LexisNexis Warns of Consumer Database Breaches
Last month, Security Fix wrote that scam artists were trying to steal the login credentials that law enforcement officers use to access their accounts at Accurint, a database operated by LexisNexis owner ReedElsevier that contains highly detailed and personal files on millions of Americans.
It would seem as though those efforts have been successful.
The company recently sent out an undetermined number of letters to consumers across the country, stating that "...a law enforcement customer's user ID may have been used in an unauthorized manner that allowed some personal information about you to be viewed..." The letter, dated May 25, said thieves had accessed the recipient's personal data, which may have included the victim's name, address, Social Security and/or drivers license number. It also offered free Equifax monitoring through a promotional code.
Sources familiar with the incident said the letters were sent after it was discovered that a number of accounts were compromised at a federal law enforcement agency, though the source declined to say which agency was targeted.
In a statement e-mailed to Security Fix, LexisNexis said: "There is an active and ongoing law enforcement investigation into this case so we won't be discussing the specifics. We have a chief security officer whose team is devoted to constantly monitoring, auditing and securing our systems and our data. From time to time we'll stop intruders trying to access the accounts of our legitimate customers and in cases where data may have been compromised by an intruder, we notify potentially affected consumers."
Security Fix received an e-mail from one reader who was sent one of these letters. This person asked that her name be withheld from this story because she was very recently an identity theft victim. Turns out that a very short time before she received the alert, someone had opened several credit card accounts in her name and used them to make purchases at a variety of retail stores.
"I'm writing in anonymously because I'm concerned with the issue of privacy now more than ever...," she wrote. "A LexisNexis employee mentioned during one phone call 'this is not in the news.' I wonder if maybe it should be?"
The woman said her parents also received similar letters, although she said they had not experienced any overt signs of fraud with their financial accounts. If their daughter had not also received the same letter, they may have not known to be on guard. Neither of them had accounts with LexisNexis or Equifax, and they initially assumed the letter was an advertiser and disregarded it.
This latest incident is hardly the fault of LexisNexis, which maintains a group of individuals dedicated to policing accounts for signs of fraud or misuse. But it seems to me that this country needs to have a serious and sustained debate over just how much we care about cyber security (I intend to expound on this idea in a series of future blog posts).
If this woman's story is scary, it should be. Here is the unfortunate reality we face today: Law enforcement officials, along with tens of thousands of people working in a variety of industries -- from health care to insurance to real estate to banking -- have unobstructed access to our most personal data, yet few of those individuals receive even rudimentary training on proper ways to ensure the physical and cyber security of their systems. Nor are they given tips on avoiding cyber scams that can hand the keys to consumer databases over to criminals. The bad guys understand this, and they are exploiting this unfortunate situation to their advantage.
Update, June 26, 5:44 p.m.: LexisNexis still isn't saying how many letters it sent out, but at least 1,800 people in Wisconsin alone were notified that their data may have been compromised. Hat tip to this site for the pointer and the link love.
June 21, 2007; 9:34 AM ET
Categories: Fraud , From the Bunker , U.S. Government
Save & Share: Previous: DHS to Answer for Hundreds of Cyber Break-Ins
Next: Two Security Updates from Apple
Posted by: Mo | June 21, 2007 6:34 PM | Report abuse
Posted by: sb | June 21, 2007 11:37 PM | Report abuse
Posted by: Martin Bosworth | June 22, 2007 11:04 AM | Report abuse
Posted by: jh | June 22, 2007 11:25 AM | Report abuse
Posted by: jb | June 25, 2007 8:12 PM | Report abuse
Posted by: Anonymous | June 26, 2007 5:51 PM | Report abuse
The comments to this entry are closed.