Slashdot Mirror


LexisNexis Breach Worse Than Believed

Rollie Hawk writes "Worldwide law and news sifter LexisNexis has some bad news of its own this time. Actually, "bad" might sharply understate the situation. More than a month after disclosing information on a database breach that led to 32,000 customer IDs being stolen, the results of an internal review showed that in fact the damage was nearly ten times worse than previously thought. LexisNexis is already "offering free support services, including credit bureau reports, credit monitoring for one year and fraud insurance" to the nearly 300,000 additional victims it will soon be contacting, according to a Reed Elsevier statement to the Regulatory News Service. So far, no identity thefts have been reported by earlier victims, at least some of whom had private information such as addresses and Social Security numbers unwittingly divulged."

12 of 238 comments

  1. Re:So how long before congress mandates... by OpenYourEyes · · Score: 3, Informative

    Somewhere between -5 and 5 months ago/from now.

    The FTC is already requiring the credit agencies to give you a free report every year, with implementation rolling out since 1 Dec 2004 depending on where you live. Some states have required this for years.

  2. arrogance by netruner · · Score: 4, Informative

    I took a class in grad school on the general legal environment in engineering (mostly IP issues), but for part of our legal research, we were given access to Lexis Nexis by one of their sales reps. Part of us being given access was that we had to listen to the rep talk about the company. I questioned whether or not the responsibility of keeping such a large database with such personal info in it was a nightmarish liability, and was told by the rep that if anyone wanted to sue them "It's a company full of lawyers- good luck".

    --



    DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
  3. Re:Do they know more than google? by Tenareth · · Score: 4, Informative


    Their biggest database is just public records, so they have your information if you ever took out a loan, bought a house, have a driver's license, been arrested, or walked near an ATM.

    That is not what got abused; another database owned by Seisint (only recently purchased by LexisNexis) was the target.

    It was a social engineering attack.

    --
    This sig is the express property of someone.
  4. Re:Screw LexisNexis by roye · · Score: 3, Informative

    Have you used Lexis-Nexis? Identity loss notwithstanding, the amount of important data available in one place is fantastic. While one might be able to gather bits and pieces (or eventually the entire set), L-N has it ready. Not to mention ready access to all of the "archives" sections of newspapers and wire services from around the world, ready to be searched. I regret the day I have to leave University and my included L-N access.

  5. Re:Screw LexisNexis by Anonymous Coward · · Score: 1, Informative

    Too bad it wasn't LexisNexis that got affected, but Seisint, a recently acquired company.

  6. Re:New Rule for companies with data by Anonymous Coward · · Score: 1, Informative

    All of which is done inside LexisNexis, but apparently Seisint (the company that got affected) didn't have the social engineering training.

  7. Re:I'm really glad by program21 · · Score: 2, Informative

    It's not just people who were customers of theirs; Lexis-Nexis also maintains records about people, much like ChoicePoint does. So not being a customer doesn't necessarily mean that they don't have information about you.

    --
    This has been a test. Had this been a real emergency, we would have fled in terror and you would not have been informed.
  8. Re:I'm really glad by The+Good+Reverend · · Score: 4, Informative

    Most of their data content (as opposed to news articles) comes from government agencies, is in the public domain, and is just a Google search away.

    That's simply not true. As someone who uses Lexis-Nexis' public records and data content every day, as well as Google, there's a lot of information that isn't available on the free internet. While a lot of it IS in the public domain, it's not centralized, and it's not updated, and it's not reliable. If you have some source publicly and freely available, I'd love to know about it.

  9. Re:So how long before congress mandates... by Anonymous Coward · · Score: 1, Informative

    Uh, that's 3 free reports per year.

    "The law allows you to order one free copy from each of the nationwide consumer reporting companies every 12 months."

    There are 3 companies.

  10. Re:Of course it hasn't been used yet. by 955301 · · Score: 2, Informative


    But this type of information has details which get stale quickly. What good is the SSN, Name, birthday when you can't provide a current address because the victim moved. Or died. Or married.

    It's a race condition. Whoever did this would be wise to move soon, if they haven't already. How long was the period between when they thought it was 30k and 300k? A few weeks? Consider that a lead in the race.

    --
    You are checking your backups, aren't you?
  11. Re:Social Security Reform by 123abc987 · · Score: 2, Informative

    Universities also used to require SSNs for unique student IDs, but now that's illegal and all the universities have to change everyone's ID and issue new cards. If they have such a beef with your industry requiring SSNs, tell them to call their senators to have the law changed. That's the only way the industry will change this policy.

  12. Re:Why? by Anonymous Coward · · Score: 1, Informative

    First of all, it's not really Lexis Nexis that had the break-in, per se. Lexis Nexis only recently bought Seisint, a Boca Raton company. The main "product" that Seisint provided was called Accurint. This was (and is) a very useful tool for skip-tracing, law enforcement, and others. By simply typing in all or part of a subject's name, where you think he might have lived, and a few other bits and pieces of information, you can pull up a basic report (for- get this- a quarter, yes $.25) showing minimal information. For a fee, a few more clicks gets you a list of everywhere he's ever lived, the names and addresses of (and a full report on) all his relatives and known associates, his property ownership, court records (takes a bit since that's got to be researched), and a host of other amazingly detailed data about his life. In mere seconds. Where other firms could provide similar information, Accurint can provide much much more and at damn-near instantaneous speed. Imagine being a police officer with a report of an abduction-by-parent, being able to go to this tool and look up all the abductor's relatives' current and previous residences in under five minutes. You could turn around, get on the phone and dispatch officers to all those locations, probably BEFORE the abductor had time to get to them. This is an amazing tool in the hands of the right people. Of course, imagine this in the hands of a stalker (or God forbid, a terrorist) and you have a different scenario. Personally, I think they're lucky it was only identity thieves who got access.

    Lexis-Nexis just had the unfortunate luck of buying the wrong company at the wrong time. Even if it had occurred to them, Lexis-Nexis did not have enough time to perform the type of full security audit that would have prevented this breach. Some of the theft likely occurred BEFORE the buy out (speculation- I don't know the exact timing). You can blame Lexis-Nexis for not doing their homework, but you can't blame them for the original negligence that allowed the theft of information.

    And just to avoid some confusion, when the previous poster mentioned the Matrix, he was closer to the truth than he knew. The "Matrix" is the "Multistate Anti-Terrorist Information eXchange," another product/project of Seisint's. That has a whole nuther set of issues. Mostly, those revolve around the alleged criminal behavior of Seisint's ex-CEO (who was long-gone before all this happened). Start with the ACLU's myths/realities page about the Matrix: http://www.aclu.org/Privacy/Privacy.cfm?ID=14894&c=130 Then do some more research based on the ex-CEO's name and his prior companies. I can guarantee you an interesting and informative web crawl.