After a high-profile security breach exposed personal data about thousands of customers, LexisNexis found that being forthright
was the best approach, according to a company executive.
By being forthcoming with the public and victims the company survived with minimal impact, said Leo Cronin, LexisNexis senior
director for information security, Tuesday at the Infosec Europe 2006 conference in London. The security breach hit LexisNexis,
which is owned by Reed Elsevier PLC, early last year.
"I think that's why we were so successful in dealing with this," Cronin said of the decision to be open and direct about the
breach. LexisNexis is breaking its silence over the incident to help educate and get feedback about approaches to breaches,
he said.
LexisNexis faced a worst-case scenario after it acquired Seisint Inc. of Boca Raton, Florida, in September 2004. Seisint is
a data broker, collecting personal information and providing it to law enforcement and private companies for services such
as debt recovery and fraud detection.
Attackers went after the service's "less sophisticated customers" with a social engineering ploy that left the identities
of up to 300,000 people at risk, Cronin said.
The company's customers received an e-mail with a pornographic lure, Cronin said. The mail also contained a worm and a keystroke
logger, which stole LexisNexis credentials, specifically for its risk management services, he said.
"It was very coveted data," he said. "I think we didn't really realize how much of a risk it was."
But when the damage became clear, LexisNexis made an immediate decision to be forthcoming and transparent about the breach,
he said. "We tried to do the best job we could," he said.
The company contacted all those who were affected by the attack using the framework of a California data security disclosure
law passed in 2003 as a guide, Cronin said.
The law is catching up after the high-profile cases of last year, including ChoicePoint Inc., a data broker that acknowledged
divulging sensitive personal information to identity thieves posing as customers. So far in the U.S., 20 states have implemented
notification laws, and a federal law is under consideration.
After the data breach, LexisNexis took several steps to implement stronger security, Cronin said. The company reviewed the
security of all its Web applications and created new procedures for verifying customers with access to sensitive data, he
said.
LexisNexis encouraged certain customers to sign up for antivirus software. It revamped online security access, looking at
password complexity and expiration times. The company also implemented measures to automatically detect anomalies in use of
its products to identity potential security problems, Cronin said.
LexisNexis learned other lessons. Passwords are dead, Cronin said, and two-factor authentication is recommended. But front-door
perimeter attacks are less likely than the persistent weak link: people.
"Attackers are effective at going after low hanging fruit," Cronin said.
REFERENCES:
Hackers grab LexisNexis info on 32,000 people, Mar. 9, 2005
ChoicePoint to give up some personal data sales, Mar. 4, 2005
ChoicePoint's error sparks talk of ID theft law, Feb. 23, 2005
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
