[Dataloss] LexisNexis finds disclosure meant less pain in data theft

Richard Forno rforno at infowarrior.org
Tue Apr 25 20:38:17 EDT 2006


LexisNexis finds disclosure meant less pain in data theft
At InfoSec conference, the company found that being open about breach paid
off

http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/04/25/77752_HNinfosecdatatheft_1.html

By Jeremy Kirk, IDG News Service

April 25, 2006
After a high-profile security breach exposed personal data about thousands
of customers, LexisNexis found that being forthright was the best approach,
according to a company executive.

By being forthcoming with the public and victims, the company survived with
minimal impact, said Leo Cronin, LexisNexis senior director for information
security, Tuesday at the Infosec Europe 2006 conference in London. The
security breach hit LexisNexis, which is owned by Reed Elsevier PLC, early
last year.

"I think that's why we were so successful in dealing with this," Cronin said
of the decision to be open and direct about the breach. LexisNexis is
breaking its silence over the incident to help educate and get feedback
about approaches to breaches, he said.

LexisNexis faced a worst-case scenario after it acquired Seisint Inc. of
Boca Raton, Florida, in September 2004. Seisint is a data broker, collecting
personal information and providing it to law enforcement and private
companies for services such as debt recovery and fraud detection.

Attackers went after the service's "less sophisticated customers" with a
social engineering ploy that left the identities of up to 300,000 people at
risk, Cronin said.

The company's customers received an e-mail with a pornographic lure, Cronin
said. The mail also contained a worm and a keystroke logger, which stole
LexisNexis credentials, specifically for its risk management services, he
said.

"It was very coveted data," he said. "I think we didn't really realize how
much of a risk it was."

But when the damage became clear, LexisNexis made an immediate decision to
be forthcoming and transparent about the breach, he said. "We tried to do
the best job we could," he said.

The company contacted all those who were affected by the attack using the
framework of a California data security disclosure law passed in 2003 as a
guide, Cronin said.

The law is catching up after the high-profile cases of last year, including
ChoicePoint Inc., a data broker that acknowledged divulging sensitive
personal information to identity thieves posing as customers. So far in the
U.S., 20 states have implemented notification laws, and a federal law is
under consideration.

After the data breach, LexisNexis took several steps to implement stronger
security, Cronin said. The company reviewed the security of all its Web
applications and created new procedures for verifying customers with access
to sensitive data, he said.

LexisNexis encouraged certain customers to sign up for antivirus software.
It revamped online security access, looking at password complexity and
expiration times. The company also implemented measures to automatically
detect anomalies in use of its products to identify potential security
problems, Cronin said.

LexisNexis learned other lessons. Passwords are dead, Cronin said, and
two-factor authentication is recommended. But front-door perimeter attacks
are less likely than the persistent weak link: people.

"Attackers are effective at going after low hanging fruit," Cronin said.
