Information publisher Reed Elsevier said scammers had abused one of its LexisNexis databases, accessing information that should have been available only to its legitimate customers.
In a statement, Reed Elsevier said third parties misappropriated the IDs and passwords of paying customers of its Seisint subsidiary.
The system broke down when crooks were able to use the passwords of legitimate customers to access LexisNexis’ records. The company discovered the problem during a review of the verification, authorization and security procedures and policies for its businesses.
“Information on approximately 32,000 individuals may have been fraudulently accessed in these incidents,” the statement read. The information included names, addresses, Social Security numbers and driver’s license numbers, but not credit history, medical records or financial information. The company refused to comment beyond prepared statements.
LexisNexis, a subsidiary of Reed Elsevier, acquired Seisint in September 2004 for $775 million, along with its products, Securint and Accurint. Securint provides background screening services for employers, landlords and volunteer organizations. Accurint can be used to locate individuals for purposes such as debt recovery and legal investigations.
LexisNexis now operates the services as part of its own U.S. Risk Management business, and they’re used by law enforcement, homeland security, banks and other businesses to reduce credit card and insurance fraud.
The Accurint Web site touts, “You won’t believe what you can do with a quarter! Find people, businesses and their assets. Obtain deep background information. Uncover bankruptcies and criminal histories.”
Users can sign up to search “33 billion records” by filling out a form, offering a credit card number and a copy of a business or professional license.
“It could be quite easy for an individual to do that, especially if you create a legitimate business use,” Beth Givens, executive director of Privacy Rights Clearinghouse, said.
For example, someone could register with a city as a landlord to obtain an inexpensive business license.
“You don’t even have to spend money at these fee-based services, you can find a lot of Social Security numbers on public records that have been posted by government agencies, especially at the local and county level,” Givens said.
Pam Dixon, executive director of the World Privacy Forum, said privacy advocates considered Seisint “loosey-goosey” in its practices. “I thought that by NexisLexis purchasing them, it would clean it up. They must have known Seisint was loosey-goosey and done a security audit.”
Givens said she had been surprised that LexisNexis purchased Seisint. “I thought, ‘They’re purchasing a problematic product,’” she said. “And now we know.”
According to the latest FBI statistics, identity theft remains a blight on society. Of the 635,173 complaints lodged by consumers in 2004, 39 percent involved identity theft, most frequently the use of stolen credit card numbers.
The Seisint data theft is the second major snafu to be revealed this year. On February 18, in what Dixon called “the Exxon Valdez of privacy,” ChoicePoint said it had been a victim of criminal fraud, when it was duped into releasing personal data on approximately 145,000 U.S. citizens.
On Thursday, the Senate Banking, Housing and Urban Affairs Committee will hear from ChoicePoint, Bank of America, the U.S. Secret Service and others on the rise of identity theft.
Reed Elsevier said LexisNexis would enhance ID and password administration procedures and requirements for customers; encourage its customers to respect consumers’ privacy; and stay in touch with law enforcement to devise ideas for thwarting criminal activities.
But any system that sells such personal information is at risk, Givens said.
Reed Elsevier said it’s working with the FBI and will notify customers whose data may have been accessed “in the coming days.” It will provide them with monitoring services to make sure that if the bad guys use their information, consumers can detect it quickly.
“The only positive thing is that at least they’re notifying everyone without being heckled into it, like ChoicePoint had to be,” Dixon said.
ChoicePoint went public months after it found out about the improper database access, because a California state law requires notice to consumers in such cases.
In the same statement acknowledging the stolen passwords and improper access of its records, Reed Elsevier reassured investors that it would still meet its 2005 financial targets, including at least 5 percent organic revenue growth.
Updates prior version to correct spelling of Seisint.