An internal investigation at the LexisNexis division of Reed Elsevier has uncovered evidence that as many as 310,000 more people may have had their personal information exposed to unauthorized individuals who compromised the security of a massive database of public and private information, including Social Security and drivers license numbers.
An in-depth review and analysis of two years' of search activity uncovered 59 incidents of unauthorized access to information, LexisNexis said in a statement. The news follows revelations in March that intruders used the IDs and passwords of legitimate LexisNexis customers to gain access to information on 30,000 people whose information was stored in "Multistate Anti-Terrorism Information Exchange," (MATRIX), a database and information retrieval system managed by LexisNexis's Seisint division. The latest report form the company expands the number of potential victims by 280,000.
LexisNexis did not immediately respond to request for comment. Seisint collects data on individuals that is used by law enforcement and private companies for debt recovery, fraud detection and other services.
LexisNexis, of Dayton, Ohio, Monday sent letters notifying those whose information may have been viewed during the incidents, and will offer free support services to those who are notified, including credit bureau reports, fraud insurance and credit monitoring services for one year. Individuals who have been victimized will be able to receive fraud counseling services, the company said.
In most of the 59 incidents uncovered by the investigation, the hackers stole passwords and IDs from legitimate Seisint customers who were legally permitted to view the sensitive information. The company's infrastructure was not hacked or penetrated, nor was customer data accessed or compromised, LexisNexis said.
The company will be improving customers' password and ID administration and security, according to the statement.
The new disclosures from LexisNexis bring the Seisint MATRIX database compromise into a league with ChoicePoint Inc., of Alpharetta, Georgia, which agreed in February to tell 145,000 potential victims that ID thieves, in a breach of its database, may have gained access to personal information such as Social Security numbers and credit reports.
Data breaches at ChoicePoint, LexisNexis and elsewhere have made data brokers the focus of intense scrutiny.
Since disclosing its security breach, ChoicePoint has been the subject of a U.S. Federal Trade Commission inquiry into its compliance with federal information security laws, a U.S. Securities and Exchange Commission (SEC) investigation into possible insider stock trading violations by its chief executive officer and chief operating officer, and lawsuits alleging violations of the federal Fair Credit Reporting Act (FCRA) and California state law.
In March, the company said it will stop selling sensitive consumer data to many of its customers, except when that data helps complete a consumer transaction or helps government or law enforcement.
Some members of Congress have also called for new laws that would regulate the type of information that can be gathered and shared.
A 2003 California state law, Senate Bill (SB) 1386, requires organizations that maintain computerized databases of personal information on state residents to notify them if the security of their private information is compromised. Experts have credited that law with prompting disclosure of the breaches at ChoicePoint and LexisNexis, even though many of those notified by the companies are not California residents.