LexisNexis finds disclosure meant less pain in data theft

After a high-profile security breach exposed personal data about thousands of customers, LexisNexis found that being forthright was the best approach, according to a company executive.

By being forthcoming with the public and victims the company survived with minimal impact, said Leo Cronin, LexisNexis senior director for information security, Tuesday at the Infosec Europe 2006 conference in London. The security breach hit LexisNexis, which is owned by Reed Elsevier PLC, early last year.

"I think that's why we were so successful in dealing with this," Cronin said of the decision to be open and direct about the breach. LexisNexis is breaking its silence over the incident to help educate and get feedback about approaches to breaches, he said.

LexisNexis faced a worst-case scenario after it acquired Seisint Inc. of Boca Raton, Florida, in September 2004. Seisint is a data broker, collecting personal information and providing it to law enforcement and private companies for services such as debt recovery and fraud detection.

Attackers went after the service's "less sophisticated customers" with a social engineering ploy that left the identities of up to 300,000 people at risk, Cronin said.

The company's customers received an e-mail with a pornographic lure, Cronin said. The mail also contained a worm and a keystroke logger, which stole LexisNexis credentials, specifically for its risk management services, he said.

"It was very coveted data," he said. "I think we didn't really realize how much of a risk it was."

But when the damage became clear, LexisNexis made an immediate decision to be forthcoming and transparent about the breach, he said. "We tried to do the best job we could," he said.

The company contacted all those who were affected by the attack using the framework of a California data security disclosure law passed in 2003 as a guide, Cronin said.

The law is catching up after the high-profile cases of last year, including ChoicePoint Inc., a data broker that acknowledged divulging sensitive personal information to identity thieves posing as customers. So far in the U.S., 20 states have implemented notification laws, and a federal law is under consideration.

After the data breach, LexisNexis took several steps to implement stronger security, Cronin said. The company reviewed the security of all its Web applications and created new procedures for verifying customers with access to sensitive data, he said.

LexisNexis encouraged certain customers to sign up for antivirus software. It revamped online security access, looking at password complexity and expiration times. The company also implemented measures to automatically detect anomalies in use of its products to identity potential security problems, Cronin said.

LexisNexis learned other lessons. Passwords are dead, Cronin said, and two-factor authentication is recommended. But front-door perimeter attacks are less likely than the persistent weak link: people.

"Attackers are effective at going after low hanging fruit," Cronin said.

REFERENCES:
Hackers grab LexisNexis info on 32,000 people, Mar. 9, 2005
ChoicePoint to give up some personal data sales, Mar. 4, 2005
ChoicePoint's error sparks talk of ID theft law, Feb. 23, 2005