Information broker LexisNexis Group said yesterday that the security breaches it announced last month could affect roughly 310,000 consumers -- about 10 times as many as first thought -- leading several legislators to describe the ongoing bleeding of sensitive personal data as out of control.
Millions of consumers have been exposed to potential identity theft in 14 major breaches in the past year at various brokers, universities, banks and other institutions.
LexisNexis Press Release: LexisNexis Concludes Review of Data Search Activity, Identifying Additional Instances of Illegal Data Access (Apr 12, 2005)
LexisNexis.com: Privacy Resources for Consumers
washingtonpost.com: Protect Yourself From ID Theft
States Scramble To Protect Data (The Washington Post, Apr 9, 2005)
Net Aids Access to Sensitive ID Data (The Washington Post, Apr 4, 2005)
Data Brokers Vow to Protect Personal Information (The Washington Post, Mar 16, 2005)
Data Under Siege (The Washington Post, Mar 10, 2005)
Databases Called Lax With Personal Information (The Washington Post, Feb 25, 2005)
ID Data Conned From Firm (The Washington Post, Feb 17, 2005)
Yesterday's announcement is a particularly harsh blow to the largely unregulated mega-brokers such as LexisNexis, ChoicePoint Inc. and Acxiom Corp., which are part of a booming marketplace for personal data that also involves smaller resellers, marketers, some private investigators and others.
"When a company like LexisNexis so badly underestimates its own ID theft breaches, it is clear that things are totally out of hand," said Sen. Charles E. Schumer (D-N.Y.), who along with Sen. Bill Nelson (D-Fla.) introduced a bill to limit the sale of personal data.
More than two dozen states are examining identity theft legislation, while several members of Congress from both parties have introduced bills or are preparing to do so. The Senate Judiciary Committee is scheduled to hold a hearing this morning.
The new figures at LexisNexis, the company said, reflect internal investigations that analyzed data over the past two years and found that unauthorized people used IDs and passwords of legitimate customers to obtain consumers' Social Security numbers, driver's license numbers, names and addresses.
Most of the breaches were at the company's Florida-based Seisint Inc. subsidiary. Company officials said they are working with law enforcement agencies investigating the cases.
"We regret that consumers, who traditionally are the primary beneficiaries of our risk management products and services, may have been affected by these events," Kurt P. Sanford, head of LexisNexis's corporate and federal markets group, said in a statement. "We have taken a number of significant actions in recent weeks to further guard against these types of fraudulent intrusions at our customer sites and to enhance our security procedures and policies overall."
The company said affected consumers would be offered a free credit report and monitoring for a year. To date, no identity fraud or theft -- in which consumers' accounts were accessed or unauthorized purchases made -- has been attributed to the LexisNexis breaches.
In an interview, Sanford said the company discovered 59 incidents of improper access to the data.