Never Heard Of Acxiom? Chances Are It's Heard Of You. How a little-known Little Rock company--the world's largest processor of consumer data--found itself at the center of a very big national security debate.
(FORTUNE Magazine) – Last summer a sheriff in Cincinnati stumbled onto what may have been the biggest security breach of consumer data ever. Searching the home of Daniel Baas, a 24-year-old computer-systems administrator at a data-marketing firm, detectives found dozens of compact discs containing the personal data of millions of Americans. The information, it turned out, had been hacked by Baas over a period of two years from a giant server in Arkansas belonging to a company called Acxiom.
Never heard of Acxiom? The publicly traded, politically connected Little Rock company is the world's largest processor of consumer data, collecting and massaging more than a billion records a day. Its customers include nine of the country's top ten credit-card issuers, as well as nearly all the major retail banks, insurers, and automakers. It's a business that generates $1 billion in sales annually and, after a few bumpy years, is expected to produce $60 million in profits. Analysts project earnings to grow 15% annually over the next five years.
For most of its life, Acxiom (the "c" is silent) has kept a low profile--its corporate customers like it that way. But lately it has found itself at the center of a white-hot swirl of anti-terrorism, national security, and consumer-privacy issues. Remember the flap about JetBlue giving passenger records to a government contractor? And the one about John Poindexter's terrorism futures exchange? They all touched Acxiom.
And in the middle of all that, it now turns out, Acxiom itself was getting hacked. While there's no evidence that Baas--who pleaded guilty in December to federal cybercrime charges--used the stolen data for any commercial purpose, the case raises serious questions about the vulnerability of databases at companies like Acxiom, which should be the most secure.
Indeed, FORTUNE has learned that while the FBI and Secret Service were tracking Baas, they stumbled upon a group of unrelated hackers in Boca Raton, Fla., who had penetrated the same Acxiom server for three months last year, also accessing data on millions of Americans. Once again, it doesn't appear that consumers were defrauded, but indictments aren't expected before March. "We dodged a howitzer with that one," admits Charles Morgan, Acxiom's longtime chairman and CEO. "It was a whole company--a bunch of crooks. If it had been the Russian mafia, we would have been in a hell of a mess."
Such embarrassments come at a bad time, not just for Acxiom but for America. Since 9/11, the company has been campaigning for crucial federal contracts in homeland security. Retired general and presidential candidate Wesley Clark and the Clintons have helped. But until recently, Acxiom officials were unaware that their own homeland had been breached. Baas easily cracked Acxiom's passwords, helping himself to unencrypted data belonging to 10% of Acxiom's customer base--upwards of 200 large companies. "This is a wake-up call for us and our industry," says Morgan.
As Morgan knows, the stakes go way beyond the privacy of consumers. Since 2001, Acxiom has engaged in research with the Pentagon and other agencies to find ways to consolidate, link, and share data. The federal Transportation Security Administration recently announced that this summer it will roll out its controversial second-generation Computer Assisted Passenger Prescreening System, or CAPPS II--a scheme that color-codes airline passengers in terms of their likelihood to be terrorists. The project will rely heavily on Acxiom's data and its identity-matching logarithms. Privacy advocates worry that systems such as CAPPS will hurt the innocent by producing streams of false positives. But the opposite may be the case. In late December several flights from Paris to the U.S. were grounded because intelligence intercepts misidentified a half-dozen people as possible threats, including a 5-year-old child mistaken for an al Qaeda pilot. Had Acxiom's identity-resolution system been in place, that probably wouldn't have happened.
Many say the use of private-sector data is critical in the fight against terrorism. "Government must have access to that information," concludes a recent report by the Markle Foundation, which focuses on technology policy and whose 36-member security task force includes Clark. "The travel, hotel, financial, immigration, health, or educational records of a person suspected by our government of planning terrorism may hold information that is vital."
By most accounts, nobody does a better job of identity verification than Acxiom, which is rapidly expanding its reach in Europe and Asia. "The Acxioms of the world--these are citizen patriots in this new war," says David Aufhauser, the Treasury Department's recently departed general counsel. "It's as if it's 1776 all over again. A great deal of the intelligence that we receive in the shadow war on terror is suspect--the product of capture, interrogation, bribery, deceit, false feints, or, abroad, torture. Information in financial or personal databases provides a measured counterpoint."
But as much as the country may need Acxiom, the hacking incidents could be rocket fuel for those who oppose CAPPS and similar programs. Clark, for one, appears to be distancing himself from his lobbying for the data giant. "Had I still been on that [Acxiom] board when all this was going through," Clark said in a presidential candidates' debate last month, "I would have insisted that ACLU and others be brought in to preapprove CAPPS II." (In fact, Clark was on the board through most of the process.)
Acxiom itself has been downplaying the hacking breaches--it hasn't said anything publicly about the Florida attack--as it tries to maintain the confidence of both its corporate clients and its federal benefactors. Even so, an Acxiom team is beefing up the company's computer security in ways that may also become a model for Washington. That need is pressing: A recent government report concludes that many federal agencies, including the Department of Homeland Security, are failing in computer security.
TO GRASP WHAT IS AT RISK, one need only take a walk through Acxiom's five-acre data center in Conway, Ark. Thousands of servers and storage units--a city of blinking six-foot boxes --quietly process the billions of data bits that flow into the company each second. As silent as Mars, Planet Acxiom has few signs of life beyond a handful of geeky traffic controllers monitoring the liftoffs and landings of data in cyberspace on NASA-sized screens. "Think of it as an automated factory, where the product we make is data," says a manager. In a separate, locked glass room known as the shark tank, black plastic fins jut from the tops of some of the 70 servers and storage units. "Some clients don't work well in the same sandbox," explains Jeff Kauble, who co-manages the complex. Citigroup? Allstate? Homeland Security? He won't say. Another client insists its data be stored miles away, in the sealed underground vault of a former government building.
Once upon a time in America a savvy store clerk knew that you had, say, three kids, an old Ford, a pool, and a passion for golf and yellow sweaters. Today Acxiom is that store clerk. It manages 20 billion customer records, has enough storage space to house all the information in the Library of Congress 50 times over, and maintains a database on 96% of U.S. households that gives marketers a so-called real-time, 360-degree view of their customers.
How? Acxiom provides a 13-digit code for every person, "so we can identify you wherever you go," says the company's demographics guru, Bruce Carroll. Each person is placed into one of 70 lifestyle clusters, ranging from "Rolling Stones" and "Single City Struggles" to "Timeless Elders." Nearly one-third of Americans change their clusters annually as a result of a "lifestyle trigger event," Carroll says. Acxiom's catalog also offers hundreds of lists, including a "pre-movers file," updated daily, of people preparing to change residences, as well as lists of people sorted by the frequency with which they use credit cards, the square footage of their homes, and their interest in the "strange and unusual." Says Carroll: "We're pushing a new paradigm."
The man behind the paradigm is Morgan, who joined the company in 1972 and built the industry's first large-scale, multisourced database in 1978. Although he just turned 61, the IBM-trained engineer still drives a Harley to work, pilots the company plane, and until last year drove in NASCAR races. "Charles is the guy you want to have flying the airplane if something goes wrong," says Acxiom's general counsel, Jerry Jones. "He can take in lots of information and make decisions. He tweaks algorithms in his spare time and loves to drill down into the data."
A decade ago Morgan got rid of most titles at Acxiom and sardined top executives, himself included, into ten-by ten-foot offices. The moves have paid off: For five of the past seven years, Acxiom was among FORTUNE's 100 best places to work in America. Morgan is two years ahead of the marketplace in using grid-based processing--replacing expensive servers with cheap, interconnected PCs to dramatically drive down costs and improve processing speeds. He's also critical of the government's anti-terror infrastructure. While the two-year-old Patriot Act sanctions the sharing of data between the government and private parties, Congress only recently approved the FBI's expanded power to demand records from securities and car dealers, travel agencies, and currency exchanges. But operators of ships, trains, and planes still don't have the ability or authority to verify a simple driver's license. "Homeland Security has done a poor job of doing just about anything," Morgan says.
When America was attacked on 9/11, Acxiom was in a unique position to help. Shortly after the FBI released the names of the 19 hijackers on Sept. 14, Acxiom located 11 of them in its databases. "Call the FBI," suggested company director Mack McLarty, former chief of staff in Bill Clinton's White House. By day's end, subpoena in hand, a team of FBI agents had moved into Acxiom's headquarters. "Isn't there something you guys can be doing to help?" former President Clinton, a friend of Acxiom counsel Jones's, asked in a call to the company a few days later. "We are," said Jones.
Clinton visited the company's Little Rock offices on Oct. 5, 2001, and phoned Attorney General John Ashcroft to encourage him to use Acxiom for passenger ID verification. Clark, too, was impressed when he was given a demonstration. "This is very powerful data--absolutely what the government needs to be aware of," Clark said at the time. Clark, who had declined to join Acxiom's board a year earlier, started working as a consultant and lobbyist. He joined the board in December 2001 and, according to Acxiom, was paid $460,000 in fees by the company. (Clark refused to talk to FORTUNE about his activities on behalf of Acxiom.)
Morgan was dumbfounded, he recalls, when the FBI arrived at Acxiom. "Their technology was unbelievably bad," he recalls, "and the international terror experts were computer illiterate." For one thing, the agents were toting laptops with Intel 286 processors--slow, low-memory computers that went out with the 1980s. "I thought, 'This has to be a joke,' " he says.
The FBI-Acxiom collaboration lasted for months. Morgan won't provide details, but he says current and former addresses helped identify housemates of the hijackers, as well as suspects with whom they may have been in contact. "We were always paranoid about people looking at the data in that way--as an investigative tool," says Morgan, who wrote much of the software code for the FBI. "It was a slow-going, laborious discovery process, with some amazing moments."
Acxiom's work led to "deportations and indictments," says an executive, as well as thank-you calls from Ashcroft and FBI boss Robert Mueller. In one case, Morgan says, Acxiom was enlisted after the capture in Texas of two Muslim immigrants with expired visas who had boarded planes on 9/11 with box cutters. The two were never linked to the hijackings, but Acxiom's data helped convict them of involvement in the sale of fraudulent credit cards, which led to their deportation.
Meanwhile, Clark began opening doors in Washington, looking to convert the good will toward Acxiom into business opportunities. He arranged and attended meetings at the CIA, Treasury, the State Department, and the Pentagon. By all accounts, officials from Paul O'Neill to John Poindexter were impressed, as was Health and Human Services Secretary Tommy Thompson, who met with Clark in October 2002 and agreed to initiate a test using Acxiom data to help reduce fraud. Beyond tracking terrorists, connecting the government's disparate and archaic databases can help drive down identity theft, the nation's fastest-growing crime. In one test, Acxiom found more than 100 people using the same Social Security number.
Morgan recalls joining Clark for a meeting at the Pentagon, where they made their way to the front of a long security line. As soon as guards spotted the retired general, they whisked the two inside under armed escort. "A lot of the headway we have made lies in the access that General Clark has provided," states a memo from Morgan in 2002. "Here's the approach he takes to helping position Acxiom: 'IT has a role to play because we'll never be safe enough if we try to build walls and conduct searches and screenings. We have to really know who our neighbors are and what their interests are.' "
The highest-ranking official Clark and Morgan visited was Vice President Dick Cheney. Clark led the July 2002 presentation, which laid out the firm's capabilities in a 40-page white paper that cited the example of American Airlines hijacker Waleed Alsheri--Acxiom consumer No. 254-04907-10006. Cheney was "very positive," recalls former Arkansas Senator Tim Hutchinson, who arranged the meeting. "He said he would 'ring the bell'--as he put it--and try and let people know about it."
One of Acxiom's biggest cheerleaders was Hillary Clinton. According to Morgan, Clinton expressed support for a system that would gather detailed data on every passenger during the ticketing process. After a visit with Clinton in November 2001, Morgan reported to his staff: "It was very gratifying when the president of one of Lockheed Martin's companies approached Jerry [Jones] and me after one meeting and said she had heard from Senator Clinton that Acxiom was a company she really needed to get to know." Clark also played a significant role with Lockheed, and in February 2003, when the TSA named the company as its prime contractor on CAPPS II, Acxiom got a key subcontract.
Just when things were looking up for Acxiom's government business--which accounts for less than 1% of the company's annual revenue--the wheels came off. Hutchinson says the company got "bogged down" in federal bureaucracy. Others at Acxiom wonder if politics might have been at play. Certainly Clark's harsh attacks on the Bush administration throughout 2003 didn't help. Nor have Clark's post-Acxiom diatribes against the two-year-old Patriot Act, which sanctions the sharing of data between government and the private sector.
And the timing of the computer hacks couldn't have been worse, occurring just as Acxiom's key government projects were coming under fire. In September the Senate wiped out funding for the Terrorism Information Awareness project (TIA), a global surveillance database launched in January 2002 by DARPA, the Pentagon's advanced research agency. Clark had gotten Acxiom in the door. But before it could land a contract, the project was shut down--and its director, John Poindexter, forced out--when a TIA subcontractor posted information on its website about a proposed futures market in terrorism and assassination.
Jones, Acxiom's lawyer, says killing TIA was an overreaction. For one thing, it was purely a research project using artificial data, not a mandate to build and implement a product. "You can't create a system on the fly to make it useful," Jones says. "You must at least build the infrastructure and have things running in the background." A public debate in advance would have been better, he adds: "Starting the debate afterward, the outcome is certain."
Acxiom was also caught in the blowback over CAPPS II. Last February, Torch Concepts, a Pentagon subcontractor, included the real Social Security number of a passenger in a PowerPoint presentation to a trade group. The information came from Acxiom, which had been asked by one of its customers, JetBlue, to provide detailed information on two million passengers to Torch for an Army study. A privacy activist eventually found out about the breach and posted the Social Security number on the Internet. In September, Congress blocked funding for implementing CAPPS II until the GAO issues a report on privacy concerns, which is expected this month.
Today the situation is as complicated as the hunt for terrorists. The Federal Trade Commission is examining Acxiom's role, JetBlue is fending off class-action lawsuits, and one of Clark's former campaign rivals, Senator Joseph Lieberman, has requested that the Secretary of Defense investigate whether the Army violated the Privacy Act by not informing JetBlue's passengers. "There wouldn't be politics in that, now would there?" asks Morgan about the Lieberman effort. Adds Jennifer Barrett, Acxiom's chief privacy officer: "We're not having a thoughtful and deliberative debate. Shut down the funding and you don't fix the problem."
The lack of encryption was a colossal oversight. "So often the thing you don't think about comes and bites you," says Morgan. "Most of our customers didn't want to go through the trouble of encryption." Yet that seems reckless at a time when the credit card industry is under siege by hackers and identity thieves. "The losses [to business] are in the billions," Morgan says. Acxiom maintains that its two breaches were the only ones in its history. How can the company be sure? Baas was nailed almost by accident, after investigators examined the computer of another hacker they were probing. And he had taken up residence inside their server for two years.
If Acxiom expects to hold itself up as the gold standard for technology linking and processing, Morgan has to seal his own leaky roof. Investigators say Baas offered Acxiom's data to other hackers if they would help him organize the information into his own database. Luckily he found no takers. "Large corporations need to realize that they are the trustees of the personal information of millions of Americans," says Robert Behlen, a federal prosecutor in the Baas case. "Had the defendant chosen to post the stolen information on the Internet or used it to open credit card accounts, the amount of damage would have been significantly higher."
Last June, in an appearance before the FTC, Morgan said that Acxiom conducted "risk assessments and regular audits on all internal and external information systems to ensure the integrity of client data and Acxiom data." And Morgan's clients have for years performed their own security audits of Acxiom's network, testing it for penetration weaknesses. But the file transfer protocol (FTP) server penetrated in both computer hacks had miserable protection.
Think of an FTP server as an electronic mailbox sitting outside the firewall--a landing spot used by customers and vendors to send and receive files. Baas used a password issued to his employer, an Acxiom vendor, to access the server. From there he managed to crack hundreds of passwords, including one that acted like a master key to the internal systems, letting him scoop up unencrypted data on millions of consumers. "Once you're in the family, so to speak, we're probably more trusting and not as careful as we probably should be," explains Morgan. "We must change that."
In October, Acxiom told securities analysts that new projects and contracts were largely on hold as the firm scrambled to improve its security. It put a SWAT team in place, hired two independent auditing firms, and bought third-party tools to detect intrusions. The company also changed its access and password procedures, and is rapidly moving toward full and automated encryption. Jones held a conference call with 100 general counsels of the affected companies, while other firms flew to Arkansas to see for themselves what had happened. But publicly Acxiom has tried to play down the breaches. "I think this was a much bigger deal than the company let on to investors," says analyst Brad Eichler, who follows Acxiom for Stephens, the Little Rock investment bank that took Acxiom public. "They spent a lot of time that quarter patching things up with customers who were really ticked off."
Acxiom executives say the breaches haven't resulted in any customer defections. Nor have they affected the company's stock price, which recently hit a 52-week high of $19.32.
The larger question is whether the hacking incidents and the concerns about privacy will derail efforts to create a linked infrastructure of databases to help in the war on terrorism. In the debate between privacy and national security, Congress should not lose sight of its own joint congressional inquiry into 9/11, which concluded that law enforcement was unable to connect the dots before the attacks because technology "has not been fully and most effectively applied" in terror prevention. The hijackers followed patterns that could have been detected: purchasing tickets with cash, sharing residences and post office boxes, even using the same frequent-flier number. One terrorist had an expired visa. Another went to a travel agent to buy his ticket, only to discover that his debit card had insufficient funds. He paid in cash and offered a fake Virginia driver's license for ID. Asked for a telephone number, he gave one that was disconnected and had never been his. Acxiom's database could have provided real-time data to connect those dots.