(This story was updated to clarify U.S. Justice Department policies on notification of victims of data breach crimes.)
Fired by his employer, Ethan Fey had an ace up his sleeve.
Before he was canned, he copied the birthdates and social security numbers of thousands of customers. A year later, he sent an anonymous email to his former bosses threatening to sell the personal information on the black market unless he was paid 50 bitcoins – worth about $150,000 then; about $1.3 million now.
Confronted by the FBI, Fey, 37, of Louisville, confessed. Last week he was sentenced to 15 months in prison for extortion – attempting to extract money by “the wrongful use of fear.”
But you can't find the name of Fey's old company in the indictment or any other court papers. The corporate victim is not identified in legal papers, and it didn't make a public announcement about the breach.
Through Fey’s LinkedIn account and other sources, Courier Journal identified his employer as United Tote, a Louisville-based subsidiary of Churchill Downs Inc., which fired him as a senior operator in June 2016.
Stephanie Collins, a spokeswoman for the U.S. attorney’s office in Louisville, said “corporations, like all victims under the Crime Victims’ Rights Act, have a right to be treated with dignity and privacy” and her office asks corporate victims if they are willing to be identified.
John Asher, a Churchill Downs Inc. spokesman, confirmed Fey worked for United Tote. He said the company had promptly reported the extortion threat and worked closely with federal law enforcement officials.
“We can assure our customers that no personal information of any kind has been publicly disclosed or misused,” Asher said.
Collins said customers weren't notified because investigators determined that Fey had not distributed the information to unauthorized individuals and no one suffered a financial loss.
Albert Gidari, director of privacy at Stanford University’s Center for Internet and Society, said a company that has suffered a breach has a duty to notify affected customers even though no further compromise occurred, because “with a criminal like this, there is no way to be certain of that.”
The breach at United Tote, whose systems for pari-mutuel wagering are used at racetracks worldwide and process more than $5 billion annually, is the third in six years at Churchill Downs' subsidiaries, according to the Privacy Rights Clearinghouse and news accounts.
In 2012, a hacker accessed the names, email addresses, dates of birth and encrypted social security numbers of customers of TwinSpires, the Churchill Downs global online wagering site.
The company announced that breach but said only that fewer than 20 percent of customers had information compromised, without disclosing the total number of customers. But a corporate lawyer told the attorney general of New Hampshire, which has strict breach reporting requirements, that 370 customers in that state were affected. If a proportionate number of players in other states were involved, about 90,000 people were affected.
In 2015, Churchill Downs’ newly acquired Big Fish Games, a mobile and online gaming company, alerted customers that payment information was stolen by “an unknown criminal” using malware on its site, Insider Louisville reported.
Big Fish wouldn’t disclose how many customers were affected but said it alerted law enforcement and offered gamblers one year of free credit monitoring.
Churchill Downs Inc. warns investors in annual reports that it is subject to “online security risk” and that breaches could cause current or potential customers to believe “our systems are unreliable, leading them to switch to our competitors or to avoid our site, and could permanently harm our reputation and brand.”
In federal courts, prosecutors routinely identify crime victims by their initials, although it is rare for the names of corporate victims to be redacted.
For example, news releases about the most recent half-dozen embezzlement cases prosecuted by the U.S. attorney’s office for the Western District of Kentucky identify victim companies. The office didn’t issue a news release on Fey’s prosecution, however.
The U.S. attorney’s manual says that in all public filings and proceedings, federal prosecutors “should remain sensitive to the privacy and reputational interests” of what it calls “uncharged third parties” and not identify them absent “significant justification.” The manual also says that victims may be companies or corporations.
Collins said the government does not always identify corporate data theft victims “to encourage business to report crimes that they may not be required by law to report.”
Former federal prosecutors differ on whether the identities of corporate crime victims should be shielded:
Brian Butler said if disclosure could harm their business, named companies would be “revictimized.”
Kent Wicker said companies may have a duty to disclose crimes committed against them to shareholders, customers or the public, but they – not prosecutors – are in the best position to decide.
But Scott C. Cox said that he believes the public has a right to know when public companies are the targets of crimes, and that their identities should be included in court records.