LexisNexis, the world’s largest information database for legal and public records, is one of three major providers of social security numbers, birth dates and other personal information hacked by online operators of a criminal identity theft service.
Earlier this month a tiny unauthorized program, installed on two LexisNexis servers on April 10, 2013, was discovered. The company claims that an FBI investigation has “to date found no evidence that customer or consumer data were reached or retrieved,” though the targeted data is presumably intended for use in identity theft and fraud.
The program was carefully engineered to avoid detection. Virustotal.com, which scans files with 46 of the top anti-malware and anti-virus tools for signs of malicious behaviour, gave it a clean bill of health. According to Greg Alterson of risk management consultancy Neohapsis, it is common for large organizations to fail to detect network intruders for months. Security is an afterthought.
This is not the first security breach for the company. LexisNexis had over 300,000 personal records, including social security numbers and driver’s license information, stolen in 2005. One of the teenage hackers charged claimed that LexisNexis security was “really bad.” A LexisNexis spokesperson declined to say when the current intrusion was discovered or whether the company could assure clients that personal data was not stolen.
According to KrebsOnSecurity, SSNDOB.ms [Social Security Number Date Of Birth] website admins were responsible for the security breach. SSNDOB, a reliable and affordable underground cybercrime service for customers to look up Social Security numbers, birthdays and other personal data on any U.S. resident for a fee, tapped into the internal systems of LexisNexis and other large data brokers. Pat Peterson, CEO of messaging security firm Agari, says, “While we don’t yet know whose data has been compromised, millions of Americans are now at risk as the criminals knit the stolen data together with their attacks to go after identity theft and bank accounts.”