washingtonpost.com
Computers Seized in Data-Theft Probe
Federal Investigators Remove PCs, Discs From Several Locations; LexisNexis Break-In Linked to Paris Hilton Phone Hacking

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, May 19, 2005 6:16 PM

The federal investigation into the massive theft of sensitive personal records from database giant LexisNexis Inc. intensified this week with the execution of search warrants and seizure of evidence from several individuals across the country, according to federal law enforcement officials.

Three people targeted in the investigation confirmed that federal investigators had served warrants at their homes. The group included a minor who has been in contact with a washingtonpost.com reporter for three months and who said he was directly involved in the LexisNexis breach.

Another of the three, Zach Mann, 18, of Maple Grove, Minn., said FBI and Secret Service personnel came to his home Monday and removed personal computers and dozens of computer discs.

"They came looking for anything connected with LexisNexis," Mann said, before deferring further comment to his attorney, who confirmed that a federal search warrant had been executed at his client's address.

Michael Brooks, a spokesman for the FBI's Cincinnati field office, confirmed that FBI and Secret Service agents served the search warrant at Mann's residence and that the warrant was related to the LexisNexis investigation. Paul Bresson, an FBI spokesman in Washington, said search warrants related to the LexisNexis investigation were served in California on Monday and Tuesday.

"They busted down the door and ran at me with guns pointed in my face," said  Jason Hawks, 23, of Winston-Salem, N.C., in a telephone interview, adding that he called 911 because he "saw people surrounding the house and I thought it was burglars at first." 

Hawks said agents pulled him outside on the front lawn and grilled him with a series of questions about the LexisNexis intrusions. He said agents showed him a short list of names and asked whether he had looked them up using a stolen account for a LexisNexis service. Hawks said he admitted to the agents that he had.

"I gave them everything they wanted to know but they still played the good cop, bad cop game," Hawks said. "They wanted to know whether I'd sold any of the information I saw, and I told them I didn't do any of that, that someone handed me a link and login and I just got caught up in it."

The minor, whose identity is not being revealed because he is a juvenile crime suspect and because he communicated with a washingtonpost.com reporter on condition of anonymity, said federal officials "raided" his home this week and seized his computer. He said investigators "got everybody" involved in the digital break-in.

Nine people in all were served search warrants by investigators, according to a senior federal law enforcement official who asked not to be identified because of his role in this and other ongoing investigations. The official said several members of the group are also believed by investigators to be involved in the much-publicized hacking in February of hotel heiress Paris Hilton's T-Mobile cell phone account, but he did not specify which members.

The law enforcement source also said the arrest Tuesday of four people in Northern California was connected to the LexisNexis investigation. But when contacted by washingtonpost.com, Special Agent Larae Quy at the San Francisco FBI field office said four individuals were detained by Hayward, Calif., authorities on drug-related charges but did not confirm a connection to the LexisNexis investigation, saying the warrants had been sealed by a court order and that she was barred from discussing anything about them.

Officials at the Washington headquarters of the Secret Service declined to comment when contacted about the investigation.

The link between the LexisNexis and Paris Hilton investigations is supported by online conversations that a washingtonpost.com reporter had with the minor whose home was searched. The minor said he was involved in both intrusions and provided an image of what he said was a Web page that only T-Mobile employees would have access to. He also provided an image that appeared to be a search-results screen that only a LexisNexis account holder would be able to see. 

Officials from both companies declined to comment on the authenticity of the screen shots or on whether they could only have been taken by a person who had gained access to a restricted part of their online networks.

According to an account provided by the teenaged member of the hacker group -- and confirmed by the law enforcement source who insisted on anonymity -- the LexisNexis break-in was set in motion by a blast of junk e-mail. Sometime in February a small group of hackers, many of whom only knew each other through online communications, sent out hundreds of e-mails with a message urging recipients to open an attached file to view pornographic child images. The attachments had nothing to do with child porn; rather, the files harbored a virus that allowed the group's members to record anything a recipient typed on his or her computer keyboard.

According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department's account at Accurint, a LexisNexis service provided by Florida-based subsidiary Seisint Inc., which sells access to consumer data. Other officers' login information may have been similarly stolen, the law enforcement source said.

The young hacker said the group members then created a series of sub-accounts using the police department's name and billing information. Over several days, the hacker said the group looked up thousands of names in the database, including friends and celebrities. The law enforcement source said the group eventually began selling Social Security numbers and other sensitive consumer information to a ring of identity thieves in California. washingtonpost.com has not been able to reach the young source to seek comment about the sale of personal information.

LexisNexis disclosed on March 9 that records on 32,000 individuals were downloaded by an unknown person or persons who gained access to the company's database using compromised user accounts. A month later, the company said it determined that 310,000 personal records had been accessed over a series of weeks and said it was taking steps to investigate the intrusions and to heighten its database security.

Kurt P. Sanford, head of LexisNexis's corporate and federal markets group, told The Washington Post in March that employees trying to integrate LexisNexis computer security systems with those of the recently acquired Seisint found evidence of 59 incidents of improper access -- 57 against Seisint and two against LexisNexis's systems in Dayton, Ohio.

A subsequent company probe discovered that fraud artists had assumed the identities of legitimate customers and used their passwords to download data. In one case, Sanford said, a LexisNexis sales representative gave a potential customer access for a trial, and it was used to run 20 searches.

In some cases, Sanford told The Post in March, perpetrators used computer programs to generate IDs and passwords that matched those of legitimate customers. In other cases, he said, hackers appear to have collected IDs and passwords after using computer viruses to collect the information from infected machines as they were being used.

The same hacker group that stole the LexisNexis information also was responsible for the high-profile attack on Paris Hilton's cell phone, according to the young hacker. The law enforcement source also said officials are investigating a connection between the two incidents.

Computer security flaws played a role in the Paris Hilton data theft, in which the hacker group was able to exploit a programming glitch in T-Mobile's employee-only Web site. But the young hacker said the theft of Hilton's T-Mobile account only succeeded after a member of the group convinced a worker at a T-Mobile store in California to divulge information that only employees are supposed to know.

Millions of consumers have been exposed to potential identity theft in 14 major breaches in the past year at various brokers, universities, banks and other institutions. In February, ChoicePoint Inc. said fraud artists had posed as Los Angeles businessmen to access personal information about at least 145,000 people.

Press reports soon followed that Bank of America Corp. lost computer tapes containing financial data on 1.2 million federal workers, including U.S. senators, and that credit card numbers were stolen by hackers from 103 of shoe retailer DSW Inc.'s 175 stores.

LexisNexis acquired Seisint last summer for $775 million in cash. At the time, the Florida firm was best known as the company behind the Matrix, a counter-terrorism supercomputer which enabled law enforcement and intelligence authorities to blend investigative files with billions of public records.

The disclosure of the ChoicePoint incident was due in part to a California law that requires companies doing business with California consumers to alert state residents if a security breach compromises their personal or financial data. Spurred into action by the California law, at least 23 states have passed or are debating legislation that mirrors the California statute. Several members of Congress from both parties also have introduced similar bills or are preparing to do so.

© 2005 Washingtonpost.Newsweek Interactive