In some cases, he said, perpetrators used computer programs to generate IDs and passwords that matched those of legitimate customers. In other cases, he said, hackers appear to have collected IDs and passwords after using computer viruses to collect the information from infected machines as they were being used.
Sanford speculated that ex-employees of companies with subscriptions to LexisNexis might account for some of the breaches.
As with a recent breach announced by ChoicePoint, unauthorized parties also set up accounts with LexisNexis posing as legitimate businesses, Sanford said.
In one case, a LexisNexis sales representative gave a potential customer access for a trial, and it was used to run 20 searches.
Sanford said 57 of the incidents involved the Seisint unit, while two were committed against LexisNexis's systems in Dayton, Ohio. Seisint, which sells data gathered from extensive searches of public records to businesses, law enforcement agencies, private investigators and others, was bought by LexisNexis last year. LexisNexis, which also sells data, in turn is owned by London-based information publishing giant Reed Elsevier Group PLC.
Sanford pledged the company's continuing cooperation with Congress, the Federal Trade Commission and state attorneys general to address how the data marketplace should be made more secure.
The head of the FTC and the brokers support a national law requiring notification of consumers when breaches occur. The proposal, however, would allow the firms to decline to do so if they determine that identity theft is unlikely to result.
But Monday, Sen. Dianne Feinstein (D-Calif.) offered a toughened bill without the exception, which privacy advocates had labeled a loophole. California has the only notification law in the country.
Her bill also would allow consumers to put a seven-year fraud alert in their credit files, which forces credit agencies to be more careful in transferring personal data.
"It would be criminal to expose millions of additional people to the risk of their personal information falling into the hands of those who have no right to it," Feinstein said in a statement. "This is a David versus Goliath battle. We need a national notification standard now."
The Schumer-Nelson bill, meanwhile, would employ a series of security and notification measures, requiring that data brokers register and be regulated by the FTC.
Consumers would have the right to put their names on a list prohibiting transfer of their data without their permission and to limit the availability and use of Social Security numbers as identifiers.
On the House side, Rep. Joe Barton (R-Tex.), chairman of the Energy and Commerce Committee, called yesterday's disclosure by LexisNexis "alarming, but hardly unusual."
Barton has said he plans legislation, in conjunction with Rep. Edward J. Markey (D-Mass.), to restrict the use of Social Security numbers and to require notification of breaches.