LexisNexis Breach Is Larger
Security breaches at information broker LexisNexis gave outsiders access to the personal data files of as many as 310,000 people -- about 10 times more than originally thought, the company said Tuesday.
The disclosure increased the likelihood that lawmakers, angry about security lapses at U.S. data aggregators, would impose tighter rules on the largely unregulated industry that keeps detailed records about virtually every adult in the nation.
London-based Reed Elsevier, which owns LexisNexis, revealed the breach in March but said that 32,000 records maintained by its Seisint unit were affected. A subsequent audit found additional files at Seisint and other LexisNexis units that might have been examined illegally over a two-year period.
LexisNexis files contain addresses, driver’s license information and Social Security numbers, though not credit reports or other financial data. The company said the 59 identified breaches stemmed from the improper use of passwords belonging to legitimate customers.
It wasn’t clear whether the breaches enabled any identity thefts, and the firm stressed that neither LexisNexis nor the Seisint technology infrastructure was breached by hackers.
The Secret Service was investigating.
LexisNexis, which acquired Seisint last year, said it would notify all 310,000 people and give them free credit monitoring.
Tuesday’s disclosure added fuel to a fire sparked in February when ChoicePoint Inc. acknowledged that identity thieves had infiltrated its databases and compromised 145,000 records. Shortly thereafter, Bank of America Corp. said it had lost computer tapes containing personal information on credit cards used by more than 1 million federal employees.
“It has gotten out of control,” said Sen. Dianne Feinstein (D-Calif.), who on Monday introduced legislation to require data brokers to notify people nationwide if their information has been exposed to infiltrators.
California is the only state that requires notification.
Kurt Sanford, LexisNexis’ chief executive for corporate and federal markets, said the company hadn’t taken a position on Feinstein’s bill and does not categorically oppose mandatory notification.
LexisNexis and ChoicePoint compete in providing data on millions of Americans to merchants, employers and government agencies. Their services also are valuable to identity thieves who, posing as legitimate customers, use them to acquire Social Security numbers and other personal information.
Feinstein said the widening breach at LexisNexis could bring more attention to her bill and several others.
Rep. Edward J. Markey (D-Mass.) introduced a bill last month that calls upon the Federal Trade Commission to formulate a plan to regulate information brokers. He is also a sponsor of a bill to restrict the sale of Social Security numbers.
“Every new scandal is jet fuel for tougher privacy protection legislation,” Markey said. “This shows that ChoicePoint was the tip of the iceberg.”
Edmund Mierzwinski, consumer program director for the advocacy organization U.S. Public Interest Research Group, said the LexisNexis disclosure put pressure on Congress to act.
“What it takes to get legislation on these matters is state leadership and two scandals,” he said. “Enron was not enough, you also had to have WorldCom.”
Shares of Reed Elsevier rose a penny to $40.71 on the New York Stock Exchange.