Editor’s Note: Since this article was originally published on YNOT last week, Wired News, the source of this story, has issued the following message in relation to their story: “Since publication of this article, iBill has spoken with Wired News. The company now says that the purportedly stolen database did not originate with iBill, and only three of the more than 17 million entries match past iBill customers. Asked to respond, Secure Science says it no longer believes that iBill was the source of the data.” For more information, see this follow-up story.
CYBERSPACE — According to Wired News, the personal information of millions of iBill’s electronic payment customers is in the hands of black market spammers and fraud experts due to a database security invasion.After having the opportunity to pore through the information, Wired News reports that although it does not include credit card numbers, it does include enough delicate data to be of serious concerns for the almost 18 million people whose transactions occurred between 1998 and 2003 – years during which iBill enjoyed some of its greatest professional success.
Wired News states that personal and professional names; phone numbers; home, email, and IP addresses are unquestionably circulating, and passwords, usernames, credit card types, and purchase totals also are likely included in the information making its way through the underground economy.
As Wired News explains it, iBill, which did not return email or telephone inquiries from the online publication, discovered that it had experienced the loss of two caches of customer data after two different security companies conducted routine searches for information about malicious software
Secure Science Corporation found the first data file in February of 2005 on a private website dedicated to phishing. The file contained records on 17 million individuals, all of whom had their information lifted after scammers had fraudulently presented themselves as retailers or bank professionals. The company reported the find to the FBI’s Miami field office.
Then last month, a second list, possessing more than one million entries, labeled “Ibill_1.txt,” and appearing to contain information dated from 2003 was uncovered by Sunbelt Software while visiting a spamming site.
The news can’t be welcome to iBill, a credit card processor for adult websites that experienced great popularity during the first few years of the new millennium. In 2002, approximately $400 million in credit card transactions were being processed per year, with 15-percent of that going into the five-year-old company’s coffers. Todd Dugas, a Wired News source, reports that 85-percent of that money came from the adult industry.
Dark days fell upon iBill in 2002, when Atlanta-based InterCept purchased the company for $120 million and immediately began experiencing difficulties.
Complicated new Visa requirements drove up the cost of processing adult web purchases and, according to the source, a former inside sales representative for the company, “accounts dropped like flies.” MasterCard’s decision to levy $5.85 million in fines against iBill for what the card company viewed as unacceptably high charge backs, didn’t help matters, although InterCept was able to recoup most of the fine from the company’s previous owners.
iBill’s woes didn’t end there, however. In September of 2004, the company lost its contract with First Data, its upstream credit-card processor. The processor had become nervous about working with adult companies, leaving webmasters waiting months for payments while First Data sat on the money, safely squirreled away in escrow. As Wired News explains it, morale within the once-thriving company dropped dramatically.
Although there’s no knowing for certain what, aside from spamming, has been done with the information that was lifted from iBill’s computers, security experts speculate about what could have led to its theft. Wired News states that Lance James, an employee of Secure Science, and Adam Thomas of Sunbelt Software, suspect that company ills opened iBill to sabotage from within, especially since the files appear to have had their origin in an SQL database and then were converted to CSV format, which is generally too sophisticated a move for hack attacks depending upon stealth and speed. Additionally, the 4.5 gigabyte file transfer would have been exceptionally difficult to hide.
Ironically, the theft itself remained unknown to those whose information was lifted – until Wired News contacted some of them. Because Social Security, credit card, and driver’s license numbers were not included in the stolen identity information, neither iBill nor the companies they worked with are required by law to alert the public.
iBill was purchased in January of 2005 by Interactive Brand Development for $23.5 million, a company whose recent over-the-counter stock price was eight cents per share.
