
Consumers Data Stolen from LexisNexis

Posted by samzenpus
from the todays-info-stolen-from dept.
LE UI Guy writes "Reuters is currently running a story regarding LexisNexis being tapped into by identity thieves who accessed up to 32,000 customer profiles. Information hit included names, addresses, Social Security and driver's license numbers. This comes on the heels of rival ChoicePoint being breached for 145,000 profiles last month in a similar case. Better check yourself." Update: 03/10 02:40 GMT by J : ChoicePoint's name corrected (and, it may be more than 145,000, they don't know).
  • Well... (Score:5, Funny)

    by Anonymous Coward on Wednesday March 09, 2005 @09:34PM (#11895704)
    Anyone got a torrent of it?
  • Man (Score:5, Funny)

    by Anonymous Coward on Wednesday March 09, 2005 @09:34PM (#11895708)
    I am sure glad I don't drive a lexus.
  • by DA-MAN (17442) on Wednesday March 09, 2005 @09:36PM (#11895721) Homepage
    Jesus! I've seen this mistake on the national news and now on slashdot. I thought the geeks would realize there is a difference.

    Let me make it clear, CheckPoint makes security software, rfid badges and firewalls. They are not the ones who sell all of your information to credit card companies. CheckPoint has no info that you didn't give them. ChoicePoint is the one that fucked up!!!
    • by jchernia (590097) on Wednesday March 09, 2005 @10:25PM (#11895980)
      Well of course they are not equal, you made the assignment that way.

      You made the common rookie programmer error of assigning what you wanted to test.

      What I think you meant to say was

      ChoicePoint != CheckPoint

      Though if you are communicating to us in Java you want

      !ChoicePoint.equals(CheckPoint)

      Hope that helps.

      • What I think you meant to say was

        ChoicePoint != CheckPoint

        Though if you are communicating to us in Java you want

        !ChoicePoint.equals(CheckPoint)



        In perl, I just write /~]{***^^^^)/*[]#/$./g

        No chance of going wrong there.

    • For the record, they don't make rfid tags, that's a different company found at www.checkpointsystems.com. They are often confused with Check Point Software though.
    • by Anonymous Coward on Wednesday March 09, 2005 @11:05PM (#11896255)
      You are absolutely right. Checkpoint is the company that sells defective firewalls based on Linux, and won't give you a patch unless you buy a support contract. They also won't give you a refund for a defective product.

      Oh yeah. You have to be running Windows to do any administration of the firewall.

      I'm quite glad they are getting mistaken.

      Dear Checkpoint,

      You sent us a non-functional firewall last year, and wouldn't help us make it work. When our support contract kicked in you told us it was a problem on your end, and we needed to download a patch. Everything worked after that.

      Please note that I've told my company all about this, and I'll make sure that our company of over 100,000 never buys a product from you again. Fuck you and your useless crap.

      Sorry for the rant, but Checkpoint deserves it for shipping out defective software.

      PS - Mod this up if you don't like Linux being used to make money for a company that won't even back up their own modifications.
    • There's also a "Checkpoint Systems" that makes some sort of point of sale kind of stuff. The way things are going, they'll probably wind up in some hack or another eventually. :)
    • I'm so glad you're not programming for the national missiles defense force or designing Boeing 747 computers or designing medical heart rate monitors.

      Such a FUCKED UP logic, if I've ever seen any.
  • by ip_freely_2000 (577249) on Wednesday March 09, 2005 @09:36PM (#11895725)
    Make the CEO, CTO and Customer Support manager provide their own personal information in their own databases.
  • by Nuclear Elephant (700938) on Wednesday March 09, 2005 @09:36PM (#11895728) Homepage
    This comes on the heals of rival Check Point being breached for 145,000 profiles last month in a similar case. Better check yourself.

    Can someone post the list?
    • by Anonymous Coward
      Here it is:

  • Checkpoint? (Score:4, Informative)

    by Anonymous Coward on Wednesday March 09, 2005 @09:37PM (#11895735)
    Checkpoint ( www.checkpoint.com ) makes firewall software. THEY HAD NO CUSTOMER INFORMATION STOLEN. Please update the story and make sure the facts are correct - it's pretty freaking rude to say a company lost data, especially an innocent company.

    Choicepoint lost the data. not Checkpoint.
  • Here come the lawyers!!!

    Visualize Whirled P.'s
  • by Doc Ruby (173196) on Wednesday March 09, 2005 @09:38PM (#11895740) Homepage Journal
    Check yourself? What does that mean? Check that you haven't been stolen? What if you haven't - what can you do to stop it from happening after you check?

    These corporations are destroying the value of our essential property: our identities. They demand we give our personal info, without enforcing our copyrights to prevent its being disseminated, then let it get stolen by people who will use it to damage us. When someone rips me off with some personal info they stole from some negligent data warehouse, the warehouse should be liable for my damages, including the work to recover my losses, and the defamation that will inevitably ripple through the endlessly interlinked online infosystems forever. And when compromised, they should pay my identity theft insurance premiums. This free value we deliver to them has a cost when it's abused, and such insecurity abuse is now obviously standard practice.
    • by laughingcoyote (762272) <barghesthowl&excite,com> on Wednesday March 09, 2005 @09:48PM (#11895788) Journal

      No...remember, copyright is only for the benefit of corporations too. You don't have the right to prevent the distribution of data that pertains to you, that right only extends to the latest pop song, that they've already chosen to release publicly, and then expect to tell said public what they may or may not do with it.

      But that brings up an interesting point...isn't someone currently getting sued by Apple for collecting data on them without their authorization and distributing it? Are only corporations allowed to protect sensitive data, and punish those who distribute it without authorization? If "trade secrets" exist, surely "personal secrets" do too?

      • by Doc Ruby (173196) on Wednesday March 09, 2005 @10:13PM (#11895925) Homepage Journal
        We might be entering a time when the only chance of protecting one's rights is to incorporate, and assign all assets (IP and real) to it. Incorporation might become the modern blessing once expected of christening.
        • We might be entering a time when the only chance of protecting one's rights is to incorporate, and assign all assets (IP and real) to it. Incorporation might become the modern blessing once expected of christening.

          And the first legal dispute you get into, and your 'corporate assets' get liquidated by the courts.

          Oh, sorry, only one corporation per human. You lost yours. Bummer. Off to the mines.
          • How is one's corporate assets any less safe than one's personal assets in court? In fact, it's quite the other way around. And where is this "one corporation per human" rule? When taking risks, of course the assets will be shuffled to some more-protected corporation, giving the risk-taking corporation's limited liability more teeth. Just like any other corporation.
            • by gstoddart (321705) on Wednesday March 09, 2005 @11:55PM (#11896518) Homepage
              How is one's corporate assets any less safe than one's personal assets in court?

              Corporations may be bought and sold.

              Tommy Hilfiger no longer owns his name, it's a corporation.

              When, as the grandparent suggested, you get a corporation as your birthright, it sounds awfully eerie to me. *shrug* Maybe the foil hat is too snug.
              • One's personal assets may be bought and sold, too. They're just harder to devalue for tax purposes (among other tricks) than are corporate assets. And personal assets are more easily frozen than are corporate assets. I'd prefer a future in which humans have rights, and corporations have inferior rights. But that's very clearly the opposite of the actual trend. Coping might mean dignifying a disgusting values priority, but it's certainly feasible.
      • I don't think only corporations have the right.

        If your information was leaked, I don't see why you couldn't sue Lexis/Choice/BofA.

        The problem is whether you are suing for:
        1) Damages
        2) Liability
        3) Criminal behavior

        Damages? That depends on how much got stolen from you
        Liability? I have no clue
        Criminal behavior? I suppose that falls under 'negligence' but I don't know how they award damages for this.
      • Copyright simply does not protect facts, only expression, so no luck there. Trade secrets are probably out b/c you freely gave up the info. Probably have a plain old negligence suit, though, if you can show you were damaged.
    • by Anonymous Coward

      These corporations are destroying the value of our essential property: our identities. They demand we give our personal info, without enforcing our copyrights to prevent its being disseminated, then let it get stolen by people who will use it to damage us. When someone rips me off with some personal info they stole from some negligent data warehouse,

      Your personal data, which are considered "facts", have no copyright and are not eligible for such. Collections of facts, however, are copyrightable. In on

      • That might all have been workable law before. But it's clear that now we have problems that people without the right (in the strict sense of "inalienable ability") to copy my personal info are doing so, and violating other of my rights with their abuse. So we need the copyright law to be amended to cover personal info collected by the transmitter, like "this address and this social security number are collected under their relation to this person". When I copy my info to a recipient for a single transaction
    • These corporations are destroying the value of our essential property: our identities. They demand we give our personal info, without enforcing our copyrights to prevent its being disseminated

      There's an idea (not sure if this is what you were implying): copyright your personal data. When you have to give info to someone, make them agree to a licence to use your info. "You are hereby granted a limited, non-exclusive right to this information. You may use this information internally within your company for
      • It would not work at the moment, because your personal data does not meet the creativity criterion of copyright. It is simply a fact.

        It isn't a bad idea, even out of the domain of the techno-geek libertarian; I write somewhat more extensively about this here [jerf.org] and some of the followup consequences, but the short version relevant to your post is that the necessary legal machinery can be built out of existing components that already exist; no truly novel law needs to be written, but no currently existing laws
    • I think more of us need to 'just say no'. I'm surprised by how often I'm able to avoid giving my SSN just by saying, "No."

      Cell phone. Gas company. Phone company. Cable company. Long distance. ISPs. Electric company. Video rental.

      (They've got to be kidding, right?) They absolutely do NOT need it. The worst case is I've had to put a lousy $100 down up front to 'secure' my account. It's $100 well spent to have my SSN in a few less places.

      • SSNs need to be renewable. So once there's a risk that one SSN has become insecure, we can get new ones. That would cut down the number of unauthorized copies, through periodic cycling. Even more secure passwords, like PINs and logins, get cycled. They might need to add a couple of digits to SSNs, but it's already longer than the average "7 digits" people are said to remember easily. Meanwhile, playing one's personal info close to one's vest is a better strategy than blabbing it all over the place.
      • by Afrosheen (42464) on Thursday March 10, 2005 @02:05AM (#11897218)
        No shit. I had this happen the other day, buying something at an electronics store.

        Cashier, while checking out: "Your email address?"

        Me: "No."

        Cashier: "No?"

        Me: "Ok, put 'no at no dot com"

        Cashier, smirking: "Done."
        • ...Me: "Ok, put 'no at no dot com"

          Probably would have been better to use no@example.com (or org, or net) . The example.com/org/net domains are reserved for use in documentation and are not available for registration.

    • These corporations are destroying the value of our essential property: our identities.

      Amen. It would be so much better if the law were written so that they can collect all the information they want, but... they could only give it out when we authorize them to do so on a case by case basis. Want to apply for a credit card? Then give the card issuer the ability (via a token or something) to access the data. No more freebies! Remember, it's you and me that the data describes (supposedly) so we should have con

      • What might be useful would be a single repository for one's personal info, like a safety deposit box for heirlooms at an insured, audited, secure bank. Personal data, once illegal to "cache", would be retrieved on demand by recipients with identity credentials and unique passwords. Access could be denied to any single recipient by locking them out, and the access history could be audited.

        Of course, this is all fantasy. The actual trend is for unchecked proliferation of personal data, with zero accountabili
  • by loggia (309962) on Wednesday March 09, 2005 @09:39PM (#11895742)
    With phishing, spyware, database theft... people picking thru your trash...

    How long before ANYONE'S identity has not been stolen?

    Seriously.

    Why not just put a fraud alert on everyone's credit reports and let's get it over with. You want to apply for credit? You'll have to jump through a few more hoops...

    The system as it is now is painfully broken.
  • by Anonymous Coward on Wednesday March 09, 2005 @09:40PM (#11895747)
    are the worse at security on everything? Not just the OS, but everything about it. They spend 5x as much money and STILL they do not get it right.

    • Microsoft isn't just a software company, they are a culture. The people that are attracted to Microsoft value the appearance of convenience to real utility, and they value the appearance of convenience over real security. In the end they don't get utility, security, or convenience.
  • by Anonymous Coward on Wednesday March 09, 2005 @09:41PM (#11895753)
    How long it will take someone to build a complete (may be 90%)databese of all americans thet will include SSN, DL#, Home address & Phone # etc. If this is the rate of privacy the thefts.

    How much it will be worth it and to whome it will worth it.
    • "No entry found for whome."

      from dictionary.com

      "whom
      pron.

      The objective case of who."

      Also, the word "whom" is pretty much only used by people who want to sound smarter.
      • by stg (43177)
        I liked "databese" more. I guess that would be a very fat database, which makes sense since it would have to be very large to have everyone's data.
      • From the Oxford English Dictionary:

        "whom, pron.

        Forms: [snip] 4-7 whome [snip]

        1551 TURNER Herbal I. Kv, We haue no herbe in Englande that I knowe to whome all thes hole descriptions do agre."

        From the same page:

        "The objective case of WHO: no longer current in natural colloquial speech."

        So while he might've been able to get away with 'to whome' 450 years ago, I don't ever recall 'worth' being a verb (at least not with his intended meaning). As a whole, the grammar (or lack thereof) of that post is

    • In Westlaw it's called "People Search." Type in a name and some other information, such as what state the person lives in and Westlaw will give you the person's current address, past addresses, social security number, phone numbers, what elections they voted in, pretty much everything. I had a chance to play around with it about a month ago and was able to find all of the above information about myself. I was pretty blown away. You could even find the above info on Congressman and other high ranking gover

  • by zymano (581466) on Wednesday March 09, 2005 @09:42PM (#11895757)
    Looks like Windows 2000/NT servers. [netcraft.com]

    Unpatched ?
    • Re:Windows Servers (Score:5, Informative)

      by odin53 (207172) on Wednesday March 09, 2005 @10:05PM (#11895881)
      The article says that the data stolen was collected by Seisint, which is a company that LexisNexis/Reed Elsevier acquired recently. Because of this, I doubt that looking up the netcraft report for www.lexisnexis.com will tell you much about where that data is stored.

      If you look up Seisint [netcraft.com], you'll see Linux/Solaris servers.
  • by Sheetrock (152993) on Wednesday March 09, 2005 @09:42PM (#11895759) Homepage Journal
    It can't be theft if the data is still there, right?
    • Actually, if you think about it, the data is really *taken* because the SSN is of little use as a secret personal identifier once more than one person knows about it. So yeah, I would equate that more easily with theft.

      </overanalysis>
  • by chiph (523845) on Wednesday March 09, 2005 @09:44PM (#11895769)
    I am a man, not a number!

    Signed, #6
  • by CRepetski (824321) on Wednesday March 09, 2005 @09:44PM (#11895770)
    The Washington Post has another article about this:
    http://www.washingtonpost.com/wp-dyn/articles/A19982-2005Mar9.html [washingtonpost.com]

    Most organizations have some sort of regulatory body. Does the data harvesting industry have this?

    Perhaps this should turn some heads in Congress now that we've got multiple cases of this insecurity. The question is, is Congress going to be able to do anything about it or will it be the same situation as with government computer security: Right now they just say "your security is bad" but that doesn't always fix the problem.

  • by SunFan (845761) on Wednesday March 09, 2005 @09:44PM (#11895772)

    I know only the name of my phone company, for example, but I have no clue who they contract with for data processing or billing or marketing. How can we ever really find out if a security problem at one company affects us? These back-end companies are generally companies that serve niche markets and practically no one has heard of them.

  • by mithras the prophet (579978) on Wednesday March 09, 2005 @09:56PM (#11895825) Homepage Journal
    Did anybody else think -- what the hell is LexisNexis doing with people's Social Security numbers? But it turns out that this is a subsidiary that gathers up consumer data. So it's not that you have to key in your SSN before doing a Lexis search these days.

    Though I'm sure Ashcroft^H^H^H^H^H Gonzales would like that idea...
  • The solution: Opt In (Score:5, Interesting)

    by sulli (195030) * on Wednesday March 09, 2005 @10:01PM (#11895853) Journal
    Of course the bastards will do everything in their power to prevent it, but the answer is federal regulations requiring the explicit permission of the affected parties before any data on any individual is sold to anyone.

    I don't want a bunch of strangers reading my dossiers (and I have had exactly this - I was affected by the ChoicePoint scam). If I had to approve every offering or sale of my data, I would have easily been able to block said scam.

    • Sad thing is that the marketers and creditors have a lot more pull with Congresscritters than "We the People" do these days. :-(

      Check out the recent bankruptcy law changes that are basically a thinly veiled gift to banks and credit card companies.

      It sucks. All of our data should be opt-in only, but who knows how bad it'll have to get before that happens.
    • This has affected you, and you seem to be a well-spoken individual. Would it be possible for you to set up a website dedicated to getting a law of that sort passed?

      If the site is put together properly and has a good forum system, then is posted on Slashdot, it should be able to get something done. Just make certain you have the contact information for senators and representatives in each state (they all have fairly easy numbers to find), contact info for Bush, some easy to fill-in templates to message these
  • Ephemeral data (Score:3, Interesting)

    by 1davo (692334) on Wednesday March 09, 2005 @10:03PM (#11895868) Journal
    Perhaps we need to keep our identity data offline.

    Our data should only live for the time it takes to make an online transaction; and not a femto-second longer.

    I want a "Mission Impossible" ID that self-destructs!

    How hard would this be to imple%$^? pfffttt __end_smoke_fx;

  • Legal comeback? (Score:2, Interesting)

    by danbond_98 (761308)
    What kind of comeback do people have if their data is misused as a result of this? I know in the UK the Data Protection Act would cover this kind of thing, but are there powers in the US to prosecute LexisNexis should their failure to protect your data cause you loss?
  • This comes on the heals of rival Check Point being breached...

    The company that was breached was Choice Point, not Check Point. Big difference as Check Point is a computer security company best known for their firewalls.
  • > select @thekey:=sha(sha(sha('thekey')));

    > select des_decrypt(socialsecurity,@thekey) from thetable where something='id';

    > '123-45-678'
    Or...

    SQL injection to dump the entire DB and see it all in plaintext.

    Is having plaintext data stolen worth not paying for an extra quad Xeon DB server to handle the additional encryption load?
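
The field-level encryption idea in the comment above, as an added example that is not part of the original post: it uses MySQL 8.0's AES_ENCRYPT/AES_DECRYPT in place of des_decrypt (deprecated in MySQL 5.7.6 and removed in 8.0.3). The table, column and variable names and the sample values are constructed for illustration.

```sql
-- Added example, MySQL 8.0 syntax. All names and values below are constructed.

-- Use AES-256 in CBC mode so each row gets its own IV
-- (the default mode, aes-128-ecb, uses no IV at all).
SET block_encryption_mode = 'aes-256-cbc';

CREATE TABLE profiles (
  id      INT PRIMARY KEY,
  name    VARCHAR(100)  NOT NULL,
  ssn_iv  BINARY(16)    NOT NULL,  -- per-row random IV, not secret
  ssn_enc VARBINARY(32) NOT NULL   -- ciphertext of the SSN, never the plaintext
);

-- Constructed 32-byte key. In a real deployment the application obtains the key
-- from a key store and binds it as a statement parameter over TLS; it is never
-- stored in the database. Note that key arguments can end up in server logs
-- if statement logging is enabled.
SET @k = UNHEX(SHA2('constructed demo passphrase', 256));

-- Write path: fresh IV per row, store IV and ciphertext.
SET @iv = RANDOM_BYTES(16);
INSERT INTO profiles (id, name, ssn_iv, ssn_enc)
VALUES (1, 'Constructed Person', @iv, AES_ENCRYPT('000-12-3456', @k, @iv));

-- Read path for a caller that holds the key.
SELECT name,
       CAST(AES_DECRYPT(ssn_enc, @k, ssn_iv) AS CHAR) AS ssn
FROM profiles
WHERE id = 1;

-- What a table dump, backup copy, or a connection without the key sees:
-- only the IV and ciphertext bytes.
SELECT id, name, HEX(ssn_iv) AS iv_hex, HEX(ssn_enc) AS ssn_ciphertext_hex
FROM profiles;

-- Decrypting with the wrong key does not yield the SSN
-- (normally NULL because the padding check fails).
SET @wrong = UNHEX(SHA2('some other passphrase', 256));
SELECT AES_DECRYPT(ssn_enc, @wrong, ssn_iv) IS NULL AS decrypt_failed
FROM profiles
WHERE id = 1;
```

A session variable holding the key is readable by any statement run on that connection, so an injection through the same connection can still call AES_DECRYPT. Encrypting in the application keeps the key out of the database session entirely.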
  • by cfulmer (3166) on Wednesday March 09, 2005 @10:14PM (#11895930) Homepage Journal
    It was information on 32,000 (anybody want to bet it was 32,768?) members of the public, not customers. Too bad, in a way -- Lexis is used most by lawyers, judges, congresspeople and so on -- had the Lexis customer data been hacked and say all the judges on the 5th Circuit or the Ohio congressional delegation had their identities stolen as a result, you'd probably see reform a whole lot faster.
    • I had lexis for a while. now westlaw, but for the lexis service, I have no recollection of giving them my SS#. We had to give firm name, lawyers who would use it, credit card unless we wanted to pay by check. But SS# ... not that. Aside from a credit card number, everything they got on me is already in the phone book. The problem here is with their subsidiary which is trying to collect information without people's assent. The subsidiary should be sued to hell by anyone who is affected. The irony would
  • Rivals? (Score:2, Informative)

    by psaindon (786791)
    I'm not sure how the two are really comparable as rivals. LexisNexis (along with their rival in the legal profession, http://www.westlaw.com/ [westlaw.com] ) provide excellent (as well as very expensive with searches running at over $70 per minute) coverage of court cases, codes, laws, public records, etc, which are all immensely helpful to legal types. Sure they have public records containing some personal information, but very little that isn't already available as public information (so things such as deeds, crimina
  • It's good to see they were not to be outdone by their rivals.

    Ever the entrepreneur I figure I can start my own identity company by making a certain purchase with cash.
  • by Anonymous Coward
    DSW's parent company, Retail Ventures, just issued the warning that thieves may have stolen credit card information for thousands of customers by hacking into the company's corporate database.

    It only affects credit card customers who used their cards the past three months at more than 100 stores nationwide. There are at least eight locations in North Texas.

    http://www.msnbc.msn.com/id/7137966/ [msn.com]
  • They're flippin' evil. I'm sure I'm not the only one out there who's revolted by the fact that private corporations are the only effective sources of legal (read: public domain) data and other such public information. Shouldn't the government offer a LexisNexis-type service for free?

    From the Wikipedia entry [wikipedia.org] on Lexis-Nexis; all emphasis mine:

    "LexisNexis is a popular searchable archive of content from newspapers, magazines, legal documents and other printed sources. Primary customers are lawyers and jou
    • Public records are free if you go down to the local courthouse and look up the information yourself.

      It's the digitizing of the information that costs money. LexisNexis (and many others) pay somebody $8-$10 an hour looking up public casefiles, writing the information down (or typing it into a laptop) and sending it back to headquarters.

      People are willing to pay (handsomely) to have this information at their fingertips when they need it, especially when it comes from a courthouse in another state.

      I suspec
    • LexisNexis must die anyhow. They're flippin' evil. I'm sure I'm not the only one out there who's revolted by the fact that private corporations are the only effective sources of legal (read: public domain) data and other such public information. Shouldn't the government offer a LexisNexis-type service for free?

      You make no sense. Why is LexisNexis evil for providing one-stop access to all that information? You say yourself "Shouldn't the government offer a LexisNexis-type service for free?" Doesn't th
  • by toupsie (88295) on Wednesday March 09, 2005 @10:38PM (#11896044) Homepage
    I'm changing my name to Holden McGroin. Let's see you try using that name in your ripoffs!
  • Tip Of The Iceberg
  • by dbIII (701233) on Wednesday March 09, 2005 @11:14PM (#11896299)
    They should not be storing this information, it should only be for government use. Realistically the implications are the same as the thieves getting your credit card number, expiry date and PIN.

    In this Homeland paranoia age where everything that is in the database must be right, you certainly don't want to see government ID numbers getting used in fraud. How do you go about getting a new Social Security number when the existing one is being used in fraud?

  • And if I recall, Adrian Lamo was thrown in prison because of discovering vulnerabilities such as this... he even used LexisNexis accounts.
  • Consumers Data Stolen
    The data belonged to "consumers" so it should be Consumers' Data Stolen. If you don't understand this, my seven-year-old daughter can explain it to you.
  • Thou shall not use my personal data without my expressed permission.

    Penalty is defined by the Copyright laws.

    Use it wisely, that is, if you can get my permission.
  • The story says "...ChoicePoint being breached for 145,000 profiles..." and the use of the word "breached" in particular makes it sound like hackers broke into their system when in fact ChoicePoint is in the business of selling personal information and just happened in this instance to have such inadequate vetting mechanisms that they sold the information on 145k people to clever identity thieves. Read more about this story at the Berkeley IP blog (bIPlog) [boalt.org].

"We learn from history that we learn nothing from history." -- George Bernard Shaw
