Business information provider LexisNexis is alerting customers that their personal information may have been obtained by a Mafia-connected criminal group.
This is not the first breach that LexisNexis has suffered, but it appears to be the most serious. In a notification about the breach sent to the New Hampshire State Department of Justice and obtained by InternetNews.com, LexisNexis claimed that company employee Lee Klein abused his access to a software product of Seisent, a unit of LexisNexis.
According to the grand jury indictment (available here in PDF format), filed in the U.S. District Court of Southern Florida in Fort Lauderdale, Klein acted as part of a team led by Thomas Fiore, an associate of the Bonanno crime family.
The indictment alleges that Fiore organized criminal activities and the payment of tribute to Bonanno members. It also said that Klein was responsible for obtaining data, personally identifiable information (PII), on individuals and corporations that could be used to create counterfeit checks, obtain consumer goods illegally, and identify wealthy people and members of law enforcement for assault and intimidation.
Other members of the group carried out the intimidation and also collected on usurious debts, organized high-stakes poker games with wealthy participants, and even obstructed a federal arson investigation, according to the indictment.
The charges mark only the latest indication that the Internet and the increasing digitization of consumer information may be facilitating crime. Frank Abagnale, the fraudster who inspired the movie “Catch Me If You Can” and who now advises law enforcement, said that fraud is 4,000 times easier now than when he did it decades earlier, thanks to digital technology.
But because of earlier breaches, LexisNexis must bear some of the responsibility, a security expert told InternetNews.com.
“We view privacy, security and compliance as a continuous process,” a LexisNexis representative said in an e-mail to InternetNews.com. “We have dedicated substantial resources within our company to maintaining and increasing the strength and quality of our security policies and practices and will continue to do so.”
Randee Golder, Lee Klein’s attorney in previous cases, told InternetNews.com that she could not comment on a pending investigation but did comment on the grand jury indictment.
“Those are unproven allegations — that’s all a grand jury indictment is,” she said.
LexisNexis had plenty of warning in the form of earlier breaches, but the other LexisNexis breaches do not appear to be related to the Mafia.
This year, Yomi Jagunna (also known as Donald S. Elam), ran a business that also had access to a Seisent product and was indicted in the U.S. District Court of New Jersey in Newark for credit card fraud, bank fraud, and identity theft. In one case, Jagunna and his unnamed associates attempted to transfer $675,000 out of a victim’s account, according to the charges.
From 2004 to 2007, according to earlier LexisNexis breach notifications, criminals with access to LexisNexis and its ChoicePoint databases obtained PII and used that information to set up mailboxes and to obtain credit cards, perpetrating credit card fraud.
In 2007, someone obtained the credentials of two members of law enforcement and used them to obtain access to PII, while the credentials of a member of local New Hampshire law enforcement agent were used to access PII, according to LexisNexis breach notifications.
What to do
The news also may serve to further highlight how companies can better protect their data, security experts said.
For instance, organizations need to have a role-based approach to access. They need to know who is accessing what data and they need to be able to change privileges when people’s jobs change, according to Brian Cleary, vice president of products and marketing at access governance software provider Aveksa.
“In this economic climate, it’s not just the Mafia that is interested in [PII],” he told InternetNews.com. “Other networks also want to leverage that data for fraud and for other forms of organized crime.”
Individuals may behave badly on their own, he added. “It could be individuals within an organization that are looking to profit from it on any criminal market,” he said.
IT organizations are already struggling with the problem of insider threats. Today, Cisco highlighted the issue in its midyear threat report.
Aveksa’s Cleary said that with the right software framework, risks can be mitigated, but not eliminated.
“The software can run a set of controls against a request for new access or changes to access,” he said.
Still, Cleary admitted that IT does not usually have the resources to face this threat alone.
“IT organizations have been told to deliver business assurance but also to reduce the number of dollars spent. Those are two opposing objectives,” he said. “I suggest that IT organizations think more of a collaborative approach,” which could entail working with audit teams and business leaders to improve security.
Many IT teams are focused on compliance, but they should be working on best practices, delivering security that goes beyond what compliance demands, he added.
“We have customers that don’t have regulations to follow that are concerned with the possible loss of brand value and reputation, and they put these controls in place without the requirements of regulations,” Cleary said.