Senators and Congressmen reacted angrily to the news, vowing to
push through legislation to tackle the growing threat of identity
theft.
LexisNexis, a subsidiary of publisher Reed Elsevier, said that
the incidents took place at its recently acquired Seisint unit – a
data broker which sells information to credit agencies, law
enforcement and private investigators – after criminals
impersonated legitimate customers of the firm.
In March, LexisNexis warned that fraudsters had obtained
information, including names, addresses, social security and
drivers' license numbers, relating to 30,000 people.
Further investigation has now revealed that there have been 59
incidents of fraudulent access, affecting around 310,000
individuals.
Details of victims' credit history, medical records or financial
information of individuals, are not collected by LexisNexis or its
subsidiary, and have therefore not been affected by the breaches,
said LexisNexis.
The firm also stressed that the LexisNexis or Seisint technology
infrastructure has not been hacked into or penetrated nor was any
customer data residing within that infrastructure accessed or
compromised.
The company confirmed that it would notify all those involved
and provide them with ongoing credit monitoring, fraud insurance
and practical support to ensure that any identity theft was quickly
detected and addressed.
Of the 30,000 initially notified by LexisNexis, only 2% have
accepted the help offered by the company and so far none of this
group have advised that they have experienced any form of identity
theft.
"We regret that consumers, who traditionally are the primary
beneficiaries of our risk management products and services, may
have been affected by these events," said Kurt Sanford, CEO,
Corporate and Federal Markets, LexisNexis. "We have taken a number
of significant actions in recent weeks to further guard against
these types of fraudulent intrusions at our customer sites and to
enhance our security procedures and policies overall."
The disclosure follows in the wake of several other highly
publicised consumer privacy breaches.
These include the loss of backup tapes containing the credit
card information of 1.2 million federal workers by Bank of America
and the loss of 145,000 customers' personal information to identity
thieves at data broker ChoicePoint.
Politicians reacted angrily to the admission by LexisNexis,
calling for action against identity thieves and greater regulation
of data-brokering companies.
"What bank robbery was to the Depression Age, identity theft is
to the Information Age," said Democratic Senator Charles Schumer.
"Identity theft has become so pervasive and so out-of-hand, that we
must make a real effort to prevent it before it happens. When a
company like Lexis-Nexis so badly underestimates its own ID theft
breaches, it is clear that things are totally out of hand."
Various proposals have already been put forward, including a
bill by Democratic Senator Dianne Feinstein forcing companies to
notify consumers affected by security breaches and another by
Democratic Senators Schumer and Bill Nelson that would tighten up
laws regulating data merchants and the sale and display of social
security numbers.
Elsewhere, the American Civil Liberties Union used the incident
to warn against the creation of a new national database of personal
information, which it says will be the result of proposals
contained in the REAL ID Act of 2005.
The Act, which was passed by the House of Representatives in
February, is due to be debated in the Senate shortly.
