"He legitimately had the password to upload data to the main Acxiom server," Howard said. "And he guessed that this might be the same password for downloading data. He was right. And so he started downloading a large amount of data. He wasn't supposed to do that, and it was an unwise security decision to have the same password for uploading and downloading."
Baas pleaded guilty to "exceeding authorized access," but he apparently didn't do much with the records.
"He didn't execute any fraud with them," prosecutor Robert Behlen told reporters after Baas entered the plea. "He apparently liked to collect information."
Not all these incidents have a pleasant or at least benign ending. Loss of personal records can be a painful and expensive experience, as millions of Americans have learned over the last couple of decades. And hackers, while not the only villains, are part of the problem.
Howard says they get a "bum rap," because institutions are more at fault. Still, his own research shows that when you look at the total amount of lost data, excluding the Acxiom case, "hackers account for the largest volume of compromised records, some 45 percent."
Better management of private records by corporations and universities would make hackers' skullduggery much more difficult, but more needs to be done. Although some states have enacted laws that force companies to notify people when their data have been exposed, each such law applies only to residents of the state that enacted it.
A California company, for instance, is not required to tell a man who lives in Florida that his records have been compromised in California.
"I think this is the next logical place for federal oversight," Howard said. "It works well in quite a few states, and it makes sense to make it comprehensive for the nation."
Perhaps the financial world could learn something from the medical world. Medical records are subject to very strict controls, for obvious reasons.
"We found 589 incidents over 26 years, and only a handful involved medical records," Howard said. "That's because the legislation in the medical domain is pretty strong. It punishes people who don't treat the data properly."
He also thinks it's time to refocus the responsibility for protecting personal data.
"We tend to focus the responsibility for doing something about this on individuals," he said. "It's up to you to check your credit history and make sure there are no mistakes. It's up to you to protect your passwords and make sure nobody is looking over your shoulder. But it turns out that most of the compromised records come from organizations and you don't have a lot of control over the data about you. That's where I think we should be looking."
It doesn't do much good to follow your own strict security rules if someone else leaves a laptop containing your financial records on the backseat of a car that is subsequently stolen, as happened in one recent case.
Howard and Erickson, who published their findings in the current issue of the Journal of Computer-Mediated Communication, relied on news media accounts for their research, so there is some margin for error: no central clearinghouse collects reports of compromised data. They say their findings are probably conservative, so the situation could be even worse.
At the very least, even if we throw all the hackers in prison, this problem is not going to be solved until corporations and universities get really serious about protecting sensitive information.