when they sold their shares.
https://www.cnbc.com/2017/09/07/equifax-…
Content type: Examples
On September 7, 2017, the credit scoring company Equifax announced that between mid-May and July 2017 its database of consumer records had been hacked. Eventually, in a filing with the Securities and Exchange Commission following demands from US senators, the company provided detailed statistics of what was exposed: name, date of birth, and social security number for more than 145.5 million Americans; and further details such as address, gender, phone number, and driver's licence number…
Content type: Examples
In September 2018, Acxiom introduced an open data framework intended to create an omnichannel view of the people in its database. The company claims this "unified data layer" will let customer companies connect their marketing technology and ad technology ecosystems and connect the online world to the offline world,
https://www.mediapost.com/publications/article/325012/acxiom-launches-tool-for-linking-martech-and-ad-te.html
tags: Acxiom, credit scoring, linking, marketing, advertising…
Content type: Examples
In 2017, a group of data brokers led by Acxiom, AppNexus, and MediaMath, and including Index Exchange, LiveIntent, OpenX, and Rocket Fuel, launched a consortium to make targeted programmatic advertising more widely available. Part of the consortium's goal is to enable the companies involved to compete better with Google's AdWords and Facebook's ad platform, which together account for 48% of all digital advertising spend. The consortium also intended to create a common omnichannel, people-…
Content type: Examples
In December 2012, the US Federal Trade Commission opened an investigation into data brokers' privacy practices, requesting information from nine companies: Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, Peekyou, Rapleaf, and Recorded Future. The FTC sought information about: the nature and sources of the consumer information the data brokers collect; how they use, maintain, and disseminate the information; and the extent to which the data brokers allow consumers to access and…
Content type: Examples
In 2003, the Electronic Privacy Information Center, Privacy Rights Clearinghouse, and PrivacyActivism filed complaints with the US Federal Trade Commission alleging that JetBlue Airways and Acxiom engaged in deceptive trade practices by supplying personal information about consumers to the Alabama-based information mining company Torch Concepts without the knowledge or consent of those consumers. EPIC argued that the FTC should investigate and enjoin these activities, which it believed were in…
Content type: Examples
In 2013, 44 years after Acxiom went into business selling consumer data, the company opened a website, aboutthedata.com, to allow Americans to see the data the company holds about them and make it easier to opt out of tracking. However, using the site requires visitors to input a substantial amount of personal information for authentication; the results of these searches omit many of the data elements Acxiom sells its customers; the privacy policy allows the company considerable latitude in…
Content type: Examples
In 2003, the for-profit privacy company Private Citizen, which helps paying consumers unsubscribe from telemarketers' lists and direct mailing offers, found that Acxiom had begun rejecting the batches of opt-out notices the service sent on behalf of its subscribers. Acxiom insisted that each person was required to contact the company individually, apparently on the basis that each should hear the company's pitch for staying in its database. Acxiom's membership of the Direct Marketing Association…
Content type: Examples
In 2012, Acxiom's database was reported to be the largest commercial database on consumers in the world, containing approximately 1,500 data points, or "elements", for each of the 500 million active consumers worldwide and processing more than 50 trillion data transactions per year. Each of the individuals in its database is slotted into one of 70 specific socioeconomic clusters as an attempt to predict what they will buy and what types of persuasion they will respond to. In its latest fiscal…
Content type: Examples
In April 2018, Facebook announced that in six months it would end a programme it called "Partner Categories", in which the social network acted as a bridge between data brokers like Acxiom, Epsilon, and TransUnion and the consumers their customers want to reach. In this deal, Facebook did not actually sell the data it collects; instead, it targeted ads to the lists of people the data brokers uploaded. Facebook users can see the results for themselves by going to their privacy settings and…
Content type: Examples
In 2016, Acxiom announced a deal with the media delivery company Valassis, a subsidiary of Harland Clarke Holdings Corp, intended to provide marketers with better post-campaign analytics. The linkage of the two companies was intended to "provide an integrated view of a consumer's purchase behaviour" by integrating Acxiom's people-based recognition tools with Valassis' services to advertisers, such as targeting its customers' most influential and valuable shoppers.
http://www.valassis.com/about…
Content type: Examples
In 2004, the US Department of Justice investigated the theft of 8.2GB of personal data from File Transfer Protocol (FTP) servers belonging to Acxiom between 2002 and 2003. The case was thought to represent the largest case of data theft at the time. Scott Levine, the owner of the email spamming company Snipermail, was indicted on 144 offences in connection with the attack, and was eventually found guilty of 120 of them and sentenced to jail for eight years. In all, Levine and Snipermail were…
Content type: Examples
In 2014, Acxiom's chief product and engineering officer, Phil Mui, described the system the company had been building to link individuals' activities across the many channels, devices, and applications they use. A single individual may accumulate four different personas via 24 cookies across six different devices; Acxiom's goal was to unify these. The company holds some 5,000 pieces of customer data for each of the 700 million individual consumers in its database.
https://www.mediapost.com/…
Content type: Examples
In 2003, Acxiom announced that law enforcement officials had notified the company that it had been hacked, and that the attacker had intercepted information in transit between the company and some of its clients via a File Transfer Protocol (FTP) server located outside the company's firewall. The hacker, later identified as Daniel Baas and prosecuted, had access to passwords and data files belonging to Acxiom customers for two years, from January 2001 to January 2003.
https://www.…
Content type: Examples
On October 8, Google announced that it had discovered a vulnerability in the Google+ API that had been open since 2015. This vulnerability allowed third-party developers to access data for more than 500,000 users, including their usernames, email addresses, occupation, date of birth, profile photos, and gender-related information. While Google only retains 2 weeks of activity logs and cannot assert the exact reach of the breach, it believes that up to 438 applications had access to these data.…
Content type: Examples
Facebook-owned Onavo VPN (advertised as a way to block harmful websites and keep a user's data safe) is pulled from the Apple App Store due to tracking, collecting, and analysing customers' usage data, including from other unrelated apps.
https://arstechnica.com/tech-policy/2018/08/facebook-violates-apples-data-gathering-rules-pulls-vpn-from-app-store/
Author: Valentina Palladino
Ars Technica
Content type: Examples
30 million users had their accounts breached, with a total of 90 million accounts reset after Facebook's "view as" feature leaked unique user account access tokens, allowing attackers to not only trivially impersonate any other user on the platform, but also to potentially automate the attack on a massive scale using their API.
This is of particular concern where these access tokens were used as a "Single Sign On" for third-party services that authenticate against Facebook. The…
Content type: Examples
The linking of HIV-positive patients' identity cards with Aadhaar, pushed for by the National Aids Control Organisation, has been spreading. While it is not compulsory, in November 2017 it was reported that some patients said they were denied treatment until they gave their Aadhaar number. This linking with Aadhaar has led to some HIV-positive people dropping out of antiretroviral treatment programmes, for fear that their status would be leaked. Given that Aadhaar is…
Content type: Examples
In March 2018, a security researcher discovered that the state-owned utility company Indane had access to the Aadhaar database via an API but had not secured this entry point. As a result, anybody was able to use this service to access details on the Aadhaar database about any Aadhaar number, including an individual's name and details of the bank accounts they had. This breach meant that it would be possible for someone to cycle through the trillions of possible Aadhaar numbers,…
Content type: Examples
In September 2018, journalists found that a software patch was widely available that disabled or weakened the security features in the software used to enroll people in the Aadhaar database, potentially from anywhere in the world. The patch was reportedly widely available in WhatsApp groups for around $35 USD. The demand for individuals to access the Aadhaar database goes back to 2010, when private entities were allowed to enroll people in the Aadhaar database, to encourage…
Content type: Examples
In December 2017, it was revealed that the large telco Bharti Airtel made use of Aadhaar-linked eKYC (electronic Know Your Customer) to open bank accounts for their customers without their knowledge or consent. eKYC is a way of using data in the UIDAI database as part of the verification process, which Airtel made use of for the issuing of SIM cards, and also secretly opened bank accounts with their Airtel Payments Bank. More than 2 million accounts could have been opened, receiving more than…
Content type: Examples
In January 2018, journalists found that, for 500 rupees (around $7 USD), they were able to buy on WhatsApp access to a gateway that allowed them to access the personal details connected to any of the entries on the Aadhaar database: by entering any Aadhaar number, they could see details like the name, address, phone number, and photograph of the individual associated with that Aadhaar number. They were also able to purchase software to enable the printing of Aadhaar cards more than 100,000…
Content type: Examples
AirAsia engaged Palantir as a data science partner focused on “guest experience, inflight sales, route revenue, finance, security, flight operations, network planning, cargo, supply chain management, commercial and people development.”
Publication: AirAsia newsroom
Date: 8 August 2018
Content type: Examples
In 2013, Edward Snowden, working under contract to the US National Security Agency for the consultancy Booz Allen Hamilton, copied and leaked thousands of classified documents that revealed the inner workings of dozens of previously unknown surveillance programs. One of these was PRISM, launched in 2007, which let NSA use direct access to the systems of numerous giant US technology companies to carry out targeted surveillance of the companies' non-US users and Americans with foreign contacts by…
Content type: Examples
In May 2018, Google announced an AI system to carry out tasks such as scheduling appointments over the phone using natural language. A Duplex user wanting to make a restaurant booking, for example, could hand the task off to Duplex, which would make the phone call and negotiate times and numbers. In announcing the service, Google stressed its use of "speech dysfluencies" - that is, non-verbal syllables such as "um" and "er" to make the interaction sound more natural.
The system almost…
Content type: Examples
In 2017, the Electronic Privacy Information Center filed a complaint with the US Federal Trade Commission asking the agency to block Google's Store Sales Measurement service, which the company introduced in May at the 2017 Google Marketing Next event. Google's stated goal was to link offline sales to online ad spending. EPIC argued that the purchasing information Google collected was highly sensitive, revealing details about consumers' purchases, health, and private lives, and that Google was…