Slashdot Mirror


LexisNexis Breach Worse Than Believed

Rollie Hawk writes "Worldwide law and news sifter LexisNexis has some bad news of its own this time. Actually, "bad" might sharply understate the situation. More than a month after disclosing information on a database breach that led to 32,000 customer IDs being stolen, the results of an internal review showed that in fact the damage was nearly ten times worse than previously thought. LexisNexis is already "offering free support services, including credit bureau reports, credit monitoring for one year and fraud insurance" to the nearly 300,000 additional victims it will soon be contacting, according to a Reed Elsevier statement to the Regulatory News Service. So far, no identity thefts have been reported by earlier victims, at least some of whom had private information such as addresses and Social Security numbers unwittingly divulged."

16 of 238 comments

  1. Do they know more than google? by edmicman · · Score: 3, Interesting

    How do you know if they have info about you contained in their database? Or does it have info on EVERYBODY?

    1. Re:Do they know more than google? by Tlosk · · Score: 2, Interesting

      Some people already are...

      http://freegan.info/

  2. These identity theft notices are pretty frequent by HMA2000 · · Score: 5, Interesting

    Increased security will only take us so far considering the increasing reliance of all companies on databases.

    Businesses need to quit making personal information so valuable, which means an end to instant credit. This, of course, would have some pretty far reaching implications for the hot-tub and big screen TV market but you take the good with the bad.

  3. Social Security Reform by BandwidthHog · · Score: 3, Interesting

    The one aspect of the Social Security system I wanna see changed is the use of the same string for both username and password. So much of the threat of identity theft is because SSNs are so powerful. If the identifying number and associated secret were separate bits of information, 98.43% of the entities that have had breaches of this nature would not have had the passphrase in the first place, only the unique identifier.

    Why does it seem that I'm the only one who finds this to be utterly ridiculous? First and last name (even with middle name or initial) is simply not sufficient to separate one Frank Jacobs from another. A unique identifier is needed. Yet when I ask students for their SSN, as is *required* in my industry, many of them get all pissy about it, as they've had it drilled into their heads all their lives that anybody asking for your SSN is a devil worshiping credit card thief, and probably a yankee to boot. (It especially amuses me when I've got their credit card info on screen in front of me, yet they're getting all sketchy about giving out their SSN.)

    And now, feel free to do what so many people do in person or over the phone every day, and explain to me how it's illegal for me to be asking for that information, blah, blah, blah. We always get a kick out of that one.

    --

    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?

  4. More Liability Needed by Anonymous Coward · · Score: 1, Interesting

    I would love to see companies be held legally responsible for such security breaches. Maybe that'll get them to think twice before installing that swiss cheese M$ server or hiring that shady-but-cheap admin/tech support person just to save a few bucks and make the numbers come out "right". Of course, this will also lead to a new type of insurance, but at least the punishment will still be there.

  5. Home server security? by JerkyBoy · · Score: 3, Interesting

    These breaches really make me think... I'd like to run a server out of my home, and collect personal information from users (it's an online business). A host (no pun intended) of questions arise.
    1. What kind of training do I need to learn how to keep my data safe?
    2. What do I do if I find an intrusion?
    3. What if I detect intrusion attempts? Should I report them?
    4. Should I use FreeBSD, which has a better security history than Linux?
    Those are just a few of the things that come immediately to mind, except that maybe I shouldn't run my own server...

    Any ideas?
    --

    Always do right. This will gratify some people and astonish the rest. -- Mark Twain

  6. Re:Why? by Peyna · · Score: 2, Interesting

    The information was taken from Seisint, which LexisNexis recently acquired.

    Former Seisint customers' data may have been revealed; LexisNexis' regular customers are not part of this group.

    --
    What?

  7. Re:Why? by The+Good+Reverend · · Score: 5, Interesting

    Do you know what Lexis Nexis does? Among many other things, they provide personal information, including names, addresses, phone numbers, and state/federal public records (bankruptcies, mortgage records, court filings, etc.). Many of these records have social security numbers associated with them, just like they do if you go to your county hall of records.

    Customers didn't have their SSNs stolen, some people with records in the system (which includes everyone in the US) did. While I think this really is bad, you'd be amazed who already has your SSN, your address history, and all sorts of other personal information. It's not hard to get.

  8. Re:Of course it hasn't been used yet. by qwijibo · · Score: 3, Interesting

    That depends on how well they covered their tracks. This is already a high profile compromise. The only additional risk of using the data now is that LexisNexis will also be interested in finding the culprits. Most people don't get into identity theft as a retirement planning investment. Chances are, we'd see some of this information used this year.

  9. Re:Social Engineering by andy1307 · · Score: 4, Interesting

    How long before "someone" calls up people to tell them their SSN was stolen in the Lexis-Nexis break-in and asks them to verify their SSN/address so that they can receive "free" credit protection. I'm willing to bet at least 10% of people called will give away their own information.

  10. Oh My Data! by hetairoi · · Score: 2, Interesting

    I sometimes think that Lexis Nexis is the Matrix

    I thought the Matrix was the matrix. But I get so confused with all this personal data floating around everywhere.

    --
    you're all figments of my deranged imagination

  11. Re:Social Engineering by legirons · · Score: 2, Interesting

    "but to be fair, maybe they offered them chocolate for all that personal information."

    Who's more gullible, the person giving away their password for chocolate, or the researcher giving away chocolate for fake passwords?

  12. Sort of like the free salary CD by alexhohio · · Score: 2, Interesting

    I heard on the radio saying all you have to do is go in a corporate office, drop a CD somewhere with a label that says CONFIDENTIAL Salary Information with a company logo, and guaranteed, whoever finds it will stick the CD in their computer with whatever bug you have on it... and if the computer is on the network, you are in...

    --
    Almost every Harvard student was High School Valedictorian- After a year of college, half are in the bottom of the class

  13. Re:Social Engineering by Anonymous Coward · · Score: 1, Interesting

    How about the 300,000th dollar? IMHO there's gonna be a tipping point eventually, where the info isn't worth the extra buck. I doubt if class-action settlements will do the trick, given Feist v. Rural. Instead, it will probably require a metric shitload of individual suits against someone that one had no direct business relationship with.

    -- inode_buddha (not logged in)

  14. Several Workable Resolutions to Identity Theft by Dark+Coder · · Score: 2, Interesting

    To reduce identity theft immensely, one or more of the following MUST be legislated:

    1. Replace the SSN with a SecureID card with challenge keypad (none of that biometric foo-foo crap, bio is non-revokable)

    2. Make data aggregation illegal (ooooh, sorry credit bureaus)

    3. Make IRS the focal point of multi-keyed 2nd-generation SSN registration centre (sorry SSA, you screwed up, big-time!)

    4. Customer "optionally" generates a NEW SSN for each business or financial institution. (remember, data aggregation should be illegal)

    5. Credit Bureau would function just fine (just a bit laggard with aggregation effort).

    Once imposed, identity theft would (I guarantee this) be reduced to an insignificant amount.

    UNTIL THEN, nothing is currently being done to reduce the water flow from the Dutch Boy's leaking dikes.

    It doesn't take much brain to resolve this crisis, just time and money. The Congress has absolutely no clue on how to fix this mess... Write your congressman today with these suggestions.

  15. full implications of problem not explored by TFAs by ffflala · · Score: 2, Interesting

    My department was aware of this breach a few months back, before it broke. Our concern definitely wasn't the SS #s -- it was the home addresses. Problem was that a number of state and federal officials, judges, DAs, and other folks with long lists of people who may harbor grudges against them for performing their jobs, suddenly had their contact information widely available. The breach happened before courtroom security issues took such a dramatic front-page turn, but recent events highlight the additional danger these folks have always faced when dealing with criminal prosecutions.