The former owner of an email marketing company in Boca Raton, Florida will be spending eight years on a forced sabbatical for filching one billion data records from Acxiom, one of the world’s largest managers of personal, financial, and corporate data.

According to the Cincinnati Post, Acxiom handles “14 of the 15 top credit card companies, five of the six biggest retail banks and seven of the top 10 car makers. All share the credit card and other information of their customers with Acxiom.” Other customers include TransUnion and the City of Chicago. In addition, Acxiom maintains nearly 850 terabytes of storage across five football fields’ worth of data centers worldwide, including the US, Europe, China and Australia. Among other things, it processes over a billion US postal records a day.

Acxiom claims it “continually gathers data from thousands of public and private sources,” enabling it to offer the “widest and latest selection of data possible” with “the most informative, accurate and recent demographic, socio-economic and lifestyle data available, at the individual or household level.”

And all that data’s not being collected for posterity. Acxiom offers it to direct marketers, among others, to identify the best prospects. For example, its CPI score, which is updated monthly, tracks an individual’s economic life and “quantifies the size of a specific consumer’s economic footprint, indicating the historical consumer purchasing and relative amount of marketing activity surrounding that individual.”

Chances you aren’t in Acxiom’s system? Darned near zero, if you’re a US denizen. And it does not matter whether you have ever used the Internet, or not.

A database housing the sensitive data for every sentient citizen demands Fort Knox-level security… or at least “local museum” security.

So you may be surprised at how Scott Levine’s heist was exposed.

It started unravelling when a hacker emailed screenshots of restricted portions of Hamilton County, Ohio websites to a freelance writer, John Lasker, ostensibly to demonstrate hacking prowess. Lasker forwarded the message to the Hamilton County telecom director, who in turn forwarded it to the sheriff’s department, where an astute deputy traced the email message’s header to one Jesse Tuttle (a.k.a. “Hackah Jak”) of Camp Dennison, Ohio.

When investigators raided Tuttle’s home in May 2003, his computer told them much more than they expected. In addition to county hacks, cops said they found kiddie porn, along with the transcript of an email chat wherein another hacker, Epitaph, bragged to Hackah Jak that he had access to Cincinnati Bell’s database.

Authorities hit the jackpot when they opened Epitaph’s computer. Upon Epitaph’s guilty plea, feds say Epitaph… er, Daniel Baas… was the systems administrator for a small shop that did business with Acxiom. He was tasked with downloading his company’s files from Acxiom’s FTP server.

Gregory Lockhart, the US Attorney in Charge said, “Baas committed a crime when he exceeded his authorized access, looked for and downloaded an encrypted password file, and ran a password cracking program against the file.”

You think? In addition, the government’s statement of facts avers:

Baas illegally obtained about 300 passwords, including one that acted like a “master key” and allowed him to download files that belonged to other Acxiom customers. The downloaded files contained personal identification information.

Millions of records worth US$1.9 million.

At the time, Caryn Rousseau reported that, while Baas burned CDs full of Acxiom’s data from 10 December 2002 through New Year’s, Acxiom said it had no idea its security had been breached till the sheriff called nearly eight months later. In addition, she writes that a sheriff’s deputy claimed Baas bragged in chat rooms that he had removed databases from Acxiom servers.

During the course of the Baas investigation, technicians stumbled over another illicit data miner… Scott Levine, owner of Snipermail… yet another Acxiom customer with a password.

The feds claimed that Levine cracked Acxiom’s password system so he could filch other people’s data. From January through July 2003, he abused that access, ultimately downloading a billion records with a purported street value of US$7 million. Seems like Levine took up where Baas left off.

Despite all this, you might say Scott Levine is lucky. His original indictment in July 2004 carried 144 counts. But by the time his jury was finished a year later, the US prison system’s latest inductee was found guilty of just 120 counts of unauthorized access of a protected computer, two counts of access device fraud, and one count of obstruction of justice.

We woulda hung him. Instead, Levine got eight years.

And the rest of us are still stuck with Acxiom protecting our privates.