The link between the LexisNexis and Paris Hilton investigations is supported by online conversations that a washingtonpost.com reporter had with the minor whose home was searched. The minor said he was involved in both intrusions and provided an image of what he said was a Web page that only T-Mobile employees would have access to. He also provided an image that appeared to be a search-results screen that only a LexisNexis account holder would be able to see.
Officials from both companies declined to comment on the authenticity of the screen shots or on whether they could only have been taken by a person who had gained access to a restricted part of their online networks.
According to an account provided by the teenaged member of the hacker group -- and confirmed by the law enforcement source who insisted on anonymity -- the LexisNexis break-in was set in motion by a blast of junk e-mail. Sometime in February a small group of hackers, many of whom only knew each other through online communications, sent out hundreds of e-mails with a message urging recipients to open an attached file to view pornographic child images. The attachments had nothing to do with child porn; rather, the files harbored a virus that allowed the group's members to record anything a recipient typed on his or her computer keyboard.
According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department's account at Accurint, a LexisNexis service provided by Florida-based subsidiary Seisint Inc., which sells access to consumer data. Other officers' login information may have been similarly stolen, the law enforcement source said.
The young hacker said the group members then created a series of sub-accounts using the police department's name and billing information. Over several days, the hacker said the group looked up thousands of names in the database, including friends and celebrities. The law enforcement source said the group eventually began selling Social Security numbers and other sensitive consumer information to a ring of identity thieves in California. washingtonpost.com has not been able to reach the young source to seek comment about the sale of personal information.
LexisNexis disclosed on March 9 that records on 32,000 individuals were downloaded by an unknown person or persons who gained access to the company's database using compromised user accounts. A month later, the company said it determined that 310,000 personal records had been accessed over a series of weeks and said it was taking steps to investigate the intrusions and to heighten its database security.
Kurt P. Sanford, head of LexisNexis's corporate and federal markets group, told The Washington Post in March that employees trying to integrate LexisNexis computer security systems with those of the recently acquired Seisint found evidence of 59 incidents of improper access -- 57 against Seisint and two against LexisNexis's systems in Dayton, Ohio.
A subsequent company probe discovered that fraud artists had assumed the identities of legitimate customers and used their passwords to download data. In one case, Sanford said, a LexisNexis sales representative gave a potential customer access for a trial, and it was used to run 20 searches.
In some cases, Sanford told The Post in March, perpetrators used computer programs to generate IDs and passwords that matched those of legitimate customers. In other cases, he said, hackers appear to have collected IDs and passwords after using computer viruses to collect the information from infected machines as they were being used.
The same hacker group that stole the LexisNexis information also was responsible for the high-profile attack on Paris Hilton's cell phone, according to the young hacker. The law enforcement source also said officials are investigating a connection between the two incidents.
Computer security flaws played a role in the Paris Hilton data theft, in which the hacker group was able to exploit a programming glitch in T-Mobile's employee-only Web site. But the young hacker said the theft of Hilton's T-Mobile account only succeeded after a member of the group convinced a worker at a T-Mobile store in California to divulge information that only employees are supposed to know.
Millions of consumers have been exposed to potential identity theft in 14 major breaches in the past year at various brokers, universities, banks and other institutions. In February, ChoicePoint Inc. said fraud artists had posed as Los Angeles businessmen to access personal information about at least 145,000 people.
Press reports soon followed that Bank of America Corp. lost computer tapes containing financial data on 1.2 million federal workers, including U.S. senators, and that credit card numbers were stolen by hackers from 103 of shoe retailer DSW Inc.'s 175 stores.
LexisNexis acquired Seisint last summer for $775 million in cash. At the time, the Florida firm was best known as the company behind the Matrix, a counter-terrorism supercomputer which enabled law enforcement and intelligence authorities to blend investigative files with billions of public records.
The disclosure of the ChoicePoint incident was due in part to a California law that requires companies doing business with California consumers to alert state residents if a security breach compromises their personal or financial data. Spurred into action by the California law, at least 23 states have passed or are debating legislation that mirrors the California statute. Several members of Congress from both parties also have introduced similar bills or are preparing to do so.
Paris Hilton Hack Started With Old-Fashioned Con
In his cyber-security blog, Brian Krebs looks at how identity thieves can use phone number "spoofing" to gain access to senstive information. 