LexisNexis Uncovers More Consumer Data Breaches
April 12, 2005
by Bill Rigby and Theo Kolker

NEW YORK/AMSTERDAM (Reuters) - Data broker LexisNexis said on Tuesday that personal information on 310,000 U.S. citizens may have been stolen from its computer systems, 10 times more than its initial estimate last month.

An investigation by LexisNexis -- owned by Anglo-Dutch publisher Reed Elsevier -- determined that its databases had been fraudulently breached 59 times using stolen passwords, leading to the possible theft of personal information such as addresses and Social Security numbers. LexisNexis, which said in March that 32,000 people had been potentially affected by the breaches, will notify an additional 278,000 individuals whose data may have been stolen.

Of the initial group contacted, only 2 percent asked the company to conduct an investigation of their credit records. LexisNexis has found no cases of identity theft, such as using a stolen Social Security number to apply for a fraudulent credit card.

"We need to write to them and offer the same kind of support and investigation we offered the original 32,000," a Reed Elsevier spokeswoman said. "Of the original group, it's somewhat encouraging that none of them has suffered identity theft."

Law enforcement authorities are assisting the company's investigations, which come as lawmakers in Washington consider tighter regulation of data brokers.

SIFTING THROUGH DATA

Recent break-ins at LexisNexis and ChoicePoint have heightened concerns about identity theft, a crime that costs U.S. consumers and businesses $50 billion annually, according to government estimates.

ChoicePoint in February announced that identity thieves had gained access to some 145,000 consumer profiles, while Bank of America said that same month that it had lost a shipment containing sensitive details of 1.2 million U.S. government customers.

Reed Elsevier moved to soothe investors' fears by reaffirming its earnings forecasts, saying the financial implications of the breach were expected to be manageable within the context of LexisNexis's overall growth. Its shares were down more than 1 percent in London and Amsterdam at 1500 GMT.

The breach, uncovered after a billing complaint by a customer at LexisNexis's Seisint unit, led to the discovery of an identity and password that had been misappropriated.

The information accessed included names, addresses, Social Security numbers and driver's license numbers, but not credit histories, medical records or financial information, LexisNexis said.

Data-collection services provided by Seisint, based in Boca Raton, Florida, allow police and financial firms to sift through vast amounts of personal information -- from the color of someone's eyes to the type of car they drive.

One Seisint database called the Matrix, which allows state law enforcers to quickly zero in on criminal suspects, has come under criticism from civil-liberties groups.

LexisNexis bought Seisint in July 2004 for $745 million.

(Additional reporting by Andy Sullivan in Washington)
Security Breach at LexisNexis Now Appears Larger
April 12, 2005
by Heather Timmons
New York Times

LONDON, April 12 - Reed Elsevier, owner of the LexisNexis databases, said Tuesday that Social Security numbers, driver's license information and the addresses of 310,000 people may have been stolen, 10 times more than it originally reported last month.

The company said there were 59 separate instances in which unauthorized users "may have fraudulently acquired personal identifying information" through Seisint, a unit of LexisNexis. Seisint compiles information from government records and holds personal data about most American citizens. Its data is used by employers making hiring decisions, landlords choosing tenants and by debt collectors among others.

Unauthorized Seisint users often used log-in names and passwords that were assigned to legitimate customers, the chief executive of the LexisNexis Group, Kurt Sanford, said in an interview. LexisNexis found that the thieves were using the log-in names assigned to former employees of Seisint customers or were correctly guessing uncomplicated ID and password combinations or accessing customers' systems through a virus, Mr. Sanford said.

The announcement, along with reports earlier this year from ChoicePoint, another data broker, and Bank of America that personal information may have been stolen, added fuel to calls to regulate the $5 billion-a-year data-brokering industry. The Senate Judiciary Committee is currently holding hearings about the protection of personal data.

"This shows how we don't have a handle on how large and pervasive a problem identity theft really is," Senator Charles E. Schumer, Democrat of New York, said in an e-mail message. "When a company like LexisNexis so badly underestimates its own ID theft breaches, it is clear that things are totally out of hand."

Senator Schumer and Senator Bill Nelson, Democrat of Florida, said they were introducing a bill in Congress calling for a ban on the sale of Social Security numbers and for tighter controls for companies like ChoicePoint and Seisint. Several other pieces of legislation have been introduced over the last three months aimed at protecting consumer privacy and regulating data brokers.

Not surprisingly, data brokering executives, including Mr. Sanford, oppose some of the legislation, particularly the ban on the sale of Social Security numbers.

"No matter how perfect security is, it's not going to stop identity theft in the United States," because of the amount of information that is already available on the Internet and in public databases, Mr. Sanford said. Instead, he said, more steps should be taken to control how credit is granted, particularly the way that credit cards are used and issued.

Reed Elsevier, a publisher based in London, said it would notify all 310,000 individuals affected, and offer free fraud insurance and credit bureau reports for a year. It is also trying to improve its password system. LexisNexis began investigating security at Seisint in February, after customers complained about unexpectedly high monthly bills. Those bills were generated by unauthorized use of the customers' accounts.
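The article reports two facts that a defender can turn directly into monitoring: the misuse surfaced only when customers complained about unexpectedly high monthly bills, and the thieves reused log-in names assigned to former employees of Seisint customers. The script below is an added example, not code from LexisNexis, Seisint or the article's authors, and it assumes two inputs a data broker would have anyway: per-account monthly query volumes (the same data that drives billing) and a roster of log-ins whose holders have left the customer (assumed to come from the customer's offboarding feed). The log records and roster are constructed for the demonstration.

```python
"""
Added example (not LexisNexis/Seisint code): two checks run over a data
broker's own per-account usage records, so that the pattern the article
describes is caught by the provider before a customer sees the bill.
Records and roster below are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class QueryLog:
    month: str      # "YYYY-MM"
    login: str      # customer-assigned log-in name
    queries: int    # billable record lookups in that month


# Constructed roster: log-ins whose holders have left the customer. In a real
# deployment this would come from the customer's offboarding feed (assumption).
TERMINATED_LOGINS = {"acme_jdoe"}

# Constructed monthly usage. acme_jdoe is dormant for months and then spikes;
# acme_ops grows steadily (legitimate); acme_mlee is flat.
SAMPLE_LOGS = [
    QueryLog("2004-09", "acme_ops", 400), QueryLog("2004-10", "acme_ops", 420),
    QueryLog("2004-11", "acme_ops", 450), QueryLog("2004-12", "acme_ops", 470),
    QueryLog("2005-01", "acme_ops", 500),
    QueryLog("2004-09", "acme_mlee", 50), QueryLog("2004-10", "acme_mlee", 55),
    QueryLog("2004-11", "acme_mlee", 48), QueryLog("2004-12", "acme_mlee", 52),
    QueryLog("2005-01", "acme_mlee", 51),
    QueryLog("2004-09", "acme_jdoe", 0), QueryLog("2004-10", "acme_jdoe", 0),
    QueryLog("2004-11", "acme_jdoe", 0), QueryLog("2004-12", "acme_jdoe", 0),
    QueryLog("2005-01", "acme_jdoe", 3200),
]


def monthly_series(logs):
    """Group records into {login: [(month, queries), ...]} sorted by month."""
    series = defaultdict(list)
    for rec in logs:
        series[rec.login].append((rec.month, rec.queries))
    for login in series:
        series[login].sort()
    return series


def volume_anomalies(logs, ratio=3.0, min_history=3):
    """Flag log-ins whose latest month exceeds a baseline built from earlier
    months. The baseline is the larger of mean + 3 standard deviations and
    `ratio` times the mean; an all-zero history makes any use anomalous.
    Returns {login: (month, queries, threshold)}."""
    flagged = {}
    for login, points in monthly_series(logs).items():
        if len(points) < min_history + 1:
            continue                      # not enough history to judge
        history = [q for _, q in points[:-1]]
        latest_month, latest = points[-1]
        mu = mean(history)
        threshold = max(mu + 3 * pstdev(history), ratio * mu)
        if latest > threshold:
            flagged[login] = (latest_month, latest, round(threshold, 1))
    return flagged


def stale_account_activity(logs, terminated):
    """Flag any query activity on log-ins that should have been disabled when
    their holder left: the reuse pattern the article describes."""
    return sorted({rec.login for rec in logs
                   if rec.login in terminated and rec.queries > 0})


def review_report(logs, terminated):
    """Combine both checks into one dict for an analyst to review."""
    return {
        "volume_anomalies": volume_anomalies(logs),
        "stale_account_activity": stale_account_activity(logs, terminated),
    }


if __name__ == "__main__":
    for kind, hits in review_report(SAMPLE_LOGS, TERMINATED_LOGINS).items():
        print(kind, hits)
```

On the constructed data only `acme_jdoe` is reported, by both checks: its history is all zeros, so any lookups in the latest month clear the threshold, and it is also on the terminated roster. The steadily growing `acme_ops` account is not flagged because the ratio term keeps the baseline well above normal growth; that term is there precisely so that a busy, legitimate customer does not generate noise.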
Reed Elsevier said the announcement would have no immediate impact on its bottom line. But its share price fell 1.03 percent on Tuesday, closing at 530 pence in London. No similar problems have occurred in Europe because European Union regulations do not allow companies to buy and sell an individual's personal data.

American security experts contend that the Reed Elsevier announcement will be followed by others. "This is just the tip of the iceberg," said Stanton S. Gatewood, the University of Georgia's chief information security officer and a lecturer on the issue of data security.

"For so long, we've depended on companies like LexisNexis, and the government, to secure our information," Mr. Gatewood said. "But I'm here to tell you they're no more secure than anything else."

On March 9, Reed Elsevier gave the first sign there was a security problem with Seisint, which it purchased for $775 million in July 2004. The company said then that data from 32,000 individuals may have been fraudulently obtained, and that it would contact them by letter.

So far, 2 percent of the individuals contacted have responded, Reed said, and none of those have experienced any form of identity theft.

Tom Zeller Jr. contributed reporting for this article.
Indian call centre staff in $350,000 Citibank theft
US customers tricked into revealing PIN numbers...
April 11 2005
by Andy McCue
silicon.com

The Indian offshore outsourcing industry has been rocked by the revelation that call centre workers in Pune have been arrested for allegedly looting $350,000 from the accounts of Citibank's US customers.

The three staff are former employees at Indian business process outsourcing (BPO) firm Mphasis, which runs call centre services for Citibank's US customers in Bangalore and Pune. Nine other gang members were also arrested.

The former Mphasis staff used their positions dealing with Citibank's customers to trick four of them into giving out the PIN numbers to their accounts, allowing the staff to transfer funds into the bank accounts of other gang members.

The fraud was only discovered when the customers noticed the money missing from their accounts and Citibank subsequently traced it back to the Mphasis operations in Pune.

Mphasis said it "regretted" the incident, but maintained that its security procedures are adequate.

A statement said: "While we are unhappy with the incident itself, we are at the same time quite pleased that detection systems worked. While such incidents unfortunately do happen everywhere, timely and exemplary enforcement ensures that no-one needs fear that culprits or potential culprits can get away and the reputation and credibility of the entire system is actually preserved and enhanced."

But research analyst Forrester claimed the breach will have "far-reaching" negative connotations for the offshore BPO industry and said that the high turnover of Indian call centre staff makes it increasingly difficult to adhere to security processes and sufficiently check backgrounds.

A Forrester research note said: "While the center in Pune was BS 7799 and CMM Level 5 certified, the breach still occurred. Clients and prospects should not be lulled into security complacency by the laundry list of certifications or process changes that suppliers roll out. Customers are going to have to implement their own aggressive requirements, such as eliminating writing instruments in their offshore centers and auditing bi-monthly to ensure that the vendor is following mandated processes."

Forrester also claimed offshore call centre growth could drop by as much as a third because of security concerns, regulatory pressure and a consumer backlash.

No-one at Citibank was available for comment. (In such situations, the standard response is to: Admit Nothing. Deny Everything. Demand to See the Proof. Refuse to Accept it.)
Identity Thieves' Secret Weapon
April 15, 2005
New York Times

But for a single innovative law in California, the nation's consumers might not even be hearing some of the more outrageous news about mass heists of supposedly secure computer information from reputedly trustworthy sources: LexisNexis gently announces about 32,000 suspected thefts of identity data, which soon balloon to 310,000. ChoicePoint, a data broker and credit reporting agency with access to 19 billion records, lets 145,000 consumers know their personal data may have been stolen.

These are among hundreds of thousands of warnings to vulnerable Americans surfacing mainly because California has a law requiring that consumers be notified when their personal data are pilfered. There is no such federal law, even though identity theft produces $50 billion a year in personal and business losses. As California's consumers play the canary in the data mines, consumer and law enforcement organizations are putting pressure on loosely regulated data brokers to let the rest of us in on their failures. But this is hardly the way to safeguard the American consumer.

Recent Senate hearings show that no one really knows how deeply hackers and in-house thieves are tapping into our personal records. There was the purloining of Ford Motor Credit reports on 30,000 consumers so street thieves could empty bank accounts and run up purchases. Computer backup tapes were lost at the Bank of America with the Social Security numbers and other vital data of 1.2 million federal workers.

Worthy proposals, starting with upfront, nationwide notification of security breaches, are being offered by senators from some of the most victimized states: Dianne Feinstein of California, Bill Nelson of Florida and Charles Schumer of New York. The nation also needs tight regulation of the security and business practices of data brokers and credit agencies, and a ban on the easy access and sale of Social Security numbers without individual consent. Consumers, not data dealers, deserve controlling interest in their vital information.

Indifferent lawmakers cannot say they have not been warned.
Comment: Nearly every citizen of the United States, Canada and various European countries has important, private information now lodged in commercial data banks. This information includes dates of birth, Social Security (or Social Insurance in Canada) numbers, bank account numbers and contents, real estate holdings and criminal records. This information is easily available to anyone wishing to pay the fees involved and there is absolutely nothing the resulting victims can do about it because various agencies of the United States government actively participate in this gathering and subsequent sharing of such information. At any time, any American or other citizen can have his or her credit card accounts drained, money transferred out of his or her bank account or have the contents of his or her medical records gleefully acquired by the legion of quack medicine companies that proliferate in America. The Republicans make daily use of these data banks for political reasons so there is not the faintest possibility that any legal action can, or will, be taken to at least secure these vast storehouses of the most intimate and valuable data. A technically adept individual could easily shut down all of these “Credit Reporting” systems but doing so would enrage the Government agencies involved in their use and retaliation would be swift and certain. Holding stock in these companies is tantamount to full encouragement of their practices so concerned stockholders might wish to dump the stock in companies that snoop and buy something less odious.