LexisNexis Breach Worse Than Believed
Rollie Hawk writes "Worldwide law and news sifter LexisNexis has some bad news of its own this time. Actually, "bad" might sharply understate the situation.
More than a month after disclosing information on a database breach that led to 32,000 customer IDs being stolen, the results of an internal review showed that in fact the damage was nearly ten times worse than previously thought.
LexisNexis is already "offering free support services, including credit bureau reports, credit monitoring for one year and fraud insurance" to the nearly 300,000 additional victims it will soon be contacting, according to a Reed Elsevier statement to the Regulatory News Service. So far, no identity thefts have been reported by earlier victims, at least some of whom had private information such as addresses and Social Security numbers unwittingly divulged."
From the article:
Your network's security is inversely proportional to your users' gullibility.
____
~ |rip/\/\aster /\/\onkey
Why on earth would lexisnexis (or any other site providing a service) need a customer's SSN? Ok, some tax sites I can understand if you are electronically filing, but for anything else?
Don't blame me, I voted for Kodos
You'd have to be stupid to pull something like this then rush out and use the information you just got.
Wait 8-9 years, then we'll see whose identity information is being misused when this incident is just a distant memory and people are scratching their heads over how their information "got away".
If I have been able to see further than others, it is because I bought a pair of binoculars.
1) give everybody security training on email hacks, with getting your ass fired being the punishment for failure -or-
2) give everyone a copy of that Mitnick book about social engineering
3) keep topping up on the security training
4) every so often hire an expert to try and break into your systems using data hacks, or idiots-who-give-their-passwords-out-over-the-phone
5) enforce a protocol in regards to passing information about anything regarding your computer.
6) have sensitive information only be allowed to be passed onto people calling from specific extensions
-SJ53
Well,
If you look at the post, it clearly states that customer information is what was snatched.
To answer your question more specifically: Google yields zero results for my name, well for my name but not me specifically. The LN database however does yield valid results for my name. None of which contains personal info more than my name and hometown.
Most of their data content (as opposed to news articles) comes from government agencies, is in the public domain, and is just a Google search away.
I've always said that a combination of Google and Google news alerts is the poor man's Lexis-Nexis, and now we see that it's not just cheaper, it's safer.
All those folks who paid Lexis-Nexis' fees to save time are suddenly going to be wasting a lot of time dealing with identity theft. I may come out ahead not only in saved money, but in saved time, too. For once, being cheap has paid off.
See what I've been reading.
I sure don't think so. As long as computer systems and their security are incredibly complex mechanisms that only a fraction of the people on the planet can operate, we're going to be in this boat. Sit down and think for a minute. In the past (long before computers) confidential and valuable information or possessions were stored by trusted sources. Banks, legal firms, certain museums, etc... They all were more than capable of protecting valuable information or possessions from theft. The occasional break-in would happen, but not anywhere near the frequency that we see computer systems being compromised. And who was responsible for security in those institutions? Did we have security staff that went to college and were learned in maths and science? Were the lawyers who protected secrets expert locksmiths and did they have break-in drills to hone their security? No.
So how did we survive all those centuries without the need for the kind of security practices we see as a requirement today? I'll tell you how... the systems that secured the information or possessions were built with security in mind. A bank vault, for instance, isn't going to be made out of glass, ceramic or some other easily penetrable substance (like certain biological orifices). When it came to the legal profession in the past, there were stronger barriers to entry. Those barriers, for the most part, ensured the integrity of the people who entered into the profession. Again, for legal professionals of the past, confidentiality was assured as far as can be since we are all human.
The plain truth that no one wants to acknowledge is that computers are not secure by nature. The OS or hardware platforms all have faults (with the possible exception of OpenVMS on Alphas). What is needed is a completely new hardware and OS platform that is built completely with security in mind. A system where the hardware platform has restrictions built in that only allow proper access through only one channel. Just as a vault only has one door, so too should a system that is storing sensitive data. This should be implemented in hardware BEFORE the OS.
Why isn't this happening? Because it's not profitable enough. There isn't enough demand for this kind of system yet, and there won't be demand until the businesses are made to acknowledge that these kinds of break-ins are unacceptable.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
These fiends must be immediately caught and billed!
One line blog. I hear that they're called Twitters now.
'Freegans', huh....
I remember when we used to call those people 'bums'.
Among the most important, IMO, are:
1) More news coverage. As we've seen with many things in the past few years, only if it's on the news a lot will US citizens get upset. It's a sad commentary on the education of our population, but it's true. See also: Terri Schiavo.
2) Legislation. Time and time again, corporations (and indeed entire industries) prove that when their bottom line is involved, they will not self-police.
While other things in the world are certainly news-worthy, I hope this one doesn't get overlooked. If you're upset, write your senator or representative. Urge them to support Dianne Feinstein's legislation on tougher data-leak laws. I would, but I live in DC, which means I'm taxed but have no representation.
akad0nric0
This sentence no verb.
I can change my credit card number, I can't change my social security number. I also get a monthly statement of charges on my credit card, and the credit card company will help me with any invalid charges. I don't know how someone will use my social security number, and I'm on my own when I eventually find someone has trashed my credit rating.
I'm much more paranoid about my SSN than I am about my credit card number.
Of course I try to protect both but if someone fraudulently uses my card I get my money back from the CC company and cancel the card. If someone misuses my SSN to apply for a card in my name there is much less that I can do about it to try and stop them.
I'd agree that once a year isn't enough. However, the mandate is that EACH credit service give you a free report once a year. There's no requirement that you get them all at the same time. So you can spread out the requests to each service throughout the year.
Why did L/N need to know their subscribers' SSNs?
It's not their subscribers' SSNs, it's the SSNs included in the data they sell to their subscribers. Their subscribers might be, say, a bank. The bank is trying to decide whether John Doe is worth the risk of a car loan. The bank gathers the info from John Doe, then compares it to what someone like L-N has to say about Mr. Doe. Without critical identifiers like SSNs, it's pretty hard to compare Jane Smith to all of her identically named counterparts around the world.
Don't disappoint your bird dog. Go to the range.