April 13, 2005
LexisNexis Data Breach May Be Worse Than Thought
LONDON (AP) -- Criminals may have breached computer files containing the personal information of 310,000 people, a tenfold increase over a previous estimate of how much data was stolen from information broker LexisNexis, the company's parent said Tuesday.
Last month, London-based publisher and data broker Reed Elsevier Group PLC said criminals may have accessed personal details of 32,000 people via a breach of its recently acquired Seisint unit, part of Dayton, Ohio-based LexisNexis. LexisNexis is a Reed subsidiary.
Reed said it identified 59 instances since January 2003 in which identifying information such as Social Security numbers or driver's license numbers may have been fraudulently acquired on thousands of people.
Information accessed included names, addresses, Social Security and driver license numbers, but not credit history, medical records or financial information, the company said.
Reed spokesman Patrick Kerr said that the first batch of breaches was uncovered by Reed during a review and integration of Seisint's systems shortly after it purchased the Boca Raton, Fla.-based unit for $775 million in August.
Seisint provides data for Matrix, a crime and terrorism database funded by the U.S. government, which has raised concerns among civil liberties groups. The Matrix database was not involved in the breach, the company has said.
Seisint's databases store millions of personal records including individuals' addresses and Social Security numbers. Customers include police and legal professionals and public and private sector organizations.
The company said the 59 identified instances of fraudulently obtained information - 57 at Seisint and two in other LexisNexis units - are largely related to the improper use of IDs and passwords belonging to legitimate customers. It stressed that neither LexisNexis nor the Seisint technology infrastructure was breached by hackers.
Kerr said the company has since ensured that the system is watertight by improving login systems and security checks.
He said only 2 percent of the 32,000 people it notified about the possible theft of their personal information in March have contacted LexisNexis to accept its offer of free credit reports and credit monitoring, and none has so far advised LexisNexis that they have experienced any form of identity theft.
However, LexisNexis Chief Executive Kurt Sanford said Tuesday that of the 32,000 who were notified, law enforcement officials have identified 10 who investigators believe may have been victims of identity theft. He said it is unclear whether those possible thefts are related to the breach at LexisNexis.
Investigators said only three of those people appeared to have been the victims of financial fraud, Sanford said.
The breach is being investigated by the FBI's cyber-crime squad in Cincinnati. FBI spokesman Mike Brooks would say only that the agency is pursuing leads.
Rep. Edward Markey, D-Mass., who has introduced legislation designed to increase protections of consumer data, said LexisNexis turned a blind eye to customer protection.
But Sanford said LexisNexis had initiated the review and notified potential victims.
"We're going to fix this," he said. "The congressman's statement overreaches and mischaracterizes the situation."
Reed Elsevier played down the effect of the breach on its profits, reaffirming its target of higher earnings and at least 5 percent growth in revenues excluding acquisitions.
The breach at Seisint is the second of its kind at a major information provider in recent months. Rival data broker ChoicePoint Inc. (CPS) announced last month that the personal information of 145,000 Americans may have been compromised in a breach in which thieves posing as small business customers gained access to its database.
In the ChoicePoint scam, at least 750 people were defrauded, authorities say. The case fueled consumer advocates' calls for federal oversight of the loosely regulated data-brokering business, and Capitol Hill hearings on the topic were held last month and are continuing this week.
Reed Elsevier specializes in the education, legal and science sectors, publishing more than 10,000 journals, books and compact discs, as well as almost 3,000 Web sites and portals. It also organizes 430 trade exhibitions. The LexisNexis division specializes in legal and business information.