Slashdot Mirror


LexisNexis Breach Worse Than Believed

Rollie Hawk writes "Worldwide law and news sifter LexisNexis has some bad news of its own this time. Actually, "bad" might sharply understate the situation. More than a month after disclosing information on a database breach that led to 32,000 customer IDs being stolen, the results of an internal review showed that in fact the damage was nearly ten times worse than previously thought. LexisNexis is already "offering free support services, including credit bureau reports, credit monitoring for one year and fraud insurance" to the nearly 300,000 additional victims it will soon be contacting, according to a Reed Elsevier statement to the Regulatory News Service. So far, no identity thefts have been reported by earlier victims, at least some of whom had private information such as addresses and Social Security numbers unwittingly divulged."

7 of 238 comments

  1. Do they know more than google? by edmicman · Score: 3, Interesting

    How do you know if they have info about you contained in their database? Or does it have info on EVERYBODY?

  2. These identity theft notices are pretty frequent by HMA2000 · Score: 5, Interesting

    Increased security will only take us so far considering the increasing reliance of all companies on databases.

    Businesses need to quit making personal information so valuable, which means an end to instant credit. This, of course, would have some pretty far-reaching implications for the hot-tub and big screen TV market but you take the good with the bad.

  3. Social Security Reform by BandwidthHog · Score: 3, Interesting

    The one aspect of the Social Security system I wanna see changed is the use of the same string for both username and password. So much of the threat of identity theft is because SSNs are so powerful. If the identifying number and associated secret were separate bits of information, 98.43% of the entities that have had breaches of this nature would not have had the passphrase in the first place, only the unique identifier.

    Why does it seem that I'm the only one who finds this to be utterly ridiculous? First and last name (even with middle name or initial) is simply not sufficient to separate one Frank Jacobs from another. A unique identifier is needed. Yet when I ask students for their SSN, as is *required* in my industry, many of them get all pissy about it, as they've had it drilled into their heads all their lives that anybody asking for your SSN is a devil worshiping credit card thief, and probably a yankee to boot. (It especially amuses me when I've got their credit card info on screen in front of me, yet they're getting all sketchy about giving out their SSN.)

    And now, feel free to do what so many people do in person or over the phone every day, and explain to me how it's illegal for me to be asking for that information, blah, blah, blah. We always get a kick out of that one.

    --
    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?

  4. Home server security? by JerkyBoy · Score: 3, Interesting

    These breaches are really making me think... I'd like to run a server out of my home, and collect personal information from users (it's an online business). A host (no pun intended) of questions arise.
    1. What kind of training do I need to learn how to keep my data safe?
    2. What do I do if I find an intrusion?
    3. What if I detect intrusion attempts? Should I report them?
    4. Should I use FreeBSD, which has a better security history than Linux?
    Those are just a few of the things that come immediately to mind, except that maybe I shouldn't run my own server...

    Any ideas?
    --
    Always do right. This will gratify some people and astonish the rest. -- Mark Twain

  5. Re:Why? by The Good Reverend · Score: 5, Interesting

    Do you know what Lexis Nexis does? Among many other things, they provide personal information, including names, addresses, phone numbers, and state/federal public records (bankruptcies, mortgage records, court filings, etc.). Many of these records have social security numbers associated with them, just like they do if you go to your county hall of records.

    Customers didn't have their SSNs stolen, some people with records in the system (which includes everyone in the US) did. While I think this really is bad, you'd be amazed who already has your SSN, your address history, and all sorts of other personal information. It's not hard to get.

  6. Re:Of course it hasn't been used yet. by qwijibo · Score: 3, Interesting

    That depends on how well they covered their tracks. This is already a high profile compromise. The only additional risk of using the data now is that LexisNexis will also be interested in finding the culprits. Most people don't get into identity theft as a retirement planning investment. Chances are, we'd see some of this information used this year.

  7. Re:Social Engineering by andy1307 · Score: 4, Interesting

    How long before "someone" calls up people to tell them their SSN was stolen in the Lexis-Nexis break-in and asks them to verify their SSN/address so that they can receive "free" credit protection? I'm willing to bet at least 10% of people called will give away their own information.