Consumers Data Stolen from LexisNexis

LE UI Guy writes "Reuters is currently running a story regarding LexisNexis being tapped into by identity thieves who accessed up to 32,000 customer profiles. Information hit included names, addresses, Social Security and driver's license numbers. This comes on the heels of rival ChoicePoint being breached for 145,000 profiles last month in a similar case. Better check yourself." Update: 03/10 02:40 GMT by J : ChoicePoint's name corrected (and, it may be more than 145,000, they don't know).

ChoicePoint =! CheckPoint

[DA-MAN]

Jesus! I've seen this mistake on the national news and now on slashdot. I thought the geeks would realize there is a difference.

Let me make it clear, CheckPoint makes security software, rfid badges and firewalls. They are not the ones who sell all of your information to credit card companies. CheckPoint has no info that you didn't give them. ChoicePoint is the one that fucked up!!!

Re:ChoicePoint =! CheckPoint

[reality-bytes]

I'd bet this is the sort of advertising they'd rather not have.

Surely this would (rightly) file under "false allegation"?

Clearly the links haven't been followed by the editors.

Re:ChoicePoint =! CheckPoint

[Flendon]

Checkpoint was protecting Choicepoint's systems, I guess the management did a bad choice going with a weak firewall protection like checkpoint after all, now they pay the price. Rumors are going on in our company that we're going to move away from Checkpoint for the same reasons.

ChoicePoint was not hacked. It was purely social engineering. The criminals were granted access because ChoicePoint didn't bother checking if the real estate license (or the name on it) they were shown was real. At least in this case it wouldn't have mattered if they had no firewall.

Re:ChoicePoint =! CheckPoint

[akalat]

For the record, they don't make rfid tags, that's a different company found at www.checkpointsystems.com. They are often confused with Check Point Software though.

Re:ChoicePoint =! CheckPoint

You are absolutely right. Checkpoint is the company that sells defective firewalls based on Linux, and won't give you a patch unless you buy a support contract. They also won't give you a refund for a defective product.

Oh yeah. You have to be running Windows to do any administration of the firewall.

I'm quite glad they are getting mistaken.

Dear Checkpoint,

You sent us a non-functional firewall last year, and wouldn't help us make it work. When our support contract kicked in you told us it was a problem on your end, and we needed to download a patch. Everything worked after that.

Please note that I've told my company all about this, and I'll make sure that our company of over 100,000 never buys a product from you again. Fuck you and your useless crap.

Sorry for the rant, but Checkpoint deserves it for shipping out defective software.

PS - Mod this up if you don't like Linux being used to make money for a company that won't even back up their own modifications.

Checkpoint?

Checkpoint ( www.checkpoint.com ) makes firewall software. THEY HAD NO CUSTOMER INFROMATION STOLEN. please update the story and make sure the facts are correct - its pretty freaking rude to say a company lost data, especially an innocent company.

Choicepoint lost the data. not Checkpoint.

Re:Windows Servers

[odin53]

The article says that the data stolen was collected by Seisent, which is a company that LexisNexis/Reed Elsevier acquired recently. Because of this, I doubt that looking up the netcraft report for www.lexisnexis.com will tell you much about where that data is stored.

If you look up Seisint, you'll see Linux/Solaris servers.

Rivals?

[psaindon]

I'm not sure how the two are really comparable as rivals. LexisNexis (along with their rival in the legal profession, http://www.westlaw.com/ ) Provide excellent (as well as very expensive with searches running at over $70 per minute) coverage of court cases, codes, laws, public records, etc, which are all immensely helpful to legal types. Sure they have public records containing some personal information, but very little that isn't already available as public information (so things such as deeds, criminal records, voter registrations, etc), and it's definately not their primary focus in life.

Re:Information Wants to Be Free :P

These corporations are destroying the value of our essential property: our identities. They demand we give our personal info, without enforcing our copyrights to prevent its being disseminated, then let it get stolen by people who will use it to damage us. When someone rips me off with some personal info they stole from some negligent data warehouse,

Your personal data, which are considered "facts", have no copyright and are not eligible for such. Collections of facts, however, are copyrightable. In one of the classic cases, Harper & Row, Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 556 (1985), the courts ruled that "No author may copyright facts or ideas. The copyright is limited to those aspects of the work -- termed 'expression' -- that display the stamp of the author's originality". However, compilations of facts, such as databases, were expressly mentioned in the Copyright Act of 1909, and again in the Copyright Act of 1976, and as such were copyrightable, even though they are nothing more than collections of facts, due to the "sweat of the brow" theory that the work sustained in creating the compilation justified its copyright.

However, this changed when the US Supreme Court clarified the matter, in FEIST PUBLICATIONS, INC. v. RURAL TELEPHONE SERVICE CO., 499 U.S. 340 (1991), that copyright requires originality, that facts are never original, that the copyright in a compilation does not extend to the facts it contains, and that a compilation is copyrightable only to the extent that it features an original selection, coordination, or arrangement.

However, IANAL, so take this with a pound of salt.

DSW Shoe Warehouse - Stolen CC Data

DSW's parent company, Retail Ventures, just issued the warning that thieves may have stolen credit card information for thousands of customers by hacking into the company's corporate database.

It only affects credit card customers who used their cards the past three months at more than 100 stores nationwide. There are at least eight locations in North Texas.

http://www.msnbc.msn.com/id/7137966/

Re:data mining

[eight08]

oops.. http://www.turbulence.org/Works/swipe/request.html

Re:Westlaw

Funny you mention them. In our firm, the two compete equally. Every time one of the two upgrade our site, the other follows shortly after. We are now up to a dedicated T1 each for both of them. They do everything, supply the router, install the lines, and pay for them including service. They have even installed dedicated printers in our library facility. All we do is provide a port on the PIX and modify the routes to direct the traffic to each of them. When they notice the router or the pipe going down, they call us within minutes. We have more bandwidth available to each of Westlaw and Lexis for our ~300 users then we have for overall internet access.

Re:How long it will take ..

[WhatAmIDoingHere]

"No entry found for whome."

from dictionary.com

"whom
pron.

The objective case of who."

Also, the word "whom" is pretty much only used by people who want to sound smarter.

Re:Windows Servers

WinNT for sure...

[joeuser@mybox ~]$ nmap -P0 www.lexisnexis.com.sg

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-03-09 22:03 EST
Interesting ports on 203.115.247.182:
(The 1655 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
443/tcp open https
1352/tcp closed lotusnotes
4444/tcp closed krb524

Re:*Not* Customer Profiles

[anagama]

I had lexis for a while. now westlaw, but for the lexis service, I have no recollection of giving them my SS#. We had to give firm name, lawyers who would use it, credit card unless we wanted to pay by check. But SS# ... not that. Aside from a credit card number, everything they got on me is already in the phone book. The problem here is with their subsidiary which is trying to collect information without people's assent. The subsidiary should be sued to hell by anyone who is affected. The irony would be if the plaintiffs' lawyers did their research on Lexis. *wild cackling*

Re:Information Wants to Be Free :P

[1ucius]

Copyright simply does not protect facts, only expression, so no luck there. Trade secrets are probably out b/c you freely gave up the info. Probably have a plain old negligence suit, though, if you can show you were damaged.

Re:How long it will take ..

[langelgjm]

From the Oxford English Dictionary:

"whom, pron.

Forms: [snip] 4-7 whome [snip]

1551 TURNER Herbal I. Kv, We haue no herbe in Englande that I knowe to whome all thes hole descriptions do agre."

From the same page:

"The objective case of WHO: no longer current in natural colloquial speech."

So while he might've been able to get away with 'to whome' 450 years ago, I don't ever recall 'worth' being a verb (at least not with his intended meaning). As a whole, the grammar (or lack thereof) of that post is fascinating. I hope he is not a native speaker.

Re:Social Security numbers?

[AtomicDog]

A company that does, and that refuses to do business with you if you refuse to give them your SSN is in violation of federal law.

Which federal law? I couldn't find anything about that from the SSA's website, but I did find this page:

When am I legally required to provide my Social Security number?:

"If a business or other enterprise asks you for your SSN, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means."

Also, your SSN is required for more than just tax purposes, as you claimed:

"Specific laws require a person to provide his/her SSN for certain purposes. While we cannot give you a comprehensive list of all situations where an SSN might be required or requested, an SSN is required/requested by:

• Internal Revenue Service for tax returns and federal loans
  
• Employers for wage and tax reporting purposes
  
• States for the school lunch program
  
• Banks for monetary transactions
  
• Veterans Administration as a hospital admission number
  
• Department of Labor for workers compensation
  
• Department of Education for Student Loans
  
• States to administer any tax, general public assistance, motor vehicle or drivers license law within its jurisdiction
  
• States for child support enforcement
  
• States for commercial drivers licenses
  
• States for Food Stamps
  
• States for Medicaid
  
• States for Unemployment Compensation
  
• States for Temporary Assistance to Needy Families
  
• U.S. Treasury for U.S. Savings Bonds"

The Privacy Act regulates the use of SSNs by government agencies. When a Federal, State, or local government agency asks an individual to disclose his or her Social Security number, the Privacy Act requires the agency to inform the person of the following: the statutory or other authority for requesting the information; whether disclosure is mandatory or voluntary; what uses will be made of the information; and the consequences, if any, of failure to provide the information.

(from the same page linked to above)

Finally, to the grandparent: yes, you can get a new SSN number assigned to you. Here's how:

How can I get a different Social Security number assigned to me?

Re:the law is...

These companies will not have any information on you as long as you do not have a job, own a home, rent an apartment, or have credit of any kind (car loans, credit cards, whatever). If any of the above apply to you, then you are in their database. I do agree that we need to protect our information, but unless you live in a shack in the mountains and have no contact with society, you have very little control over your information.