LexisNexis Breach Worse Than Believed
Rollie Hawk writes "Worldwide law and news sifter LexisNexis has some bad news of its own this time. Actually, "bad" might sharply understate the situation.
More than a month after disclosing information on a database breach that led to 32,000 customer IDs being stolen, the results of an internal review showed that in fact the damage was nearly ten times worse than previously thought.
LexisNexis is already "offering free support services, including credit bureau reports, credit monitoring for one year and fraud insurance" to the nearly 300,000 additional victims it will soon be contacting, according to a Reed Elsevier statement to the Regulatory News Service. So far, no identity thefts have been reported by earlier victims, at least some of whom had private information such as addresses and Social Security numbers unwittingly divulged."
From the article:
Your network's security is inversely proportional to your users' gullibility.
____
~ |rip/\/\aster /\/\onkey
How do you know if they have info about you contained in their database? Or does it have info on EVERYBODY?
Why on earth would LexisNexis (or any other site providing a service) need a customer's SSN? OK, some tax sites I can understand if you are electronically filing, but for anything else?
Don't blame me, I voted for Kodos
Just when I thought it was safe to come out of my concrete bunker, I see 300,000 people's identities stolen. [puts tin foil hat back on, slams steel door]
I can see the letter now. Dear clients, We got owned. We got owned in a big way. Your identity is probably stolen now.
Increased security will only take us so far considering the increasing reliance of all companies on databases.
Businesses need to quit making personal information so valuable, which means an end to instant credit. This, of course, would have some pretty far reaching implications for the hot-tub and big screen TV market but you take the good with the bad.
You'd have to be stupid to pull something like this then rush out and use the information you just got.
Wait 8-9 years, then we'll see whose identity information is being misused when this incident is just a distant memory and people are scratching their heads over how their information "got away".
If I have been able to see further than others, it is because I bought a pair of binoculars.
The one aspect of the Social Security system I wanna see changed is the use of the same string for both username and password. So much of the threat of identity theft is because SSNs are so powerful. If the identifying number and associated secret were separate bits of information, 98.43% of the entities that have had breaches of this nature would not have had the passphrase in the first place, only the unique identifier.
Why does it seem that I'm the only one who finds this to be utterly ridiculous? First and last name (even with middle name or initial) is simply not sufficient to separate one Frank Jacobs from another. A unique identifier is needed. Yet when I ask students for their SSN, as is *required* in my industry, many of them get all pissy about it, as they've had it drilled into their heads all their lives that anybody asking for your SSN is a devil worshiping credit card thief, and probably a yankee to boot. (It especially amuses me when I've got their credit card info on screen in front of me, yet they're getting all sketchy about giving out their SSN.)
And now, feel free to do what so many people do in person or over the phone every day, and explain to me how it's illegal for me to be asking for that information, blah, blah, blah. We always get a kick out of that one.
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
These breaches are really making me think... I'd like to run a server out of my home, and collect personal information from users (it's an online business). A host (no pun intended) of questions arise.
- What kind of training do I need to learn how to keep my data safe?
- What do I do if I find an intrusion?
- What if I detect intrusion attempts? Should I report them?
- Should I use FreeBSD, which has a better security history than Linux?
Those are just a few of the things that come immediately to mind, except that maybe I shouldn't run my own server... Any ideas?
Always do right. This will gratify some people and astonish the rest. -- Mark Twain
Somewhere between -5 and 5 months ago/from now.
The FTC is already requiring the credit agencies to give you a free report every year, with implementation rolling out since 1 Dec 2004 depending on where you live. Some states have required this for years.
Most of their data content (as opposed to news articles) comes from government agencies, is in the public domain, and is just a Google search away.
I've always said that a combination of Google and Google news alerts is the poor man's Lexis-Nexis, and now we see that it's not just cheaper, it's safer.
All those folks who paid Lexis-Nexis' fees to save time are suddenly going to be wasting a lot of time dealing with identity theft. I may come out ahead not only in saved money, but in saved time, too. For once, being cheap has paid off.
See what I've been reading.
I sure don't think so. As long as computer systems and their security are incredibly complex mechanisms that only a fraction of the people on the planet can operate, we're going to be in this boat. Sit down and think for a minute. In the past (long before computers) confidential and valuable information or possessions were stored by trusted sources. Banks, legal firms, certain museums, etc... They all were more than capable of protecting valuable information or possessions from theft. The occasional break-in would happen, but not anywhere near the frequency that we see computer systems being compromised. And who was responsible for security in those institutions? Did we have security staff that went to college and were learned in maths and science? Were the lawyers who protected secrets expert locksmiths and did they have break-in drills to hone their security? No.
So how did we survive all those centuries without the need for the kind of security practices we see as a requirement today? I'll tell you how... the systems that secured the information or possessions were built with security in mind. A bank vault, for instance, isn't going to be made out of glass, ceramic or some other easily penetrable substance (like certain biological orifices). When it came to the legal profession in the past, there were stronger barriers to entry. Those barriers, for the most part, ensured the integrity of the people who entered into the profession. Again, for legal professionals of the past, confidentiality was assured as far as can be since we are all human.
The plain truth that no one wants to acknowledge is that computers are not secure by nature. The OS or hardware platforms all have faults (with the possible exception of OpenVMS on Alphas). What is needed is a completely new hardware and OS platform that is built completely with security in mind. A system where the hardware platform has restrictions built in that only allow proper access through only one channel. Just as a vault only has one door, so too should a system that is storing sensitive data. This should be implemented in hardware BEFORE the OS.
Why isn't this happening? Because it's not profitable enough. There isn't enough demand for this kind of system yet, and there won't be demand until the businesses are made to acknowledge that these kinds of break-ins are unacceptable.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I took a class in grad school on the general legal environment in engineering (mostly IP issues), but for part of our legal research, we were given access to Lexus Nexus by one of their sales reps. Part of us being given access was that we had to listen to the rep talk about the company. I questioned whether or not the responsibility of keeping such a large database with such personal info in it was a nightmarish liability, and was told by the rep that if anyone wanted to sue them "It's a company full of lawyers - good luck".
DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
You forgot the most important part - 7. HIDE THE DAMN CHOCOLATE!
Have you used Lexis-Nexis? Identity loss notwithstanding, the amount of important data available in one place is fantastic. While one might be able to gather bits and pieces (or eventually the entire set), L-N has it ready. Not to mention ready access to all of the "archives" sections of newspapers and wire services from around the world, ready to be searched. I regret the day I have to leave University and my included L-N access.
For free identity theft monitoring, please send your name, social security number, birth date, credit card numbers with expiration dates, and address to protectmyidentity@gmail.com. We will take care of your credit record for you and guarantee that you will never have to worry about your good credit record ever again.
These fiends must be immediately caught and billed!
One line blog. I hear that they're called Twitters now.
I was set for life. With a new identity, I would get retirement for years and live happily on the beach. Then I got notice that I had died just a few days ago. So now I have a new identity, but I'm dead. Wonder if I can get my old job back....
Among the most important, IMO, are:
1) More news coverage. As we've seen with many things in the past few years, only if it's on the news a lot will US citizens get upset. It's a sad commentary on the education of our population, but it's true. See also: Terri Schiavo.
2) Legislation. Time and time again, corporations (and indeed entire industries) prove that when their bottom line is involved, they will not self-police.
While other things in the world are certainly news-worthy, I hope this one doesn't get overlooked. If you're upset, write your senator or representative. Urge them to support Dianne Feinstein's legislation on tougher data-leak laws. I would, but I live in DC, which means I'm taxed but have no representation.
akad0nric0
This sentence no verb.
DAN?
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
I sometimes think that Lexis Nexis is the Matrix
I thought the Matrix was the matrix. But I get so confused with all this personal data floating around everywhere.
you're all figments of my deranged imagination
I'd agree that once a year isn't enough. However, the mandate is that EACH credit service give you a free report once a year. There's no requirement that you get them all at the same time. So you can spread out the requests to each service throughout the year.
Why did L/N need to know their subscribers' SSNs?
It's not their subscribers' SSNs, it's the SSNs included in the data they sell to their subscribers. Their subscribers might be, say, a bank. The bank is trying to decide whether John Doe is worth the risk of a car loan. The bank gathers the info from John Doe, then compares it to what someone like L-N has to say about Mr. Doe. Without critical identifiers like SSNs, it's pretty hard to compare Jane Smith to all of her identically named counterparts around the world.
Don't disappoint your bird dog. Go to the range.
I heard on the radio that all you have to do is go in a corporate office, drop a CD somewhere with a label that says CONFIDENTIAL Salary Information with a company logo, and guaranteed, whoever finds it will stick the CD in their computer with whatever bug you have on it... and if the computer is on the network, you are in...
Almost every Harvard student was High School Valedictorian- After a year of college, half are in the bottom of the class
To reduce the identity theft immensely, one or more of the following MUST be legislated:
1. Replace the SSN with SecureID card with challenge keypad (none of those biometric foo-foo crap, bio is non-revokable)
2. Make data aggregation illegal (ooooh, sorry credit bureaus)
3. Make IRS the focal point of multi-keyed 2nd-generation SSN registration centre (sorry SSA, you screwed up, big-time!)
4. Customers "optionally" generate a NEW SSN for each business or financial institution. (remember, data aggregation should be illegal)
5. Credit Bureau would function just fine (just a bit laggard with aggregation effort).
Once imposed, identity theft would (I guarantee this) be reduced to an insignificant amount.
UNTIL THEN, nothing is currently being done to reduce the water flow from the Dutch Boy's leaking dikes.
It doesn't take much brain to resolve this crisis, just time and money. The Congress has absolutely no clue on how to fix this mess... Write your congressman today with these suggestions.
My department was aware of this breach a few months back, before it broke. Our concern definitely wasn't the SS #s -- it was the home addresses. Problem was that a number of state and federal officials, judges, DAs, and other folks with long lists of people who may harbor grudges against them for performing their jobs, suddenly had their contact information widely available. The breach happened before courtroom security issues took such a dramatic front-page turn, but recent events highlight the additional danger these folks have always faced when dealing with criminal prosecutions.