Slashdot Mirror


LexisNexis and Other Major Data Brokers Hacked By ID Theft Service

gewalker writes "Have we reached the point where it is time to admit that the ID thieves are winning and will continue to win as long as their incentives are sufficient to make it lucrative for them? According to Krebs On Security an analysis of a database pilfered from commercial identity thieves identified breaches in 25 data brokers including the heavyweights Dun and Bradstreet and LexisNexis." And they had access for months to most of them. From the article: "The botnet's online dashboard for the LexisNexis systems shows that a tiny unauthorized program called nbc.exe was placed on the servers as far back as April 10, 2013, suggesting the intruders have had access to the company's internal networks for at least the past five months. The program was designed to open an encrypted channel of communications from within LexisNexis's internal systems to the botnet controller on the public Internet." The companies compromised aggregated data for things like "credit decisions, business-to-business marketing and supply chain management. ... employment background, drug and health screening."

6 of 99 comments

  1. This is what IDS/IPS appliances are for... by mlts · Score: 5, Insightful

    No real excuse for this. This is exactly what network IDS/IPS programs/appliances are for.

    Any data center dealing with sensitive information should have an IDS/IPS installation which should have shut down nbc.exe's access out to the Internet, or at least raised a red flag in Splunk or whatever logging console application is in use. Most data centers have a list of authorized IPs that internal sites communicate out to, and if some machine communicates to an IP repeatedly on a sensitive network, it would be investigated, or at the minimum, looked at. Multiple machines communicating encrypted data to a site out on the Internet is something that IDS applications are designed to detect, and IPS offerings are designed to cork until someone takes a look at it.

    Security isn't rocket science. It is using basic concepts to compartmentalize information and applications to check for known/unknown attacks, and buying/using the tools needed.

    1. Re:This is what IDS/IPS appliances are for... by Anonymous Coward · Score: 5, Interesting

      This company and every one like it shouldn't even exist.

      They collect all this data about us without our permission. They offer me no service.

      Just remember kiddies, things were quite fine without these services. But with the demise of local business, consolidation into massive organizations spread all over the World, these businesses were created for their use, convenience and to lower their costs. It gives them the edge on knowledge about us and how to market shit to us - and it's all shit - especially in financial services.

      I had a credit bureau problem. THEIR information was wrong and as a result, I failed the authentication. They gave me an 800 number to call and I got this woman with a heavy accent (Indian?) who asked me a bunch of personal questions.

      When I asked her what country she was in, she responded that she couldn't answer because of "Security reasons."

      So, MY security means nothing to TransUnion but where their off shored call center is does.

      Corporations are the only ones who have a right to privacy and security.

    2. Re:This is what IDS/IPS appliances are for... by DarkOx · Score: 5, Insightful

      Right! This is the big problem. We need to be able to look at the laws that are allowing these guys to escape liability both on the accuracy side and the privacy side.

      Slapping "information may not be 100% accurate" in light typeface on the bottom of a credit report should not protect them from being held responsible for libel. When they leak your PI and you have to change account numbers, etc., they should be held responsible for interference with your other contracts.

      If the courts really worked we could bankrupt them in a week, which is what they deserve.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
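The two checks mlts describes above (a host repeatedly contacting an IP that is not on the authorized outbound list, and several internal hosts sending encrypted traffic to the same external site) can be run over ordinary flow records. This is an added example, not code from any commenter or from LexisNexis; the flow records, host names, IPs, allowlist and thresholds are all constructed here.

```python
from collections import defaultdict

# Constructed sample flow records: (src_host, dst_ip, dst_port, bytes_out).
# 203.0.113.10 is a constructed "unknown" external site; the rest are filler.
FLOWS = [
    ("db-01", "203.0.113.10", 443, 1200),
    ("db-01", "203.0.113.10", 443, 900),
    ("db-01", "203.0.113.10", 443, 1500),
    ("db-02", "203.0.113.10", 443, 800),
    ("app-03", "198.51.100.7", 443, 30000),
    ("db-01", "198.51.100.7", 443, 200),
    ("db-02", "192.0.2.44", 25, 100),
]

# Constructed allowlist of IPs the sensitive network is expected to talk to.
AUTHORIZED = {"198.51.100.7", "198.51.100.8"}
# Ports on which the payload is expected to be encrypted and therefore opaque to inspection.
ENCRYPTED_PORTS = {22, 443, 8443}


def repeated_unauthorized(flows, authorized, min_count=3):
    """(src_host, dst_ip) pairs where a host repeatedly contacts an IP off the allowlist."""
    counts = defaultdict(int)
    for src, dst, _port, _bytes in flows:
        if dst not in authorized:
            counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_count}


def shared_encrypted_destinations(flows, authorized, encrypted_ports, min_hosts=2):
    """Off-allowlist IPs that two or more internal hosts reach over an encrypted port."""
    hosts_by_dst = defaultdict(set)
    for src, dst, port, _bytes in flows:
        if dst not in authorized and port in encrypted_ports:
            hosts_by_dst[dst].add(src)
    return {dst: sorted(h) for dst, h in hosts_by_dst.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for (src, dst), n in repeated_unauthorized(FLOWS, AUTHORIZED).items():
        print(f"ALERT repeated outbound: {src} -> {dst} ({n} flows, not authorized)")
    for dst, hosts in shared_encrypted_destinations(FLOWS, AUTHORIZED, ENCRYPTED_PORTS).items():
        print(f"ALERT shared encrypted destination: {dst} contacted by {', '.join(hosts)}")
```

On the constructed data only the unknown site is flagged; the single SMTP flow from db-02 stays below both thresholds, which is the kind of tuning an IDS rule needs to avoid drowning the console in noise.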
  2. nbc.exe by Anonymous Coward · Score: 5, Funny

    Dot exe. I think I see the problem.

  3. Good? by AmiMoJo · Score: 5, Insightful

    This might be a good thing. Once we have a major "privacy apocalypse" and millions of people get screwed over something might be done about it. Otherwise there will just be endless "minor" breaches where a few hundred thousand people get ripped off and no one really cares.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. It's worse than that... by Anonymous Coward · Score: 5, Informative

    Lexis Nexis has a database of all United States citizens complete with full address history, SSN, DOB, associations such as relatives and neighbors, and you can cross reference and search the different relationships. They purchase the info from the government and then banks use them to verify information on credit applications by paying for the service and simply accessing a web interface via SSL over the public internet. I know this because I used to work for a large bank doing just that.