
LexisNexis Warns of Consumer Database Breaches

Last month, Security Fix wrote that scam artists were trying to steal the login credentials that law enforcement officers use to access their accounts at Accurint, a database operated by LexisNexis owner Reed Elsevier that contains highly detailed and personal files on millions of Americans.

It would seem as though those efforts have been successful.

The company recently sent out an undetermined number of letters to consumers across the country, stating that "...a law enforcement customer's user ID may have been used in an unauthorized manner that allowed some personal information about you to be viewed..." The letter, dated May 25, said thieves had accessed the recipient's personal data, which may have included the victim's name, address, Social Security number and/or driver's license number. It also offered free Equifax credit monitoring through a promotional code.

Sources familiar with the incident said the letters were sent after it was discovered that a number of accounts were compromised at a federal law enforcement agency, though the sources declined to say which agency was targeted.

In a statement e-mailed to Security Fix, LexisNexis said: "There is an active and ongoing law enforcement investigation into this case so we won't be discussing the specifics. We have a chief security officer whose team is devoted to constantly monitoring, auditing and securing our systems and our data. From time to time we'll stop intruders trying to access the accounts of our legitimate customers and in cases where data may have been compromised by an intruder, we notify potentially affected consumers."

Security Fix received an e-mail from one reader who was sent one of these letters. This person asked that her name be withheld from this story because she was very recently an identity theft victim. It turns out that a very short time before she received the alert, someone had opened several credit card accounts in her name and used them to make purchases at a variety of retail stores.

"I'm writing in anonymously because I'm concerned with the issue of privacy now more than ever...," she wrote. "A LexisNexis employee mentioned during one phone call 'this is not in the news.' I wonder if maybe it should be?"

The woman said her parents also received similar letters, although she said they had not experienced any overt signs of fraud with their financial accounts. If their daughter had not also received the same letter, they might not have known to be on guard. Neither of them had accounts with LexisNexis or Equifax, and they initially assumed the letter was an advertisement and disregarded it.

This latest incident is hardly the fault of LexisNexis, which maintains a group of individuals dedicated to policing accounts for signs of fraud or misuse. But it seems to me that this country needs to have a serious and sustained debate over just how much we care about cyber security (I intend to expound on this idea in a series of future blog posts).

If this woman's story is scary, it should be. Here is the unfortunate reality we face today: Law enforcement officials, along with tens of thousands of people working in a variety of industries -- from health care to insurance to real estate to banking -- have unobstructed access to our most personal data, yet few of those individuals receive even rudimentary training on proper ways to ensure the physical and cyber security of their systems. Nor are they given tips on avoiding cyber scams that can hand the keys to consumer databases over to criminals. The bad guys understand this, and they are exploiting this unfortunate situation to their advantage.

Update, June 26, 5:44 p.m.: LexisNexis still isn't saying how many letters it sent out, but at least 1,800 people in Wisconsin alone were notified that their data may have been compromised. Hat tip to this site for the pointer and the link love.

By Brian Krebs  |  June 21, 2007; 9:34 AM ET
Categories: Fraud, From the Bunker, U.S. Government

Comments

Brian,

I'm curious to know if you and your readers bank and pay bills online.

I have actually had one experience with credit card ID theft. I argued successfully against the bill, but it was nonetheless an alarming experience.

That event -- combined with Washington Mutual's "so what?" reaction to customers who racked up late fees when WaMu's bill-paying system was offline for a long time -- scared me off of banking or paying bills online. Seems to me that these systems are designed solely for convenience, and everything else is ignored or deemed not important.

I genuinely believe now that the low-tech risks of someone getting their hands on my private information are a lot smaller than the high-tech risks of having this data stolen online.

Is there anyone who can convince me that this isn't true?

Posted by: Mo | June 21, 2007 6:34 PM | Report abuse

Mo, I believe Brian does not bank online. I do. I am comfortable with the security on my end and feel like the bank has my information in their system anyway--it was available right when I registered for online banking, it's not like I had to wait for them to add my account to their system. But it does kind of scare me. I feel like monitoring an account more often than monthly is necessary these days and doing it by phone is too cumbersome.

Posted by: sb | June 21, 2007 11:37 PM | Report abuse

You're not asking the obvious question: What if it's the law enforcement agents selling the data to criminals in the first place?

Think about it--who would have access to the records and would stand to gain from hackers getting access to them? Not everything is an outside job.

This reminds me of the holdup that prevented the anti-pretexting law from getting passed--police on multiple levels used pretexting to get information, all the way up to Homeland Security. The current law has an exemption for law enforcement, as a result--and there may as well not be a law at all.

Excellent work overall, as always, but don't be afraid to be a little more cynical. ;)

Martin Bosworth
MyPublicInfo.com (http://www.mypublicinfo.com)
ConsumerAffairs.Com (http://www.consumeraffairs.com)

Posted by: Martin Bosworth | June 22, 2007 11:04 AM | Report abuse

Perhaps something like this would help?

www.trustedcomputinggroup.org

Obviously, the "security" we have now with software isn't cutting it.

Posted by: jh | June 22, 2007 11:25 AM | Report abuse

We have to be diligent about not giving personal info to people who don't have a need to know. I was in a Sam's Club yesterday with a coupon for a Guest Pass. All I wanted to purchase was a box of individually wrapped cookies to send to my nephew at camp this summer. In order to get the pass, they wanted my name, address, phone number, SSN and driver's license number. Are they nuts? All for a box of cookies I was going to pay cash for? When I asked what they were going to use the info for, they said, 'nothing.' I asked if they had ever heard of ID theft, computer break-ins or TJ Maxx etc. and they looked at me like I was nuts. Needless to say, they did not get the info, and I will never set foot in a Sam's Club again! These retailers need to know that they have no such need for that type of personal information!

Posted by: jb | June 25, 2007 8:12 PM | Report abuse

jb -- you made the right decision. Sam's Club has screwed up before in protecting its customers' data:

http://www.computerworld.com/securitytopics/security/story/0,10801,107014,00.html

Posted by: Anonymous | June 26, 2007 5:51 PM | Report abuse


© 2010 The Washington Post Company