LexisNexis security breach probed

by Leonor Albino, Schooley Mitchell on May 7, 2009

The security breach that compromised about 310,000 LexisNexis accounts is now under investigation by the U.S. Postal Inspection Service.

LexisNexis has already sent notification to 32,000 individuals whose personal information was stolen.

The fraudulently accessed information included names, birth dates and Social Security numbers. These were used to create phony credit card accounts.

According to a notification letter sent by LexisNexis to its customers, the hackers used stolen customer IDs and passwords to gain access to USPS mailboxes of businesses that included LexisNexis members’ information.

Cybercriminals used a spam email campaign to trick LexisNexis customers into downloading a keylogging Trojan, which then harvested users’ login information. Other users’ account information was obtained from the database of Seisint, which is owned by LexisNexis.

The hacking, which CBS said was the handiwork of a Nigerian scammer, went on for nearly three years, from June 14, 2004 to October 10, 2007.

USPS said the database of another company, Investigative Professionals, may have also been compromised. About 300 users of the credit check company and LexisNexis have been victimized.

LexisNexis said it has only recently started notifying customers at the request of the USPS. The company now offers affected customers a year’s subscription to fraud insurance and credit bureau reports.

Officials of LexisNexis said they have already tightened security to prevent unscrupulous individuals from gaining access to their database.

LexisNexis started in 1973 and is currently one of the largest online database services operating in cyberspace. It allows professionals around the globe access to thousands of publications related to news, law, technology, medicine, government, business, and finance, among others.

LexisNexis users can access the information through a single search interface. They are required to create an account before they can use the site. Member subscriptions are estimated at 5 million.

While keyloggers are still being used by hackers to gain entry to password-protected accounts, many businesses have been able to protect themselves by employing secondary authentication devices, or two-factor authentication, says a senior technology consultant at UK-based Sophos.

Graham Cluley says European and Asian companies now use tokens and smart cards which allow users to log in to their accounts using a random number, SecuritySearch.com reports. This means that, even if the hacker knows a user’s login ID and password, he still can’t access the account until he correctly verifies the random passcode.
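To make the point concrete, here is an added example (not part of the original article) of a login check that requires both a password and a one-time passcode. It assumes the token implements HOTP as defined in RFC 4226, which the article does not specify; the Account class, the password and the salt are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Account:
    """Hypothetical server-side account record (assumption, for illustration)."""

    def __init__(self, password: str, token_secret: bytes):
        self._salt = b"constructed-salt"      # constructed sample value
        self._pw_hash = self._hash(password)
        self._secret = token_secret
        self._counter = 0                     # next token counter the server accepts

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str, passcode: str, window: int = 3) -> bool:
        # Factor 1: something the user knows.
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return False
        # Factor 2: a code only the token can produce; a small look-ahead
        # window tolerates button presses the server never saw.
        for c in range(self._counter, self._counter + window):
            if hmac.compare_digest(hotp(self._secret, c), passcode):
                self._counter = c + 1         # burn this code and all earlier ones
                return True
        return False

def demo():
    secret = b"12345678901234567890"          # RFC 4226 test secret
    acct = Account("constructed-password", secret)
    # What a keylogger would record from one legitimate login:
    logged_pw, logged_code = "constructed-password", hotp(secret, 0)
    first = acct.login(logged_pw, logged_code)        # the user's own login
    replay = acct.login(logged_pw, logged_code)       # same keystrokes, later
    pw_only = acct.login(logged_pw, "000000")         # password without the token
    next_ok = acct.login(logged_pw, hotp(secret, 1))  # user with the token in hand
    return first, replay, pw_only, next_ok
```

Because the server advances its counter after each successful login, keystrokes recorded from one session, including the passcode, are rejected when presented again.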

“Organizations need to do much more to make sure that they are not the next company making the headlines with this kind of bad news story,” says Cluley. “It’s clear that the confidence of more and more people in institutions is being shaken by the parade of stories we hear about data leaks.”

According to IdentityTheft.info, some 500 million user records held by government and corporate institutions all over the country have been fraudulently accessed since 2004, although security breaches only started to be taken seriously in 2005.

IdentityTheft.info estimates that every resident of the United States has had his or her personal information exposed to cybercriminals.

The institutions on IdentityTheft’s list of compromised databases include the Virginia Department of Health Professions, where personal records of 8 million patients were hacked; Heartland Payment Systems, where 100 million account holders were victimized; the Oklahoma Housing Finance Agency, where accounts of 90,000 families were compromised; the SeekingArrangement website, where 300,000 victims were reported; and the New York City Police Department, where pension records of 80,000 members were hacked.

According to the latest State of the Net survey of the Consumer Reports National Research Center, 1 in 5 online users has fallen prey to cybercriminals over the last two years.  The total cost was pegged at $8 billion. Consumer Reports says the rate has not ebbed in the 5 years that it has been monitoring the incidents.

In an international survey among security professionals at the recent e-Crime Congress in London, Websense reports that 30 percent believe senior company officials should face imprisonment for security negligence. Sixty-two percent say the company should pay fines, while 68 percent think affected users must be compensated.

The Federal Trade Commission gives tips to consumers to protect themselves against identity theft.

The FTC also tells businesses how to report data breach incidents, as well as how to notify their customers.

IdentityTheft advises victims of identity theft to ask the notifying company to provide a year’s free monitoring of their credit report.
