LexisNexis has completed an extensive review of data search activity at its recently acquired Seisint unit, as well as across its other businesses.
Reed Elsevier announced that LexisNexis had initiated a review on March 9, after it identified a number of incidents of potentially fraudulent access to information at its recently acquired Seisint unit. The in-depth review analyzed data search activity for the past two years. LexisNexis has concluded that unauthorized persons, primarily using IDs and passwords of legitimate Seisint customers, may have acquired personal-identifying information, such as Social Security numbers (SSN) or Driver’s License numbers (DLN), of individuals in the U.S. in some 59 incidents. LexisNexis has alerted law enforcement authorities and is proactively assisting in investigations.
In addition to the 30,000 individuals already notified, LexisNexis will begin notifying approximately 280,000 additional individuals whose information may have been acquired during these recently identified incidents. LexisNexis will offer free support services to individuals who receive the notification, to monitor and protect them from possible fraud associated with identity theft, including credit bureau reports, credit monitoring for one year and fraud insurance. In addition, LexisNexis will provide fraud counseling services or specialized assistance on a case-by-case basis to any individual who has been the victim of identity theft related to these instances.
“We have undertaken and completed this extensive review to ensure we have a clear understanding of the extent to which information on individuals may have been fraudulently acquired. We are taking action to notify individuals where we found some indication that they might have some risk of identity theft or fraud, even if that risk did not appear to be significant,” said Kurt Sanford, CEO, Corporate and Federal Markets, LexisNexis. “We regret that consumers, who traditionally are the primary beneficiaries of our risk management products and services, may have been affected by these events. We have taken a number of significant actions in recent weeks to further guard against these types of fraudulent intrusions at our customer sites and to enhance our security procedures and policies overall.”
The substantial majority of instances involved IDs and passwords stolen from Seisint customers that had legally permissible access to SSNs and DLNs for legitimate purposes, such as verifying identities and preventing and detecting fraud. Neither LexisNexis nor Seisint collects personal credit histories, medical records or individual financial records. At no time was the LexisNexis or Seisint technology infrastructure hacked into or penetrated, nor was any customer data residing within that infrastructure accessed or compromised.
Customers whose passwords and IDs were compromised have been advised of the incidents. LexisNexis and Seisint are implementing multiple improvements to customers’ password and ID administration and security processes. In addition, LexisNexis has further limited access to SSNs by extending its more restrictive policies to the Seisint business. This included truncating SSNs displayed in non-public documents and narrowing access to full SSNs and DLNs to law enforcement and a restricted group of legally authorized organizations, such as banks and insurance companies.
In March 2005, LexisNexis sent notices to approximately 30,000 individuals advising them that personally identifiable information could have been accessed by unauthorized persons. To date, a small number of those individuals have contacted the company to accept its offer of free credit reports and credit monitoring. Of that group, no individual has advised LexisNexis of having experienced any form of identity theft.
murdok | Breaking eBusiness News