LexisNexis break-in spurs more calls for reform

Renewed calls for legislation and industry reform follow theft of personal details of 32,000 Americans.

Matt Hines Staff Writer, CNET News.com
Matt Hines covers business software, with a particular focus on enterprise applications.

The security breach at consumer database specialist Seisint has brought renewed calls for industry reform from politicians and privacy experts.

In a series of incidents, hackers broke into Seisint's databases, gaining access to the personal data of an estimated 32,000 U.S. citizens, the Reed Elsevier Group said in a statement on Thursday. Seisint is a unit of Reed Elsevier's business information subsidiary LexisNexis. The break-in exposed names, addresses, Social Security numbers and driver's license information, the company said.

Vermont Sen. Patrick Leahy, the top Democrat on the Senate Judiciary Committee, said such data breaches cannot be allowed to continue. In a statement released by the senator's office late Wednesday, Leahy labeled the problem as a massive threat to both individual Americans and national security.

"This is the latest window on security weaknesses that jeopardize the personal information that data brokers hold about every American, and the view is a chilling one," he said. "We are vulnerable not only to run-of-the-mill thieves but also potentially to sophisticated scams, organized crime or even terrorists. If criminals can breach these security arrangements, there is a danger that terrorists may also be able to."

Leahy is scheduled to testify Thursday at a Senate Banking Committee hearing on privacy breaches of personal and financial data.

News of the Seisint breach comes just weeks after one of the company's chief rivals, ChoicePoint, confirmed that suspected criminals posing as legitimate businesses had gained access to some 145,000 of its own profiles of American consumers. Both companies sell consumer data to businesses that want information on specific individuals, to carry out a background check on a potential employee, for example.

Data breaks

High-profile breaches are finally waking lawmakers up to the need to make sure personal data is securely protected on computers.

Date: March 2005
Incident: Hackers have gained access to databases at Seisint, owned by publisher Reed Elsevier.
At risk: Personal information of about 32,000 U.S. citizens.

Date: February 2005
Incident: Data collection company confirms that information from its consumer database has been stolen.
At risk: Names, addresses and Social Security numbers of more than 150,000 Americans.

Bank of America
Date: February 2005
Incident: Bank loses backup tapes detailing the financial records of credit cards held by federal employees.
At risk: More than 1.2 million records in SmartPay charge card program, which has annual transactions totaling more than $21 billion.

Date: February 2005
Incident: Flaws in the online W-2 service of PayMaxx expose customers' payroll records.
At risk: Discoverer of the flaws claims they affect more than 25,000 people. PayMaxx says only a small number of companies is involved.

T-Mobile: Paris Hilton
Date: February 2005
Incident: Information from heiress Paris Hilton's Sidekick is posted online. Breach comes amid reports that a flaw opens up T-Mobile voice mail.
At risk: Phone numbers and e-mail addresses of celebrities such as Eminem and Lindsay Lohan.

Date: February 2005
Incident: Desktop computers are stolen from the offices of Science Applications International Corp.
At risk: Personal information of current and past stockholders in the government contractor.

Date: January 2005
Incident: The carrier admitted that a hacker had gained access to customers' personal information.
At risk: Names and Social Security numbers of 400 T-Mobile subscribers.

George Mason University
Date: January 2005
Incident: Attackers broke into a server that held details used on identity cards at the Virginia school.
At risk: Names, photos and Social Security numbers of more than 30,000 students, faculty and staff.

California Department of Social Services
Date: October 2004
Incident: Breach of a researcher's computer at the University of California at Berkeley exposed personal data related to the state's In Home Support Services.
At risk: Contact information and Social Security numbers of up to 1.4 million providers and clients.

In response to the leaks, legislators and industry watchers have called for increased scrutiny of the data-aggregation industry's business practices.

Atlanta-based ChoicePoint is already under investigation by the Federal Trade Commission, the U.S. Securities and Exchange Commission and a number of state attorneys general.

Sen. Dianne Feinstein of California, a Democrat who last year introduced a bill, the Notification of Risk to Personal Data Act, requiring businesses to alert people if their personal information has been exposed, called for a greater push for new laws on Thursday.

"Congress needs to move forward quickly on legislation to strengthen privacy protections and show the American people that we take the crime of identity theft seriously," she said.

Leahy has lobbied for new policies to regulate businesses such as Seisint. The senator pointed out that such companies have become an important part of the federal government's efforts to defend against terrorist activity.

"Data brokers are also increasingly partners with the government in important law enforcement and homeland security efforts, and their performance in protecting data is one of the important criteria in evaluating those relationships," Leahy said in his statement. "It is time for an audit of security arrangements that federal agencies have with these data brokers for the databanks that they manage for the federal government."

Privacy experts echoed Leahy's sentiments, but they said that it may be too late to protect many consumers whose information was compromised in the Seisint and ChoicePoint incidents, as well as in the massive customer record loss reported last month by Bank of America.

The creation of better laws to regulate data brokers would be a step in the right direction, said Peter Gregory, an analyst at Seattle-based VantagePoint Security. He noted that the push to introduce new guidelines only came after many consumers were unknowingly victimized.

"As usual in this sort of business, where people really don't know someone is controlling their data, laws get passed after bad things happen, and this is no exception," he said. "I wouldn't be surprised to see Congressional hearings scheduled, as these incidents highlight a symptom of a problem that's been going on for a while."

"The reality is that once a consumer gives their information to a private organization such as a bank, that organization will pass it on to other parties, and the consumer has no control of this at all," Gregory added.

Consumer data thefts often garner personal information that could be used to commit identity fraud. In the ChoicePoint leak, some 750 cases of related identity fraud have already been reported to law enforcement officials, and a California man has pleaded no contest to felony charges related to the heist.

Jay Foley, co-executive director of the Identity Theft Resource Center, a nonprofit organization, said the pool of consumer data shared among criminals grows with each data loss. He said that unless data brokers are soon held to a higher standard, identity theft is likely to continue to grow at their expense.

"The thieves know the data lies in these companies' databases, and they're going to continue to try to exploit it," Foley said. "The fact that out of the 145,000 files stolen from ChoicePoint, that there's only been 750 cases of ID theft reported so far, may be misleading. A lot of people still haven't been informed that their information was compromised, or they don't know that criminals are actively using their information to commit crimes even as we speak."

Seisint representatives did not immediately return calls seeking comment for this story.