WWW- Online payment company iBill on Thursday said a massive cache of stolen consumer data uncovered by security experts did not come from its database.
“I’m the first person that would have taken this to the FBI and the first person to have gone on 60 Minutes to say ‘we screwed up,’ if that were the case,” said iBill President Gary Spaniak Jr.
Two caches of stolen data were discovered separately by two security companies while conducting routine research into malicious software online. Both had file names that purportedly linked them to iBill.
Southern California-based Secure Science Corporation found the first data file containing records on 17 million individuals on a private website set up by scammers. The site was part of a so-called “phishing” scheme, in which a spamming fraudster poses as a bank or online retailer in an attempt to con consumers out of identification and financial information.
Secure Science found that data in February 2005, and reported it to the FBI’s Miami field office, the company says. An additional list of slightly over 1 million individual entries was uncovered on a spamming website by Sunbelt Software last month, where it was labeled Ibill_1m.txt. That list appeared to date from 2003.
The databases, examined by Wired News, include names, phone numbers, addresses, e-mail addresses and internet IP addresses of customers making online purchases. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included.
But Spaniak says iBill cross referenced the 17 million transaction database against its own on Wednesday, and that only three e-mail addresses matched between the two.
Additionally, some entries in the stolen databases were identified as purchases on Diner’s Club cards, which iBill says it has never accepted in its nine year history. Spaniak says iBill recently passed a security audit that found its databases well secured.
SunBelt Software couldn’t immediately be reached for comment Thursday. But Secure Science’s Lance James backed away from his conclusion that iBill, which processes most of its transactions on behalf of adult services, was the source of the leak. He says pornography transaction databases may be considered especially desirable to spammers, and that a criminal may have deliberately mislabeled a database taken from another source “This might be part of a new hacker establishing their reputation,” says James. “They could say, ‘I hacked iBill.'”
Wired News found that entries from the smaller cache of one million consumers are listed as mortgage leads on a spammer community site, specialham.com. A Google search turns up scores of offers on specialham.com for purported iBill databases, one of them advertising “20mill ibill list w/Full data from 2003” for $300. But in one message, a spammer slams an underground vendor for selling him a fake iBill list.
Other offers on the site purport to sell data from competing internet billing firm CCBill, which says that it isn’t aware of having been breached either.
Spaniak has his own theory on why a data thief might falsely link a database to iBill. He believes it’s an outgrowth of animosity in the adult website community dating from the time when the trouble-plagued company was forced to suspend payments to its webmaster customers.
He says as long as iBill stays in business, it will try to repay those webmasters. “Over $20 million has been paid back, we have plans for paying back another $18 million.”
James says the actual source of the stolen data remains a mystery. An FBI spokeswoman says the bureau wouldn’t investigate the breach unless the source of the leak comes forward to make a complaint.