Man tricks WESTLAW employee into disclosing password of City Attorneys
Incident Date: 1998 (or prior)
Incident Location: San Diego CA USA
An unusually large bill for WESTLAW led a law librarian to track down a criminal who had illegally obtained the City Attorney’s password for the service. The bill drew scrutiny from Mary Lynn Hyde, a law librarian for the City Attorney of San Diego, California, when she noticed the City Attorney had made extensive use of the service for the first time. An inquiry to his office let Mrs. Hyde know that he wasn’t responsible for running up approximately $3,000 in service usage fees.
So, Mrs. Hyde contacted WESTLAW to request a password change for the City Attorney’s account. Since she also knew the charges weren’t associated with legitimate use, she asked WESTLAW to remove them from the bill. WESTLAW refused on the grounds that it was the customer’s responsibility to protect account login credentials. WESTLAW’s policy was to provide account passwords only to authorized contacts, such as Mrs. Hyde, and the company believed it had followed this policy for the City Attorney of San Diego.
Mrs. Hyde’s search for the perpetrator might have ended here had it not been for her recent communications with another librarian, Saw Ch’ng, who worked at the San Diego County Law Library. Mrs. Ch’ng had noticed an unknown man making extensive use of a WESTLAW terminal in her library. His appearance apparently didn’t resemble that of a typical law student or attorney, so Mrs. Ch’ng decided to cautiously probe the man for information.
Upon approaching his terminal, she saw that he was accessing the WESTLAW public records database. The man claimed that he was with the City Attorney’s office, but Mrs. Ch’ng was skeptical. She telephoned Mrs. Hyde and asked her to come to the San Diego County library and identify the man. Upon seeing the man, Mrs. Hyde confirmed that he was not an employee and had misled Mrs. Ch’ng. But neither woman felt she could do anything else at the time to determine either the man’s true identity or his motive for lying.
Mrs. Hyde’s large WESTLAW bill brought the man’s actions back to her attention. She felt confident that the two events were related, so she told the San Diego library to keep an eye out for him and to contact law enforcement officials when he returned. He did show up at the library but left within a few minutes after finding that he could no longer log into the system with the City Attorney’s password.
However, the criminal was back at the library terminal within 24 hours using the City Attorney’s account again. Police were able to respond in time to detain and hold the man for questioning. During the interrogation he revealed he had been selling personal information from the WESTLAW public records database for $150 per name.
The speed at which the man had used the account also alerted Mrs. Hyde that he wasn’t obtaining the password through her organization. She was the only one with knowledge of the new account password and hadn’t shared it with anyone. The criminal confessed that he had tricked a WESTLAW employee into giving him passwords for both the San Diego City Attorney’s account and the National City, California, City Attorney’s account. He had posed as the city attorney and convinced the employee to disclose the password directly to him instead of following WESTLAW’s policy of disclosing passwords only to authorized contacts. The password and service theft had yet to be noticed by the National City office.
With this evidence, Mrs. Hyde was able to convince WESTLAW to remove the unauthorized charges associated with the fraudulent account use. In a related notice, WESTLAW reiterated its commitment to maintaining a secure online system for users and following its existing password security policies.
Title: Database Password Theft: A Lesson on Monitoring Billing & Preventing Loss
Author: Nanna K. Frye
Publication: Law Library Resource Xchange
Publication Location: San Diego CA USA
Publication URL: http://www.llrx.com/features/password.htm