Out-Law / Your Daily Need-To-Know

LexisNexis, the legal and business information firm, said yesterday that criminals may have fraudulently accessed information held by a subsidiary on around 310,000 US citizens – not 30,000 as originally estimated.

Senators and Congressmen reacted angrily to the news, vowing to push through legislation to tackle the growing threat of identity theft.

LexisNexis, a subsidiary of publisher Reed Elsevier, said that the incidents took place at its recently acquired Seisint unit – a data broker which sells information to credit agencies, law enforcement and private investigators – after criminals impersonated legitimate customers of the firm.

In March, LexisNexis warned that fraudsters had obtained information, including names, addresses, social security and drivers' license numbers, relating to 30,000 people.

Further investigation has now revealed that there have been 59 incidents of fraudulent access, affecting around 310,000 individuals.

Details of victims' credit history, medical records or financial information of individuals, are not collected by LexisNexis or its subsidiary, and have therefore not been affected by the breaches, said LexisNexis.

The firm also stressed that the LexisNexis or Seisint technology infrastructure has not been hacked into or penetrated nor was any customer data residing within that infrastructure accessed or compromised.

The company confirmed that it would notify all those involved and provide them with ongoing credit monitoring, fraud insurance and practical support to ensure that any identity theft was quickly detected and addressed.

Of the 30,000 initially notified by LexisNexis, only 2% have accepted the help offered by the company and so far none of this group have advised that they have experienced any form of identity theft.

"We regret that consumers, who traditionally are the primary beneficiaries of our risk management products and services, may have been affected by these events," said Kurt Sanford, CEO, Corporate and Federal Markets, LexisNexis. "We have taken a number of significant actions in recent weeks to further guard against these types of fraudulent intrusions at our customer sites and to enhance our security procedures and policies overall."

The disclosure follows in the wake of several other highly publicised consumer privacy breaches.

These include the loss of backup tapes containing the credit card information of 1.2 million federal workers by Bank of America and the loss of 145,000 customers' personal information to identity thieves at data broker ChoicePoint.

Politicians reacted angrily to the admission by LexisNexis, calling for action against identity thieves and greater regulation of data-brokering companies.

"What bank robbery was to the Depression Age, identity theft is to the Information Age," said Democratic Senator Charles Schumer. "Identity theft has become so pervasive and so out-of-hand, that we must make a real effort to prevent it before it happens. When a company like Lexis-Nexis so badly underestimates its own ID theft breaches, it is clear that things are totally out of hand."

Various proposals have already been put forward, including a bill by Democratic Senator Dianne Feinstein forcing companies to notify consumers affected by security breaches and another by Democratic Senators Schumer and Bill Nelson that would tighten up laws regulating data merchants and the sale and display of social security numbers.

Elsewhere, the American Civil Liberties Union used the incident to warn against the creation of a new national database of personal information, which it says will be the result of proposals contained in the REAL ID Act of 2005.

The Act, which was passed by the House of Representatives in February, is due to be debated in the Senate shortly.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.