On May 1, CBS News reported:
"Companies Lexis Nexis and Investigative Professionals have notified up to 40,000 people whose “sensitive and personally identifiable” information may have been viewed by individuals who should not have had access. The United States Postal Inspection Service is investigating a data breach at both companies..."
Investigative Professonals performs background checks for individuals and companies.
This breach is important for a couple reasons. First, since the breach occurred between June 14, 2004 and October 10, 2007, this is the longest post-breach delay of consumer notification I have heard: two years. CBS News also reported:
"... the data breach is linked to a Nigerian Scam artist who used the information to incur fraudulent charges on victims’ credit cards. Peter Rendina, a spokesman for the Postal Inspectors Service said that of the 40,000 individuals whose information was accessed, up to 300 were compromised and used to obtain fraudulent credit cards."
Second, the breach is not only credit card theft and fraudulent credit card charges, but also credit fraud since the thieves obtained new credit in the breach victims' names. The CBS News story included the text of the consumer breach notification. Social Security numbers were stolen -- a key element of sensitive personal data for thieves to obtain new credit:
"... sensitive personally identifiable information about you may have been viewed by a few individuals who should not have had access to such information. These individuals were operating businesses that at one time were both ChoicePoint and LexisNexis (hereafter “LexisNexis”) customers, but are no longer. Please be aware that the United States Postal Inspection Service, a federal law enforcement agency investigating this matter, has already notified you directly if it has reason to believe you have been an actual victim of a crime... By utilizing fraudulently-opened mail boxes at commercial mail receiving businesses and personal information of United States residents obtained via LexisNexis, these individuals were able to apply for and obtain fraudulent credit cards...the information accessed may have included your name, date of birth, and/or social security number... the USPIS instructed LexisNexis to delay notifying you until the completion of the USPIS investigation."
Third, this is not the first breach at Choicepoint, acquired by Lexis-Nexs in 2008. After selling its reports to identity thieves in 2005 for about 160,000 consumers, Choicepoint settled with the FTC and paid fines of $10 million in civil penalties and $5 million in consumer redress. Choicepoint seems to have a history of, a) aggressively selling its reports to other companies, some of whom have been identity thieves; b) poor at customer service, and c) lax when it comes to data security. Choicepoint doesn't seem consumer friendly, and it it went out of business tomorrow, I wouldn't shed a tear.
Fourth, Lexis-Nexis offered its breach victims credit monitoring services from Experian. This is a good start, but it's not enough. (Read my review of Experian's service.) Lexis-Nexis should pay the fees for its breach victims' Security Freezes on their credit reports at all three major credit reporting agencies. Why? A Security Freeze is stronger than a Fraud Alert. A Security Freeze will stop thieves from obtaining new credit. Credit monitoring only helps consumers discover fraudulent entries in their credit reports after the fact. Security Freezes help prevent some types of fraud before it can happen.
I checked the United States Postal Inspection Service site (USPIS) for additional information about the breach and its investigation. The Press Releases section of the site featured the latest press releases from 2007. What?! There's nothing more recent?
I also checked the Investigations section of the USPIS site. That was disappointing, since the site section discusses the types of investigations the USPIS performs and not the results of on-going investigations. The USPIS site needs to do a lot more to inform consumers about the status of its investigation, especially victims of the Lexis-Nexis breach. What identity thieves were arrested? What criminals were prosecuted? Is restitution being demanded from the criminals? Neither the USPIS nor Lexis-Nexis are saying.
Two years is a long time to delay a breach notification to consumers. The results of the investigation should justify the delay and be made public. I encourage consumers to contact the USPS Inspector General and your elected officials in Congress.