LexisNexis And Other Major Data Brokers Hacked By Identity Theft Service

Late last week, the Krebs On Security blog reported that several major data brokers were hacked by an identity theft service, with malware planted on their Internet-connected computers to steal consumers' sensitive personal information. These major data brokers sell information such as consumers' addresses, Social Security Numbers, dates of birth, credit information, and background reports -- information often used by potential employers for verification tasks.

The whole sordid affair revolves around this identity theft service's website:

"... ssndob[dot]ms... has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks..."

Ssndob[dot]ms (a/k/a SSNDOB) never revealed the sources of the information in its database, but after a series of hacks during 2013:

"... the source of the data sold by SSNDOB has remained a mystery. That mystery began to unravel in March 2013, when teenage hackers allegedly associated with the hacktivist group UGNazi showed just how deeply the service’s access went. The young hackers used SSNDOB to collect data for exposed.su, a Web site that listed the SSNs, birthdays, phone numbers, current and previous addresses for dozens of top celebrities... But late last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicate that these individuals also were responsible for operating a small but very potent botnet... This botnet appears to have been in direct communications with internal systems at several large data brokers..."

A botnet is a group of hacked computers controlled remotely by identity thieves. Each hacked computer in the botnet has malware installed on it, which allows the thieves to direct the computer to perform certain tasks. Often, the victims are unaware of the malware and activity performed by their hacked computers.

In this instance, the tasks appear to have been to copy and transmit consumers' sensitive personal and financial information. The hacked computers, or servers, are owned by three major data brokers: Lexis-Nexis, Dun & Bradstreet (D&B), and Kroll Background America.

Krebs On Security described the sophisticated botnet malware on the hacked servers:

"... it was carefully engineered to avoid detection by antivirus tools. A review of the bot malware in early September using Virustotal.com... gave it a clean bill of health: none of the 46 top anti-malware tools on the market today detected it as malicious (as of publication, the malware is currently detected by 6 out of 46 anti-malware tools at Virustotal)."

Consumers should know that all three companies collect consumers' sensitive personal and financial information. Reportedly, the data brokers are working with both law enforcement and technology vendors to investigate the extent of the data breaches. So, this story is far from finished.

These data breaches at data brokers -- where plenty of consumers' sensitive personal and financial information is stolen -- are huge problems because a lot of today's business, including online activity, rests upon the assumption that only the real you knows your Social Security Number and related identifying information. The background verification systems sold by data brokers have been built upon this assumption. The Washington Post's Andrea Peterson summarized the problem:

"... anyone who has access to a comprehensive database that contains this kind of information can impersonate you."

This makes data security by data brokers even more important. So, the data security failures in these breaches are huge and not to be underestimated. Unfortunately, this is not the first data breach at LexisNexis. A 2005 data breach at LexisNexis included the theft of 310,000 records about consumers. A 2009 breach at LexisNexis affected 40,000 persons. Another, separate data breach in 2009 allegedly had ties to organized crime.

Readers of this blog may remember that my sensitive personal information was exposed/stolen during a 2007 data breach at IBM. IBM hired Kroll for its post-breach response. During the mid-1980s I worked for three years at Lexis-Nexis headquarters in Dayton, Ohio as a marketing manager. Attorneys, in both law firms and corporate legal departments, use Lexis-Nexis frequently for both legal and business research.

In 2007, this blog reviewed ChoicePoint. LexisNexis acquired ChoicePoint in 2008. In 2006, ChoicePoint settled with the FTC and paid about $15 million, the largest civil fine at that time for a data breach. At least 800 cases of identity theft and fraud resulted from the breach. The fine resulted from an investigation which found that the company sold the credit histories of 163,000 consumers to business clients that didn't have a legitimate purpose to use that information, and that the company failed to provide adequate data security -- both as required by federal law.

I was surprised that Kroll's servers were hacked. Kroll's reputation is based upon it being a knowledgeable and technically savvy vendor skilled at data security.

[October 2, 2013 update: the Russian hackers also accessed and stole data from the National White Collar Crime Center.]
