A data security breach at LexisNexis' online information service resulted in thousands of customers potentially losing their identities to scammers.
LexisNexis Group notified more than 32,000 people Friday that their information may have been stolen and used in a credit card scam that involved stealing names, birth dates and Social Security numbers to set up fake credit card accounts. The cybercriminals broke into USPS mailboxes of businesses that contained LexisNexis database information, according to a breach notification letter sent by LexisNexis to its customers. The U.S. Postal Inspection Service is investigating the matter.
Up to 300 people may have been defrauded, according to a CBS news report. A second online firm, Investigative Professionals, which conducts background checks, may also have been breached, USPS said.
LexisNexis said the data was compromised between June 14, 2004 and October 10, 2007. The company said it waited to inform its customers at the request of the USPS. It is offering customers a one-year subscription to a credit monitoring service that includes access to credit reports and identity theft insurance.
In 2005, LexisNexis said up to 310,000 customer identities were at risk after hackers broke into accounts using stolen IDs and passwords of legitimate customers.
At that time, the scammers used a spam email campaign to trick LexisNexis customers into downloading a keylogging Trojan. The keylogger harvested user names and passwords, giving the scammers access to the accounts. The roughly 310,000 records were harvested during 59 separate visits to a database managed by Seisint, which LexisNexis acquired in 2004.
While keyloggers are still used by hackers to gain access to password protected accounts, many businesses are defeating them by implementing the use of secondary authentication devices (two-factor authentication), said Graham Cluley, senior technology consultant with UK-based Sophos.
Tokens and smart cards, used more heavily in Europe and Asia, generate a one-time passcode that the user must enter at login in addition to the password; because the code changes with every use or every short time window, a keylogger that captures it gains little.
"That means even if username/password are stolen, hackers will not be able to breach the account as they won't have access to the randomly generated passcode," Cluley said.
It's unclear when the breach was discovered and how long it took LexisNexis to notify customers. Despite the notification, the breach serves as a reminder about how difficult it is to defend against cybercriminals, Cluley said.
"Organizations need to do much more to make sure that they are not the next company making the headlines with this kind of bad news story," Cluley said. "It's clear that the confidence of more and more people in institutions is being shaken by the parade of stories we hear about data leaks."
In its letter sent out last week, LexisNexis said it implemented a new "standards-based security control framework that drives protections for our network, access, and monitoring of product use to detect and respond to potentially fraudulent activity." The company is also now limiting access to sensitive personally identifiable information unless there is a critical business need.
"LexisNexis has implemented numerous policies, procedures and standards that set forth clear parameters for data governance across the organization and for customers," the company said.