Like Taking Candy from a Database
Candice “Candy” Smith, 44, of Blue Springs, Mo., pleaded guilty to making unauthorized inquiries into data aggregator LexisNexis’s database of non-public information on millions of consumers, such as driver’s license information and credit-history data.
Many people might assume that only cops can look up this type of information, but Smith was granted access to the database by virtue of her job as a bill collector for the Center for Medicaid Services, an agency of the Department of Health and Human Services.
So reports Brian Krebs in “Prostitution Suspect Used Data Access to Keep Tabs on Cops.” In “Ex-Gov’t Worker Sentenced In Prostitution Case,” The Kansas City Channel reports that she “pleaded guilty in July to unauthorized computer intrusion.” Which is interesting, to me, as it seems she was authorized to access the data she used. Are additional, unauthorized uses really covered by a criminal statue? It seems (unfortunately) more likely that what she did is a civil matter of a contract violation.
Chris Hoofnagle has some good bits on how lax audit logs are in “Data Brokers’ Anti-Fraud Databases Used for Crime (Again).” Note that he’s referring to Choicepoint, not Lexis-Nexis when he says “we obtained documents under the Freedom of Information Act that strongly suggested that the government could not audit officers’ use of Choicepoint.”