Data Mining Doesn't Always Pay: $1.135 Million Judgment

Now Available:

Featured Resources:

On November 29 Judge Clarence Cooper of Atlanta's U.S. District Court ordered that Tamarac, Fla.-based 1st Source Information Specialists Inc. and company principals Kenneth W. Gorman and Steven Schwartz disgorge all profits and pay Cingular Wireless compensatory and punitive damages and attorney fees totaling $1,135,000.

1st Source was harvesting cell phone numbers from web sites and doing reverse lookups for cellphone numbers and selling the information to other businesss for $110 to $195. To make things worse they were also selling records of the calls made from specific cell phone numbers; an additional huge invasion of privacy.

The Cingular complaint claimed the defendants "engage[d] in deceit, trickery and dishonesty to obtain private information from Cingular's (customer service representatives) through 'social engineering,' improper hacking and/or through unauthorized access to online account information stored on Cingular's database."

The stated techniques included "instances of the defendants or their employees using customers' passwords to access their accounts, pretending to be Cingular customers seeking information about their own accounts or posing as "fellow [Cingular] employees facing an urgent access problem in accessing a customer account.""

Social engineering is a tough threat to guard against, and is widely used. This case highlights the importance of training personnel on an ongoing basis for how to safeguard information, including how to prevent successful social engineering attempts.

Coincidentally Dr. Gary Hinson at NoticeBored issued his monthly newsletter a couple of days ago, the topic for which was social engineering. Dr. Hinson's site has many great article on this topic; it is a good place to go to get ideas for your own awareness and training activities.

This case also shows that organizations, information security and privacy practitioners in particular, need to be diligent in knowing their company's (likely marketing department's) plans for harvesting data such as cell phone numbers and email addresses for marketing purposes. They must also check before purchasing customer contact lists to make sure the information they want to purchase was gathered legally and with the individuals' consent.

Categories

Rebecca Herold's Bio:

Rebecca Herold,CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.

Comments

I agree that inappropriate sharing of private information is wrong, but it simply is not "data mining". Data mining is a sophisticated statistical analytical process, not simple information gathering. Please, let's keep the terminology straight.

Posted by: Will Dwinnell | December 1, 2006 6:45 AM

Will, thanks for your comment.

Yes, in the true academic and scientific sense, "data mining" is not using tools to harvest information from websites. As NIST describes, "Data Mining can take many forms, but it involves the search for some underlying structure. This structure can be regularity in data, or an optimization of some property(s), or even a method such as an algorithm." (http://math.nist.gov/mcsd/savg/datamine/index.html)

However, as the press regularly uses the term "data mining" it is much broader and involves such activities as harvesting information from websites, as the article from the law.com site illustrates.

The general public, most lawyers filing cases such as this one, and reporters now regularly use the term "data mining" interchangeably with "data harvesting." This highlights a general problem with issues information security and privacy; there are communications gaps between different positions that lead to significant differences in interpreting legal compliance requirements, performing cybercrime investigations and associated prosecutions, and so on. This communication gap is a challenge faced by information security and privacy practitioners daily.

Similar to those arguing the correct definition of "hacker," "data mining" is also a term that those in academia, in research, in marketing, in technology, and so on, also debate.

Your point is well taken. Perhaps I should have used the term "data harvesting" in my post title instead of "data mining," but since the story used that term, that is the one I chose to use.

If you would like to educate folks on the true definition of "data mining" and have a link to an article to share, I welcome you posting a URL to it.

Posted by: Rebecca | December 1, 2006 8:52 AM

Now Available:

Featured Resources:

Realtime Communities

Newsletter

Monthly Archives

RSS

Ask the Expert