Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Security

LexisNexis Breach Worse Than Believed 238

Rollie Hawk writes "Worldwide law and news sifter LexisNexis has some bad news of its own this time. Actually, "bad" might sharply understate the situation. More than a month after disclosing information on a database breach that led to 32,000 customer IDs being stolen, the results of an internal review showed that in fact the damage was nearly ten times worse than previously thought. LexisNexis is already "offering free support services, including credit bureau reports, credit monitoring for one year and fraud insurance" to the nearly 300,000 additional victims it will soon be contacting, according to a Reed Elsevier statement to the Regulatory News Service. So far, no identity thefts have been reported by earlier victims, at least some of whom had private information such as addresses and Social Security numbers unwittingly divulged."
This discussion has been archived. No new comments can be posted.

LexisNexis Breach Worse Than Believed

Comments Filter:
  • Social Engineering (Score:5, Insightful)

    by TripMaster Monkey ( 862126 ) * on Tuesday April 12, 2005 @12:17PM (#12213739)


    From the article:


    The thieves, who obtained information including addresses and Social Security numbers, did not hack into the computer system. Instead, they were able to fool the company into giving out password information, CNN reported.


    Your network's security is inversely proportional to your users' gullibility.

  • by edmicman ( 830206 ) on Tuesday April 12, 2005 @12:20PM (#12213779) Homepage Journal
    How do you know if they have info about you contained in their database? Or does it have info on EVERYBODY?
  • Why? (Score:5, Insightful)

    by i.r.id10t ( 595143 ) on Tuesday April 12, 2005 @12:20PM (#12213788)
    Why on earth would lexisnexis (or any other site providing a service) need a customer's SSN? Ok, some tax sites I can understand if you are electronically filing, but for anything else?
    • Re:Why? (Score:3, Interesting)

      by Peyna ( 14792 )
      The information was taken from Seisint [seisint.com], which LexisNexis recently acquired.

      Former Seisint customer's data may have been revealed; LexisNexis' regular customers are not part of this group.
    • Re:Why? (Score:5, Funny)

      by geoffeg ( 15786 ) <`gro.htols' `ta' `geffoeg'> on Tuesday April 12, 2005 @12:32PM (#12213940) Homepage
      Me thinks you don't understand the expanse of data that lexis nexis has on people. They not only have your SSN but they probably have data on how many times you've bitched about people knowing your SSN. :)
      I sometimes think that Lexis Nexis is the Matrix, it just hasn't become fully sentient.
      • Once you get it out of the hands of all those damn dirty lawyers, LexisNexis will immediately reach complete sentience and will reveal its true nature as the Matrix.

        IAALS (and I approve this message)
      • Oh My Data! (Score:3, Interesting)

        by hetairoi ( 63927 )
        I sometimes think that Lexis Nexis is the Matrix

        I thought the Matrix [washingtonpost.com] was the matrix. But I get so confused with all this personal data floating around everywhere.

      • You know that LexisNexis (through their Seisint division), already has a project called Matrix [myway.com]:

        Seisint, which provides data for Matrix, a crime and terrorism database project funded by the U.S. government that has raised concerns among civil liberties groups - stores millions of personal records including individuals' addresses and Social Security numbers. Customers include police and legal professionals and public and private sector organizations.

        You have to wonder why they chose Matrix. Was "Big Broth

    • Re:Why? (Score:5, Interesting)

      by The Good Reverend ( 84440 ) <michael@mQUOTEichris.com minus punct> on Tuesday April 12, 2005 @12:35PM (#12213983) Journal
      Do you know what Lexis Nexis does? Among many other things, they provide personal information, including names, addresses, phone numbers, and state/federal public records (bankruptcies, mortgage records, court filings, etc.). Many of these records have social security numbers associated with them, just like they do if you go to your county hall of records.

      Customers didn't have their SSNs stolen, some people with records in the system (which includes everyone in the US) did. While I think this really is bad, you'd be amazed who already has your SSN, your address history, and all sorts of other personal information. It's not hard to get.
      • The less secrets you have, the better you feel about people having your personal information. The more secrets you know about others, the better you feel about having their personal information. =)
    • Why on earth would lexisnexis (or any other site providing a service) need a customer's SSN?
      I've noticed that some DB designers have an almost religious aversion to surrogate keys [r937.com]. Maybe they used chose natural key such as SSN is a lazy workaround?
      • Re:Why? (Score:3, Insightful)

        by mikael ( 484 )
        To collate and merge all the information from the different databases, they need a global unique identifier for each database that never changes between each database ie. your SSN, since at different times your name may be spelled differently/abbreviated, your address may have changed (parents home/college dorm/rented flat/mortgaged house), and your data of birth (as well as many dates) may be scrambled by six digit compression ie. is 04/05/02 is The fourth of April 2002, or the 2nd April 2004, or the 5th F
    • From what I understand they have *EVERYTHING* on you. SSN, credit history, police records, hell they probably even know how many times a day you go to the bathroom. In short, for a nominal fee you can get all the information you need to steal a person's entire identity from companies like this. And this is somehow legal.
  • Man... (Score:5, Funny)

    by Bananatree3 ( 872975 ) on Tuesday April 12, 2005 @12:20PM (#12213791)
    Just when I thought it was safe to come out of my concrete bunker, I see 300,000 people's identities stolen. [puts tin foil hat back on, slams steel door]
  • by elasticwings ( 758452 ) on Tuesday April 12, 2005 @12:21PM (#12213797)
    I can see the letter now. Dear clients, We got owned. We got owned in a big way. Your identity is probably stolen now.
  • by HMA2000 ( 728266 ) on Tuesday April 12, 2005 @12:23PM (#12213823)
    Increased security will only take us so far considering the increasing reliance of all companies on databases.

    Businesses need to quit making personal information so valuable, which means an end to instant credit. This, of course, would have some pretty far reaching implications for the hot-tub and big screen TV market but you take the good with the bad.
    • If the businesses are going to make the information valuable, then their responsibility to protect it should be greater. There is a wide gap between the damage that can be done through ID-theft and the repercussions a company experiences when they let it out into the world. The only solutions to this problem that I've heard so far is for the general public to deal with it themselves, as if the companies *and* the government are telling us, "sucks to be you." I don't think this is right.
      • If the businesses are going to make the information valuable, then their responsibility to protect it should be greater. There is a wide gap between the damage that can be done through ID-theft and the repercussions a company experiences when they let it out into the world.

        But if your information leaks out, then the business holding it isn't directly harmed. If I'm not mistaken, there as yet is no legal obligation for the data warehouses to safeguard all of that personal information. Credit issuers and t

  • by Qzukk ( 229616 ) on Tuesday April 12, 2005 @12:23PM (#12213832) Journal
    You'd have to be stupid to pull something like this then rush out and use the information you just got.

    Wait 8-9 years, then we'll see whose identity information is being misused when this incident is just a distant memory and people are scratching their heads over how their information "got away".
    • That depends on how well they covered their tracks. This is already a high profile compromise. The only additional risk of using the data now is that LexisNexis will also be interested in finding the culprits. Most people don't get into identity theft as a retirement planning investment. Chances are, we'd see some of this information used this year.

    • But this type of information has details which get stale quickly. What good is the SSN, Name, birthday when you can't provide a current address because the victim moved. Or died. Or married.

      It's a race condition. Whoever did this would be wise to move soon, if they haven't already. How long was the period between when they thought it was 30k and 300k? A few weeks? Consider that a lead in the race.

  • Just threaten to legislate that the owners of said databases have to keep all their own personal information in them. They'd probably try harder.
  • The recent "change in ownership" of LexisNexis, for an "undisclosed sum"...

    They plan to pull a "but Bhopal happened before we owned them, boo-hoo, leave us alone you bullies".
  • The one aspect of the Social Security system I wanna see changed is the use of the same string for both username and password. So much of the threat of identity theft is because SSNs are so powerful. If the identifying number and associated secret were separate bits of information, 98.43% of the entities that have had breaches of this nature would not have had the passphrase in the first place, only the unique identifier.

    Why does it seem that I'm the only one who finds this to be utterly ridiculous? First and last name (even with middle name or initial) is simply not sufficient to separate one Frank Jacobs from another. A unique identifier is needed. Yet when I ask students for their SSN, as is *required* in my industry, many of them get all pissy about it, as they've had it drilled into their heads all their lives that anybody asking for your SSN is a devil worshiping credit card thief, and probably a yankee to boot. (It especially amuses me when I've got their credit card info on screen in front of me, yet they're getting all sketchy about giving out their SSN.)

    And now, feel free to do what so many people do in person or over the phone every day, and explain to me how it's illegal for me to be asking for that information, blah, blah, blah. We always get a kick out of that one.
    • You think that's bad. I just got a resume with an applicant's SSN on it.

      So now I know their name, address, phone, SSN, previous employment history, hobbies and habits.

      Hmm, coincidentaly due to a spelling error, I just thought of a great interview question:
      Would you say you're an applican, or an applican't?

    • But since some large portion of the orgs that use SSNs use them as secrets, they would also be asking for your secret under a uid/password system.

      So now you've still got tons of busted systems out there that have seen your secret. Plus, someone has to manage passwords. That's annoying enough at our 500 person company.

      Public key cryptography could do it without requiring you to expose your secret every time someone wants to ID you, but then someone would have to manage those public keys. That could be less
    • (It especially amuses me when I've got their credit card info on screen in front of me, yet they're getting all sketchy about giving out their SSN.)

      I'm much more paranoid about my SSN than I am about my credit card number.

      Of course I try to protect both but if someone fraudulently uses my card I get my money back from the CC company and cancel the card. If someone misuses my SSN to apply for a card in my name there is much less that I can do about it to try and stop them.

    • "The one aspect of the Social Security system I wanna see changed is the use of the same string for both username and password. So much of the threat of identity theft is because SSNs are so powerful."

      You'd probably want to fix the underlying problem of people not caring about security of your personal data, while you implement that change. Otherwise, the secret password would just be "required" for everything, stored and published everywhere, just like the current SSN (which used to be a secret password,
    • My old card used to say (yes, in all caps) "NOT FOR PURPOSES OF IDENTIFICATION". Odd that we use it for identification. The card and numbers are to be used solely for the Social Security administration, not while applying for a job, not while subscribing to Cable Internet, and not while authenticating my login to my bank account. It IS illegal, but unenforced, unfortunately.

      If you've got someone's SSN on screen, why ask for it?
  • Seriously. They have no reason to be storing drivers licence numbers and Social Security numbers in their databases. They're selling an online service, and just like any online store, all they need is your billing name and address, credit card # and expiration date. Throw in a username and password so the user can easily return... are they using SSNs and drivers licence numbers as a way of authentication? If so... why?
    • They provide a slew of services. My company pays them for bankruptcy scrubbing. The primary identifier used is the SSN. We send them name, address, ssn all that and they send us back hits where the people have filed bankruptcy, when they filed, etc. They are huge.
    • No, that is the stuff they are selling. Records about thee and me.

      How many times you've applied for a credit card. How much and when was your mortgage application. How many parking tickets you have. Any and all newspaper articles where your name turns up.

      Just as with television...We are not the consumer. We are the product. We are being bought and sold daily.

  • by JerkyBoy ( 455854 ) on Tuesday April 12, 2005 @12:30PM (#12213906) Homepage Journal

    These breaches really making me think... I'd like to run a server out of my home, and collect personal information from users (it's an online business). A host (no pun intended) of questions arise.
    1. What kind of training do I need to learn how to keep my data safe?
    2. What do I do if I find an intrusion?
    3. What if I detect intrusion attempts? Should I report them?
    4. Should I use FreeBSD, which has a better security history than Linux?
    Those are just a few of the things that come immediately to mind, except that maybe I shouldn't run my own server...

    Any ideas?
    • These are all good questions to be sure, lets answer them one at a time:

      1. What kind of training do I need to learn how to keep my data safe?

      For most, you need nothing more than the initiative to learn. There are plenty of well-written books out there on security, encryption, and the like. Although some look down on them as script kiddie manuals, I like the "Hacking (windows/linux/whatever) Exposed" series of books. They can walk you through the mechanics and means of prevention of common exploits, bo
    • On the FreeBSD question, you should use whatever you're supremely competent in administering.

      If you're not a competent admin, you could use a custom SE Linux based setup that's .gov cleared for security and *still* be insecure.

      There's people out there who can set up fairly secure Windows servers from what I hear. I'm not one of them. Since I'm very comfortable administering a Linux box, that's the most secure machine for me to run.

      So in conclusion, run the OS you know how to secure. Barring that, hire
    • "I'd like to run a server out of my home, and collect personal information from users (it's an online business)"

      Just make sure that the computer with personal information is separate from the webserver, and any information is transferred using textfiles on a USB disk or floppy.

      Then make the data-storage computer dedicated to its task (i.e. no other applications, no net access) and put everything on an encrypted disk partition (they're trivial to create in any OS)

      Don't keep any information you don't absol
      • Oh, and forgot the obvious one: be prepared to keep your data secure from police officers (both real ones and fake ones, especially on the phone) - be sure your setup is raid-proof, and find out about the relevant laws before you need to quote them.

        (Naturally, that will make your setup one step more secure than completely clueless operators such as Rackspace [truthout.org] -- does anyone actually knew who they gave their customers' servers to, other than that they claimed to be FBI? )
  • I'm really glad (Score:3, Insightful)

    by RealAlaskan ( 576404 ) on Tuesday April 12, 2005 @12:30PM (#12213919) Homepage Journal
    I'm really glad that I was always way too cheap to be a customer.

    Most of their data content (as opposed to news articles) comes from government agencies, is in the public domain, and is just a Google search away.

    I've always said that a combination of Google and Google news alerts [google.com] is the poor man's Lexis-Nexis, and now we see that it's not just cheaper, it's safer.

    All those folks who paid Lexis-Nexis' fees to save time are suddenly going to be wasting a lot of time dealing with identity theft. I may come out ahead not only in saved money, but in saved time, too. For once, being cheap has paid off.

    • Re:I'm really glad (Score:5, Insightful)

      by amliebsch ( 724858 ) on Tuesday April 12, 2005 @12:43PM (#12214091) Journal
      Most of their data content (as opposed to news articles) comes from government agencies, is in the public domain, and is just a Google search away.

      Um. Have you ever had to do any serious legal research? Having done so, let me tell you, the breadth of their content, along with its consistency in format, cross-referencing, editorial content, and user tools are way beyond anything that is freely available.

    • Re:I'm really glad (Score:2, Informative)

      by program21 ( 469995 )
      It's not just people who were customers of theirs; Lexis-Nexis also maintains records about people, much like ChoicePoint does. So not being a customer doesn't necessarily mean that they don't have information about you.
    • Re:I'm really glad (Score:5, Informative)

      by The Good Reverend ( 84440 ) <michael@mQUOTEichris.com minus punct> on Tuesday April 12, 2005 @12:47PM (#12214141) Journal
      Most of their data content (as opposed to news articles) comes from government agencies, is in the public domain, and is just a Google search away.

      That's simply not true. As someone uses Lexis-Nexis' public records and data content every day, as well as google, there's a lot of information that isn't available on the free internet. While a lot of it IS in the public domain, it's not centralized, and it's not updated, and it's not reliable. If you have some source publically and freely available, I'd love to know about it.
      • ... there's a lot of information that isn't available on the free internet.

        I don't do legal research, just economics. They may have some proprietary content, but nothing that I've ever needed was available there only. I understand that other people have other needs.

        While a lot of it IS in the public domain, it's not centralized,

        That's too true, though Google comes close, if you know what to look for. They can get you a lot of stuff, though every single thing they show you has a different presentat

  • LexisNexis might make it into gueness book of records as the most sued company. I was asked to use this service in university and was really baffled. They have some ridiculous charges - several dollars per minute - or was it per article retrieved? Anyone who uses this kind of thing when you can just search the web is either an idiot or is paying with other people's money. A lawyer sounds about right.
  • by eno2001 ( 527078 ) on Tuesday April 12, 2005 @12:32PM (#12213945) Homepage Journal
    I sure don't think so. As long as computer systems and their security are incredibly complex mechanisms that only a fraction of the people on the planet can operate, we're going to be in this boat. Sit down and think for a minute. In the past (long before computers) confidential and valuable information or posessions were stored by trusted sources. Banks, legal firms, certain museums, etc... They all were more than capable of protecting valuable information or posessions from theft. The occasional break in would happen, but not anywhere near the frequency that we see computer systems being compromised. And who was responsible for security in those insititutions? Did we have security staff that went to college and were learned in maths and science? Were the lawyers who protected secrets expert lock smiths and did they have break-in drills to hone their security? No.

    So how did we survive all those centuries without the need for the kind of security practices we see as a requirement today? I'll [tt]ell you how... the systems that secured the information or posessions were built with security in mind. A bank vault, for instance, isn't going to be made out of glass, ceramic or some other easily penetrable substance (like certain biological orifices). When it came to the legal profession in the past, there were stronger barriers to entry. Those barriers, for the most part, ensured the integrity of the people who entered into the profession. Again, for legal professionals of the past, confidentiality was assured as far as can be since we are all human.

    The plain truth that no one wants to acknowledge is that computers are not secure by nature. The OS or hardware platforms all have faults (with the possible exception of OpenVMS on Alphas). What is needed is a completely new hardware and OS platform that is built completely with security in mind. A system where the hardware platform has restrictions built in that only allow proper access through only one channel. Just a vault only has one door, so too should a system, that is storing sensitive data. This should be implemented in hardware BEFORE the OS.

    Why isn't this happening? Because it's not profitable enough. There isn't enough demand for this kind of system yet, and there won't be demand until the businesses are made to acknowledge that these kinds of break ins are unacceptable.
    • A system where the hardware platform has restrictions built in that only allow proper access through only one channel. Just a

      vault only has one door, so too should a system, that is storing sensitive data

      Only one opening ...

      I can see it now ...

      Microsoft WINDOW

      The Secure OS.

      Only 1 Window.

      Only 1 point of access.

      Only 1 point of failure.

      Only 1 application to protect.

      Microsoft WINDOW.

      (formerly known as MS-DOS 2.0)

      Buy it now. Or else!

    • The OS or hardware platforms all have faults (with the possible exception of OpenVMS on Alphas).

      I seem to remember it was OpenVMS on the VAX platform that had the hardware-enforced security contexts, but it could have been there on the Alpha as well. I used to admin VAXen and Alphas until Unix and WinNT took over, and I assure you that the much-vaunted security didn't mean much, although it was better than many other systems available at the time. For one thing, the OS was unfriendly enough that getting

  • arrogance (Score:5, Informative)

    by netruner ( 588721 ) on Tuesday April 12, 2005 @12:33PM (#12213953)
    I took a class in grad school on the general legal environment in engineering (mostly IP issues), but for part of our legal research, we were given access to Lexus Nexus by one of their sales reps. Part of us being given access was that we had to listen to the rep talk about the company. I questioned whether ornot the responsability of keeping such a large database with such personal info in it was a nitemarish liability, and was told by the rep that if anyone wanted to sue them "I'ts a company full of lawyers- good luck".
    • "I'ts a company full of lawyers- good luck".

      That just means that it takes a bigger stick than an most individuals can employee.
    • SCO is a company full of lawyers, and look how much good it's doing them. If they're really caught with their pants down, they are going to pay. Especially if it can be show that they've had a reckless attitude towards security (those comments you heard were probably not the only ones like that). I'd say LexisNexis will be in for a tough lesson in the legal system and the court of public opinion. Every time something like this happens, more and more people write their congressman and demand new laws be pass
  • For free identity theft monitoring, please send your name, social security number, birth date, credit card numbers with expiration dates, and address to protectmyidentity@gmail.com. We will take care of your credit record for you and guarantee that you will never have to worry about your good credit record ever again.
  • Can you change your social security number? 9 digits seems enough for only one per person in the US, maybe 3 per person. I know they reuse these numbers over time. Why not have a 16 digit number, like credit cards do, so that you can change it and invalidate the old one if your identity gets stolen.

    • Why not have a 16 digit number, like credit cards do, so that you can change it and invalidate the old one if your identity gets stolen.

      The gov't would have a hard time accepting such ease in changing one's identity. Moreover, it would inconvenience creditors.
  • If you want this crap to stop being as bad as it is, we're going to have to accept some inconvience. (GASP!)

    The only reason this info is such a problem, is because companies like this have set it up as the key to instant credit. Require people making a claim of debit against a person to show proof that they have the right guy, and the problem is reduced.

    It will lead to some inconvient (GASP!) problems, so the question is wether the general public and government has the will to fix the problem. I'm not optom

  • Important note (Score:3, Insightful)

    by AndroidCat ( 229562 ) on Tuesday April 12, 2005 @12:44PM (#12214100) Homepage
    The thing to remember about the LexisNexis breach is not that someone had access to personal information about 300,000 people. Hell, LexisNexis customers do that all the time and to a lot more than that. (That's why it's all in the database, duh!) No, the important thing is that someone accessed that data, and didn't pay for it!

    These fiends must be immediately caught and billed!

  • but I don't see what exactly as IANAL. : P

    Okay, maybe there's something we could do in the way of cryptography and applying one-time pad techniques to SSNs or public cryptography. They give you their public #, you generate a # complimentary to your private #, so on. Not a solution by itself, but adding a layer of difficulty.

    We need stronger punishments upon conviction but imprisonment isn't the only answer. They need to be b*tch-slapped in perpetuity any time they operate computers, engage in anything
  • by lcsjk ( 143581 ) on Tuesday April 12, 2005 @12:47PM (#12214149)
    I was set for life. With a new identity, I would get retirement for years and live happily on the beach. Then I got notice that I had died just a few days ago. So now I have a new identity, but I'm dead. Wonder if I can get my old job back....
  • Basically this shows that LexisNexis has no ability to audit not only who's accessing their databases, but how much data they've been accessing!?!

    That's just great. Just to think, while I've been writing this post I'm sure their databases have sucked up countless bits of info... Which I'm sure is already in the hands of some information broker in some shady 3rd world country.

    When the next "9/11" happens, I'll bet a box of donuts they'll trace the money back to some granny in Idaho whose been in a coma fo
  • by akad0nric0 ( 398141 ) on Tuesday April 12, 2005 @12:58PM (#12214308)
    Among the most important, IMO, are:
    1) More news coverage. As we've seen with many things in the past few years, only if it's on the news a lot will US citizens get upset. It's a sad commentary on the education of our population, but it's true. See also: Terri Schaivo.
    2) Legislation. Time and time again, corporations (and indeed entire industries) prove that when their bottom line is involved, they will not self-police.

    While other things in the world are certainly news-worthy, I hope this one doesn't get overlooked. If you're upset, write your senator or representative. Urge them to support Dianne Feinstein's legislation [com.com] on tougher data-leak laws. I would, but I live in DC, which means I'm taxed but have no representation.
  • The high profile database compromises of the last several months have served to push this issue to the forefront of the public consciousness and fueled public frustration. This is an obvious case of negative externality and should clearly be addressed with legislation that imposes regulatory requirements on companies which engage in the business of selling information. In this case the consumer, who is a third party to the transactions between these companies and their clients, is severely harmed by the neg
    • Yeah, I love how LN is giving the people 1 year of free credit monitoring, identity theft protection, etc. Guess what - the people who stole the info will still have that info after that year runs out. That's just plain retarded. A publicity gimmick more than a real fix.

      Government should require them to pay for those services for LIFE for those people.

      With the prices LN charges for their service, they better be able to afford it, or else someone is laundering some money offshore.
  • by Dark Coder ( 66759 ) on Tuesday April 12, 2005 @03:41PM (#12216388)
    To reduce the identity theft immensely, one or more of the following MUST be legislated:

    1. Replace the SSN with SecureID card with challenge keypad (none of those biometric foo-foo crap, bio is non-revokable)

    2. Make data aggregation illegal (ooooh, sorry credit bureaus)

    3. Make IRS the focal point of multi-keyed 2nd-generation SSN registration centre (sorry SSA, you screwed up, big-time!)

    4. Customer "optionally" generate a NEW SSN for each business or financial institutions. (remember, data aggregation should be illegal)

    5. Credit Bureau would function just fine (just a bit laggard with aggregation effort).

    Once imposed, identity theft would (I guarantee this) be reduced to insignificant amount.

    UNTIL THEN, nothing is currently being done to reduce the water flow from the Dutch Boy's leaking dikes.

    It doesn't take much brain to resolve this crisis, just time and money. The Congress has absolutely no clue on how to fix this mess... Write your congressman today with these suggestions.

You know you've landed gear-up when it takes full power to taxi.

Working...