By Jeremy Kirk
IDG News Service
April 25, 2006
After a high-profile security breach exposed personal data about
thousands of customers, LexisNexis found that being forthright was the
best approach, according to a company executive.
By being forthcoming with the public and victims the company survived
with minimal impact, said Leo Cronin, LexisNexis senior director for
information security, Tuesday at the Infosec Europe 2006 conference in
London. The security breach hit LexisNexis, which is owned by Reed
Elsevier PLC, early last year.
"I think that's why we were so successful in dealing with this,"
Cronin said of the decision to be open and direct about the breach.
LexisNexis is breaking its silence over the incident to help educate
and get feedback about approaches to breaches, he said.
LexisNexis faced a worst-case scenario after it acquired Seisint Inc.
of Boca Raton, Florida, in September 2004. Seisint is a data broker,
collecting personal information and providing it to law enforcement
and private companies for services such as debt recovery and fraud
Attackers went after the service's "less sophisticated customers" with
a social engineering ploy that left the identities of up to 300,000
people at risk, Cronin said.
The company's customers received an e-mail with a pornographic lure,
Cronin said. The mail also contained a worm and a keystroke logger,
which stole LexisNexis credentials, specifically for its risk
management services, he said.
"It was very coveted data," he said. "I think we didn't really realize
how much of a risk it was."
But when the damage became clear, LexisNexis made an immediate
decision to be forthcoming and transparent about the breach, he said.
"We tried to do the best job we could," he said.
The company contacted all those who were affected by the attack using
the framework of a California data security disclosure law passed in
2003 as a guide, Cronin said.
The law is catching up after the high-profile cases of last year,
including ChoicePoint Inc., a data broker that acknowledged divulging
sensitive personal information to identity thieves posing as
customers. So far in the U.S., 20 states have implemented notification
laws, and a federal law is under consideration.
After the data breach, LexisNexis took several steps to implement
stronger security, Cronin said. The company reviewed the security of
all its Web applications and created new procedures for verifying
customers with access to sensitive data, he said.
LexisNexis encouraged certain customers to sign up for antivirus
software. It revamped online security access, looking at password
complexity and expiration times. The company also implemented measures
to automatically detect anomalies in use of its products to identity
potential security problems, Cronin said.
LexisNexis learned other lessons. Passwords are dead, Cronin said, and
two-factor authentication is recommended. But front-door perimeter
attacks are less likely than the persistent weak link: people.
"Attackers are effective at going after low hanging fruit," Cronin
REFERENCES: Hackers grab LexisNexis info on 32,000 people, Mar. 9,
2005 ChoicePoint to give up some personal data sales, Mar. 4, 2005
ChoicePoint's error sparks talk of ID theft law, Feb. 23, 2005
InfoSec News v2.0 - Coming Soon!