Thursday, March 09, 2006

iBill Customer Database Breach

See Update at Bottom!

Customer records were lost in an apparent inside job at iBill, an online billing and payments system that reportedly does 85% of its business billing the customers of online porn sites. But because of an odd loophole in data breach reporting laws, the leak, which apparently happened in 2003 or earlier, went unreported: the laws require notification of victims only if credit card numbers are exposed in the breach. Apparently all personal information about iBill clients was exposed EXCEPT credit card numbers, including passwords for iBill logins and customer email addresses.

Clearly, a list of 17 million email addresses of mostly porn site customers would be valuable information to other porn service operators and an attractive purchase for spammer lists. While email addresses sold to spammers is a serious data breach in itself, the potential for financial data loss is more important and dangerous to victims than embarrassment and spam from additional porn sites.

A Google search for "iBill Data Breach" turns up a large number of adult oriented blogs, discussion lists and "terms of service" pages where iBill is named as the payment processor.

This thorough story, by Wired News reporter Quinn Norton, takes a look at the players in the story, iBill's history, and a security firm's discovery of the customer information online in hacker forums and on web sites registered under phantom names.

While the iBill customer data breach went unreported for at least three years, 17 million iBill customers' names and personal login information no doubt proved fruitful to enterprising hackers armed with that information.

It is well known that people are lazy with passwords and usernames, using the same logins for multiple sites. Given that, exposed passwords combined with names could be as dangerous financially in hackers' hands as actual credit card numbers.

Long story short, this iBill data breach and the lack of required reporting to its victims make it clear that reporting requirements should be extended to cover instances where credit card information is not lost, but passwords and other personally identifiable information are.

In this case, hackers probably used the password information to exploit those exposed in the breach without the victims knowing how they were exposed. The Wired story concentrates on the embarrassment of the victims because they are on long lists of porn site customers, but the focus should not be on the type of business that loses customer information.

Reporting needs to be universally required when large scale data breaches such as this happen at companies that handle financial data.


Update: Apparently iBill has been framed, according to another Wired News story, which was the original source for this post. In the follow-up story, iBill president Gary Spaniak, Jr. claims that the database is secure and that he believes spammers are to blame for planting false files on the sites where security firm Secure Science Corporation found them. Apparently the sole identifying clue was a filename for the data, posted on a spamming website offering the information for sale.

It appears spammers have no hesitation about screwing each other by selling fake information in the underground economy. This time porn billing company iBill appears to be Sunday school clean, caught in a misunderstanding and a drive-by shooting by "security firms" seeking publicity for their "discovery" of data breaches based on nothing more than a filename from a spamming web site.

There appear to be risks involved for iBill in dealing with an industry known for low morals.

But Wired News should be taken to task for breaking this story before iBill was able to respond, the same way the security firms are taken to task for drawing conclusions based on nothing more than a filename "discovered" while trolling the underworld of the web. It appears someone must be having a good chuckle in this story. It isn't the good guys.

posted by RealitySEO at 9:43 AM