Slashdot Mirror
Consumers Data Stolen from LexisNexis
LE UI Guy writes "Reuters is currently running a story regarding LexisNexis being tapped into by identity thieves who accessed up to 32,000 customer profiles. Information hit included names, addresses, Social Security and driver's license numbers. This comes on the heels of rival ChoicePoint being breached for 145,000 profiles last month in a similar case. Better check yourself." Update: 03/10 02:40 GMT by J : ChoicePoint's name corrected (and, it may be more than 145,000, they don't know).
Make the CEO, CTO and Customer Support manager provide their own personal information in their own databases.
Check yourself? What does that mean? Check that you haven't been stolen? What if you haven't - what can you do to stop it from happening after you check?
These corporations are destroying the value of our essential property: our identities. They demand we give our personal info, without enforcing our copyrights to prevent its being disseminated, then let it get stolen by people who will use it to damage us. When someone rips me off with some personal info they stole from some negligent data warehouse, the warehouse should be liable for my damages, including the work to recover my losses, and the defamation that will inevitably ripple through the endlessly interlinked online infosystems forever. And when compromised, they should pay my identity theft insurance premiums. This free value we deliver to them has a cost when it's abused, and such insecurity abuse is now obviously standard practice.
--
make install -not war
I know only the name of my phone company, for example, but I have no clue who they contract with for data processing or billing or marketing. How can we ever really find out if a security problem at one company affects us? These back-end companies are generally companies that serve niche markets and practically no one has heard of them.
-- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
Microsoft isn't just a software company, they are a culture. The people that are attracted to Microsoft value the appearance of convenience to real utility, and they value the appearance of convenience over real security. In the end they don't get utility, security, or convenience.
-- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
OK, I don't get it. Why are these companies not practicing basic database security? I'm just a lowly programmer but even I realize that sensitive information should be encrypted in the database. Most databases support one way hashes so things like social security numbers can be used to verify identities but stored in non-reversable encryption in the database.
I realize this isn't a complete if your webserver is hacked but at least only thos users who validate their identity then are affected.
For example: Using One-Way Functions to Protect Sensitive Information in SQL Server Databases
It was information on 32,000 (anybody want to bet it was 32,768?) members of the public, not customers. To bad, in a way -- Lexis is used most by lawyers, judges, congresspeople and so on -- had the Lexis customer data been hacked and say all the judges on the 5th Circuit or the Ohio congressional delegation had their identities stolen as a result, you'd probably see reform a whole lot faster.
Sysadmins? Screw that, most of this shit happens with social engineering.
This is getting to be like the Enron/WorldCom type of scandal. Company X coughs up a few thousand files, Company Y coughs up a couple hundred thousand files, Company Z has the fucking barn door wide open and the theives have a battered pickup truck parked on the lawn and they're so damn surprised that it takes place.
So... where's the law that can be leveraged, saying these companies are responsible for keeping this information under lock and key, to hit them with the civil suits they so richly deserve for their laxis maxis business controls?
A feeling of having made the same mistake before: Deja Foobar
They're flippin' evil. I'm sure I'm not the only one out there who's revolted by the fact that private corporations are the only effective sources of legal (read: public domain) data and other such public information. Shouldn't the government offer a LexisNexis-type service for free?
From the Wikipedia entry on Lexis-Nexis; all emphasis mine:
"LexisNexis is a popular searchable archive of content from newspapers, magazines, legal documents and other printed sources. Primary customers are lawyers and journalists.
Besides all current statutes, Lexis contains nearly all published case opinions in the United States back to the 1770s, and all unpublished (but publicly available) case opinions from 1980 onward. It also has full libraries of statutes and case opinions for many other common law jurisdictions like Australia and the United Kingdom.
News stories from the majority of English-language periodicals worldwide are available back to 1986, and there are a few articles available as far back as 1980.
Lexis has a library of public records, which includes current mailing addresses for nearly every living person in the United States. It has real property deeds and mortgages for most states.
A fee is charged for using the service. The fee was formerly hourly (at $300/hour or higher) but LexisNexis now prefers to negotiate monthly flat fees based on the user's ability to pay."
("Based on the user's ability to pay"? I wonder how they'd respond if I said "I barely can afford to pay my bills, much less offer you money for access to public domain data...")
With spending like this, exactly what are "conservatives" conserving?
In Westlaw it's called "People Search." Type in a name and some other information, such as what state the person lives in and Westlaw will give you the persons current address, past addresses, social security number, phone numbers, what elections they voted in, pretty much everything. I had a chance to play around with it about a month ago and was able to find all of the above information about myself. I was pretty blown away. You could even find the above info on Congressman and other high ranking government officals.
The problem is that a lot of information that you think is private it not and its already inside a computer somewhere. For instance if you have a listed phone number, your name, phone number, and address is inside a computer, thus it just takes a simple SQL query to retieve all of your past addresses and phone numbers. And of course since you chose to have a listed phone number all of that information is public. It just was a matter of time until Lexis and Westlaw linked all the databases. They are very good at that type of thing. The only way I see to truly protect your identity is to have a really common name.I liked "databese" more. I guess that would be a very fat database, which makes sense since it would have to be very large to have everyone's data.
...people willingly give away their personal property, their data, their "IP", then these other companies own it. If people just insisted that THEIR data was THEIR property and took care of it with that sort of mindset backed op with some rational laws, then this wouldn't happen, and these companies with the data warehouses wouldn't even exist like they do now.
.0001% people ever even tried one time to keep their data to themselves and to insist to government that this should be so. They never gave a care, to busy with entertainments or whatever to even lift a phone to make a call to a congress critter, or to say NO to some company "asking" for data they don't need really for a business transaction. Mass conditioning that it's socially cool to get ripped off. Shazzam, the world is full of thieves, maybe more people will stop and think about who they give their property to and why they give it away for what purposes now. Maybe it's a better idea to just retain ownership? One law would do it, too, your data is yours, it shouldn't be necessary to transfer ownership of your data just to do business someplace.
Most people don't think that way, but people who start corporations DO think that way, they recognize valuable property when they see it, and make billions off of millions of people voluntarily giving away their property to them.
If it wasn't stolen from you directly, it's sure not your property anymore. If you donate your old TV to the thriftstore and they get broken into and that TV is stolen, well, "your" TV didn't get stolen, their TV got stolen. If you want to own and keep possession of your TV, well, don't give it away in the first place then. Simple concept, just apply it to your data. It's similar enough for conversational purposes anyway. "IP" ownership is bigtime in business, there's zero reason everyone's personal data "IP" shouldn't be theirs in total.
So people can't really say "their" stuff got stolen, some big companies stuff got stolen, they gave up their rights to full and complete ownership a long time ago. they already got "social engineered" out of ownership, just they don't realise it, or just don't care enough to think it through. Now that same data property down the pike got social engineered again, oh well, guess the original owner didn't care enough to hang on to it.
but, but..we can't live in society without giving our property away! Yep, that's the point, much less than
yea, how? Just because it's running IIS 5 doesn't mean it has 14 holes automatically. I would imagine it's either A. Unpatched or B. Holes in LexusNexus software. C. Social engineering.
However, I don't think the comparison with giving away a TV is accurate. One's name, address, phone number, social security number, drivers license number, etc., are attributes that are retained by the one who owns them. This information is simply provided under various circumstances. The fallacy here is that businesses and other entities have taken it upon themselves to decide that the mere act of provision extols upon them a right of ownership. While there are not yet any laws that clarify this, I maintain that it does not, Be that as it may, people must be proactive about how this information is used. Insist that it not be used for anything but the transaction at hand.