ID Thieves Tap Files at 2nd Big Data Firm

Identity thieves have struck again, using stolen passwords to tap personal data on more than 30,000 Americans kept by information broker LexisNexis, the company said Wednesday.

The disclosure came at a bad time for an industry suddenly in the glare of unfavorable publicity. Although apparently unrelated to a larger security breach at ChoicePoint Inc. made public last month, the LexisNexis case heightened concern about businesses that keep files on consumers and prompted calls for tighter regulation.

“If criminals can breach these security arrangements, there is danger that terrorists may also be able to,” Sen. Patrick J. Leahy (D-Vt.) said in a statement Wednesday.

At a Senate Banking Committee hearing today on identity theft, Leahy plans to ask for an audit of security arrangements the federal government has with databases run by ChoicePoint and LexisNexis.

The House Energy and Commerce subcommittee on commerce, trade and consumer protection also is joining the fray, setting hearings for next week on the ChoicePoint infiltration. Several members of Congress have said they intend to introduce legislation calling for closer monitoring of information brokers by the Federal Trade Commission.

ChoicePoint and LexisNexis compete in the booming business of providing personal data on millions of Americans to merchants, employers and government agencies.

Their services also are valuable to identity thieves who, posing as legitimate customers, use them to acquire Social Security numbers and other personal information to open fraudulent credit card accounts.

LexisNexis, a Dayton, Ohio-based company best known for its huge database of newspaper and magazine articles and case law, is owned by London-based Reed Elsevier, whose shares dropped $1.05 on Wednesday to $41.50 on the New York Stock Exchange.

The security breach, which occurred about two months ago, was uncovered during an audit of database company Seisent, which LexisNexis bought in September. The infiltration was discovered about two weeks ago and reported to law enforcement, said a person close to the situation who spoke on condition of anonymity.

LexisNexis said the identity thieves used stolen passwords to get access to personal files containing names, addresses, Social Security numbers and driver’s license numbers. Neither the company nor the Secret Service, which is investigating the theft, said whether any of the people whose records were taken had become fraud victims as a result. Neither would say how many criminals were involved or whether they suspect any were inside the company.

Of about 30,300 personal files that were compromised, 11,680 were those of California residents, LexisNexis said.

LexisNexis said all individuals whose files might have been fraudulently accessed would be notified and provided with “ongoing credit monitoring” to help prevent the information from being used improperly.

“We take seriously our responsibilities associated with safeguarding public and nonpublic information,” Kurt Sanford, chief executive of the company unit that serves government and corporate customers, said in a statement.

LexisNexis’ relatively quick disclosure of the infiltration of its files contrasts with the response of ChoicePoint, which was criticized for waiting about five months before making public its recent security breach.

“It seems like LexisNexis saw what happened to ChoicePoint and ChoicePoint stock and clearly decided to be a lot more proactive,” said Avivah Litan, research analyst for Gartner Inc. LexisNexis executives declined to comment.

The ChoicePoint thieves got access to data on as many as 145,000 people by posing as businesses with legitimate uses for the information. Shares of the Alpharetta, Ga.-based company have dropped nearly 16% since the breach became public Feb. 15.

Edmund Mierzwinski, consumer program director for the advocacy organization U.S. Public Interest Research Group, said security breaches would continue to occur in the absence of fundamental change in how information brokers do business.

“All the thieves have to find is a way to pose as a customer of one of these services,” Mierzwinski said. “Then once they are in, they’re in the mother lode.”