Shostack + Friends Blog Archive


Discretionary Disclosure

A man who pleaded guilty to hacking into an Arkansas data company’s computer system and stealing personal identification files was sentenced Wednesday to nearly four years in federal prison.

Daniel J. Baas, 26, of suburban Milford, entered his plea in December 2003, after being indicted that August.

Baas was a systems administrator for Market Intelligence Group, which had an agreement to analyze data for Acxiom Corp., of Little Rock, Ark., when he exceeded his authorized access and downloaded encrypted password files, prosecutors said.

In a plea agreement, Baas admitted that he stole the data between January 2001 and January 2003 and stored it on computer disks at his home, prosecutors said. On Wednesday, U.S. District Judge Susan Dlott sentenced Baas to 45 months in prison.

Acxiom’s clients include credit card issuers, banks, auto manufacturers, telecommunications companies and retailers. Baas bragged to other hackers that he had the files, but didn’t share them with anyone, prosecutors said.

According to Robert O’Harrow’s “No Place to Hide,” p. 72, the company chose not to notify: “A company official said that the information was simply not that sensitive and ‘did not meet a threshold that would require customer notification.’” (Update: Try this Google Print link.)

Acxiom’s data would be covered under California law and under the new laws that a number of states are putting in place after ChoicePoint, but not under the FDIC, FRB, or OCC regulations that have been put forth.

One comment on "Discretionary Disclosure"

  • Overzealous sentencing leads to reduction in security

    Yet another disproportionate sentence was handed down for what amounts to a bunch of misdemeanours in the US of A. Adam reports and Google has lots of articles on a hacker that spent too much time cracking into various places….
