LexisNexis Data Breach Bigger Than Estimated

By Jonathan Krim
Washington Post Staff Writer
Wednesday, April 13, 2005

Information broker LexisNexis Group said yesterday that the security breaches it announced last month could affect roughly 310,000 consumers -- about 10 times as many as first thought -- leading several legislators to describe the ongoing bleeding of sensitive personal data as out of control.

Millions of consumers have been exposed to potential identity theft in 14 major breaches in the past year at various brokers, universities, banks and other institutions.

Yesterday's announcement is a particularly harsh blow to the largely unregulated mega-brokers such as LexisNexis, ChoicePoint Inc. and Acxiom Corp., which are part of a booming marketplace for personal data that also involves smaller resellers, marketers, some private investigators and others.

"When a company like LexisNexis so badly underestimates its own ID theft breaches, it is clear that things are totally out of hand," said Sen. Charles E. Schumer (D-N.Y.), who along with Sen. Bill Nelson (D-Fla.) introduced a bill to limit the sale of personal data.

More than two dozen states are examining identity theft legislation, while several members of Congress from both parties have introduced bills or are preparing to do so. The Senate Judiciary Committee is scheduled to hold a hearing this morning.

The new figures at LexisNexis, the company said, reflect internal investigations that analyzed data over the past two years and found that unauthorized people used IDs and passwords of legitimate customers to obtain consumers' Social Security numbers, driver's license numbers, names and addresses.

Most of the breaches were at the company's Florida-based Seisint Inc. subsidiary. Company officials said they are working with law enforcement agencies investigating the cases.

"We regret that consumers, who traditionally are the primary beneficiaries of our risk management products and services, may have been affected by these events," Kurt P. Sanford, head of LexisNexis's corporate and federal markets group, said in a statement. "We have taken a number of significant actions in recent weeks to further guard against these types of fraudulent intrusions at our customer sites and to enhance our security procedures and policies overall."

The company said affected consumers would be offered a free credit report and monitoring for a year. To date, no identity fraud or theft -- in which consumers' accounts were accessed or unauthorized purchases made -- has been attributed to the LexisNexis breaches.

In an interview, Sanford said the company discovered 59 incidents of improper access to the data.

In some cases, he said, perpetrators used computer programs to generate IDs and passwords that matched those of legitimate customers. In other cases, he said, hackers appear to have harvested IDs and passwords by using computer viruses that captured the information from infected machines as they were being used.
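The first kind of abuse Sanford describes, a program cycling through ID and password combinations until one matches a real customer's, leaves a recognizable trail in authentication logs: bursts of failed logins from one source, either hammering one account or walking through many, often followed by a success. The script below is an added illustration of that detection logic and is not code from the article, LexisNexis or Seisint; the log format, the sample lines and the thresholds are all constructed for the example.

```python
"""Flag password-guessing patterns in a constructed customer-login log.

Added example. The log format (timestamp, source IP, customer ID, OK/FAIL)
and every line in SAMPLE_LOG are assumptions made for this illustration;
they are not LexisNexis or Seisint data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one login attempt per line.
SAMPLE_LOG = """\
2005-03-01T10:00:01 203.0.113.5 cust1042 FAIL
2005-03-01T10:00:02 203.0.113.5 cust1042 FAIL
2005-03-01T10:00:03 203.0.113.5 cust1042 FAIL
2005-03-01T10:00:04 203.0.113.5 cust1042 FAIL
2005-03-01T10:00:05 203.0.113.5 cust1042 FAIL
2005-03-01T10:00:06 203.0.113.5 cust1042 OK
2005-03-01T10:05:00 198.51.100.7 cust2001 FAIL
2005-03-01T10:05:01 198.51.100.7 cust2002 FAIL
2005-03-01T10:05:02 198.51.100.7 cust2003 FAIL
2005-03-01T10:05:03 198.51.100.7 cust2004 FAIL
2005-03-01T10:05:04 198.51.100.7 cust2005 FAIL
2005-03-01T10:05:05 198.51.100.7 cust2006 FAIL
2005-03-01T11:30:00 192.0.2.9 cust3100 FAIL
2005-03-01T11:31:00 192.0.2.9 cust3100 OK
"""

WINDOW = timedelta(minutes=10)   # sliding window per source IP (assumed)
FAIL_THRESHOLD = 5               # failures from one source within WINDOW
SPRAY_ACCOUNTS = 5               # distinct accounts tried from one source within WINDOW
GUESS_PRIOR_FAILS = 3            # failures on an account right before a success


def parse_log(text):
    """Return (timestamp, ip, account, succeeded) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, acct, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, acct, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect(events):
    """Return a list of (kind, source_ip, account) findings, in log order.

    kinds:
      brute-force        many failures from one source within WINDOW
      password-spray     one source trying many different accounts
      guessed-credential a success immediately after a run of failures
                         on the same account, the sign a guess landed
    """
    findings = []
    recent = defaultdict(deque)        # ip -> deque of (ts, acct) failures in window
    fails_per_acct = defaultdict(int)  # acct -> consecutive failures so far
    flagged = set()                    # (kind, ip) already reported

    for ts, ip, acct, ok in events:
        q = recent[ip]
        while q and ts - q[0][0] > WINDOW:   # expire old failures
            q.popleft()

        if ok:
            if fails_per_acct[acct] >= GUESS_PRIOR_FAILS:
                findings.append(("guessed-credential", ip, acct))
            fails_per_acct[acct] = 0
            continue

        fails_per_acct[acct] += 1
        q.append((ts, acct))

        if len(q) >= FAIL_THRESHOLD and ("brute-force", ip) not in flagged:
            flagged.add(("brute-force", ip))
            findings.append(("brute-force", ip, acct))

        if (len({a for _, a in q}) >= SPRAY_ACCOUNTS
                and ("password-spray", ip) not in flagged):
            flagged.add(("password-spray", ip))
            findings.append(("password-spray", ip, "*"))

    return findings


def run():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, ip, acct in run():
        print(f"{kind:20s} source={ip:14s} account={acct}")
```

The single failure followed by a success from 192.0.2.9 is deliberately left unflagged: one mistyped password is normal, and a detector that fires on it would drown the analyst. The two signals worth acting on are the source that spends its failures on one account and then succeeds, which is the pattern to lock or re-verify, and the source that spreads failures across many accounts, which rarely has a legitimate explanation on a subscription service.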

Sanford speculated that ex-employees of companies with subscriptions to LexisNexis might account for some of the breaches.

As with a recent breach announced by ChoicePoint, unauthorized parties also set up accounts with LexisNexis posing as legitimate businesses, Sanford said.

In one case, a LexisNexis sales representative gave a potential customer access for a trial, and it was used to run 20 searches.

Sanford said 57 of the incidents involved the Seisint unit, while two were committed against LexisNexis's systems in Dayton, Ohio. Seisint, which sells data gathered from extensive searches of public records to businesses, law enforcement agencies, private investigators and others, was bought by LexisNexis last year. LexisNexis, which also sells data, in turn is owned by London-based information publishing giant Reed Elsevier Group PLC.

Sanford pledged the company's continuing cooperation with Congress, the Federal Trade Commission and state attorneys general to address how the data marketplace should be made more secure.

The head of the FTC and the brokers support a national law requiring notification of consumers when breaches occur. The proposal, however, would allow the firms to decline to do so if they determine that identity theft is unlikely to result.

But Monday, Sen. Dianne Feinstein (D-Calif.) offered a toughened bill without the exception, which privacy advocates had labeled a loophole. California has the only notification law in the country.

Her bill also would allow consumers to put a seven-year fraud alert in their credit files, which forces credit agencies to be more careful in transferring personal data.

"It would be criminal to expose millions of additional people to the risk of their personal information falling into the hands of those who have no right to it," Feinstein said in a statement. "This is a David versus Goliath battle. We need a national notification standard now."

The Schumer-Nelson bill, meanwhile, would employ a series of security and notification measures, requiring that data brokers register and be regulated by the FTC.

Consumers would have the right to put their names on a list prohibiting transfer of their data without their permission and to limit the availability and use of Social Security numbers as identifiers.

On the House side, Rep. Joe Barton (R-Tex.), chairman of the Energy and Commerce Committee, called yesterday's disclosure by LexisNexis "alarming, but hardly unusual."

Barton has said he plans legislation, in conjunction with Rep. Edward J. Markey (D-Mass.), to restrict the use of Social Security numbers and to require notification of breaches.

© 2005 The Washington Post Company