[ISN] LexisNexis: Files May Have Been Breached

InfoSec News isn at c4i.org
Wed Apr 13 06:12:52 EDT 2005


April 12, 2005

LONDON (AP) - Criminals may have breached computer files containing
the personal information of 310,000 people, a tenfold increase over a
previous estimate of how much data was stolen from information broker
LexisNexis, the company's parent said Tuesday.

Last month, London-based publisher and data broker Reed Elsevier Group
PLC said criminals may have accessed personal details of 32,000 people
via a breach of its recently acquired Seisint unit, part of Dayton,
Ohio-based LexisNexis. LexisNexis is a Reed subsidiary.

Reed said it identified 59 instances since January 2003 in which
identifying information such as Social Security numbers or driver's
license numbers may have been fraudulently acquired on thousands of

Information accessed included names, addresses, Social Security and
driver license numbers, but not credit history, medical records or
financial information, the company said.

Reed spokesman Patrick Kerr said that the first batch of breaches was
uncovered by Reed during a review and integration of Seisint's systems
shortly after it purchased the Boca Raton, Fla.-based unit for $775
million in August.

Seisint provides data for Matrix, a crime and terrorism database
funded by the U.S. government, which has raised concerns among civil
liberties groups. The Matrix database was not involved in the breach,
the company has said.

Seisint's databases store millions of personal records including
individuals' addresses and Social Security numbers. Customers include
police and legal professionals and public and private sector

The company said the 59 identified instances of fraudulently obtained
information - 57 at Seisint and two in other LexisNexis units - are
largely related to the improper use of IDs and passwords belonging to
legitimate customers. It stressed that neither LexisNexis nor the
Seisint technology infrastructure was breached by hackers.

Kerr said the company has since ensured that the system is watertight
by improving login systems and security checks.

He said only 2 percent of the 32,000 people it notified about the
possible theft of their personal information in March have contacted
LexisNexis to accept its offer of free credit reports and credit
monitoring, and none has so far advised LexisNexis that they have
experienced any form of identity theft.

However, LexisNexis Chief Executive Kurt Sanford said Tuesday that of
the 32,000 who were notified, law enforcement officials have
identified 10 who investigators believe may have been victims of
identity theft. He said it is unclear whether those possible thefts
are related to the breach at LexisNexis.

Investigators said only three of those people appeared to have been
the victims of financial fraud, Sanford said.

The breach is being investigated by the FBI's cyber-crime squad in
Cincinnati. FBI spokesman Mike Brooks would say only that the agency
is pursuing leads.

Rep. Edward Markey, D-Mass., who has introduced legislation designed
to increase protections of consumer data, said LexisNexis turned a
blind eye to customer protection.

But Sanford said LexisNexis had initiated the review and notified
potential victims.

"We're going to fix this," he said. "The congressman's statement
overreaches and mischaracterizes the situation."

Reed Elsevier played down the effect of the breach on its profits,
reaffirming its target of higher earnings and at least 5 percent
growth in revenues excluding acquisitions.

The breach at Seisint is the second of its kind at a major information
provider in recent months. Rival data broker ChoicePoint Inc. (CPS)  
announced last month that the personal information of 145,000
Americans may have been compromised in a breach in which thieves
posing as small business customers gained access to its database.

In the ChoicePoint scam, at least 750 people were defrauded,
authorities say. The case fueled consumer advocates' calls for federal
oversight of the loosely regulated data-brokering business, and
Capitol Hill hearings on the topic were held last month and are
continuing this week.

Reed Elsevier specializes in the education, legal and science sectors,
publishing more than 10,000 journals, books and compact discs, as well
as almost 3,000 Web sites and portals. It also organizes 430 trade
exhibitions. The LexisNexis division specializes in legal and business

More information about the ISN mailing list