DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

He’s not after your heart, just your data

Posted on July 19, 2009 by Dissent

Linda McGlasson, Managing Editor at BankInfoSecurity.com, wrote this piece on the LexisNexis breach first reported by Robert McMillan of IDG News Service. It is reproduced from Information-Security-Resources.com:

Lexis-Nexis made public notification of a data breach that federal authorities say is tied to a New York mafia crime family.

The New York-based company has sent more than 13,000 letters to former customers whose personal data may be at risk. The 13,000 customers may have been targeted for extortion and identity theft.

Earlier in May, the U.S. Attorney General’s office in Southern District of Florida handed down an indictment charging 11 men with racketeering conspiracy.

The 11 had ties to the Bonnano organized crime family.

“The former Seisint customer involved in this matter should have provided notice to potentially affected individuals,” says a Lexis-Nexis representative (Seisint is a company owned by Lexis-Nexis). “However, because the customer is no longer in business, we provided the notice.”

The alleged suspect, Lee Klein, one of the 11 charged in the indictment, “was an employee of a former Seisint customer who misused his employer’s Accurint access. As such, we notified all individuals whose information could have been viewed in connection with the limited searches that law enforcement believed were unauthorized. We provided notice in accordance with the law because the customer was no longer in business,” the Lexis-Nexis representative says.

Accurint is used by law enforcement and other entities to verify identity and locate people. Lexis-Nexis says 13,329 letters were sent to individuals on behalf of Seisint’s former customer in connection with this investigation.

How it Happened

According to the indictment, Klein worked for the criminal “crew” of Thomas Fiore, an associate of the Bonanno organized crime family.

The indictment alleges that Klein illegally used “information obtained from computer databases in order to acquire identification information regarding potential victims of extortion” and people suspected by Fiore’s criminal organization of being involved with law enforcement.

Klein allegedly provided Fiore with “corporation names, addresses and account numbers to facilitate the manufacture and negotiation of counterfeit checks.”

In addition, the indictment alleges that members of the criminal crew used threats of force and violence, including conspiracy to commit murder, to advance the objectives of the enterprise.

Security Experts React to Mob Ties

“Although sensational in its headline ‘Mob Steals Data,’ we perhaps should focus on how the data was accessed and what was contained in the information,” says Information-Security-Resources.com Cyber-Security Editor and privacy expert Kevin Nixon, CISSP, CISM, CGEIT. “We are experiencing some most extraordinary events related to global businesses, economics and confidential information movement via the merger and acquisition of companies, networks, databases and entire systems.”

Analyst Nick Holland sees this case is indicative of the way that data breaches are becoming the work of organized crime syndicates, both overseas and domestically. “The relative ease with which sensitive data can be acquired by either high tech (malware) or low tech (placing a criminal within an organization) means makes it attractive for organized criminals that have the resources to execute such attacks,” says Holland, of the Aite Group.

The Bonanno crime family was making money from the sale of unauthorized identification documents (including social security numbers and health and life insurance applications). “If the mafia considers that selling sensitive information is a legitimate line of business, then clearly the days of just amateurs committing breaches are well behind us,” Holland observes.

The increased presence of organized crime in computer-related crime is troubling to say the least, says information security expert Avivah Litan, an analyst at the Gartner Group. “This is something I’ve been hearing from law enforcement and prosecutors for some time, that organized crime is becoming involved in identity theft. It’s not just the Russian mob or the new mafia that is becoming involved in this, it’s the old mafia too. Why? Because it is a much simpler crime, they can put down their guns and there’s no blood involved,” Litan notes.

One of the “old school” tactics that the organized crime figures use, says Litan, is going to the local watering holes and seducing young girls and finding out where they work. The mob’s tactic of dating new employees who work at companies that have access to customer data leads to Litan’s warning, “He’s not after your heart; he’s after your data.”

Not Just Stealing Data

The wide array of crimes listed in the indictment shows Litan that they’re not just stealing data. “The law enforcement and cybercrime experts are telling us that they’re involved in a wide variety of criminal activities. It’s not just identity theft; they’re doing all the bad stuff because they’re bad guys.”

The vast majority of data breaches involve sensitive information going missing, but not resulting in actual fraud, says Tom Wills, senior analyst, Security, Fraud & Compliance at Javelin Research. “If a clear linkage can be established in any single case, that will help to sharpen the security industry’s set of solutions for mitigating identity fraud, which today is a series of blunt tools at best,” Wills observes.

Nixon sees more trouble ahead for businesses like Lexis-Nexis and consumers with data breaches. “Unless our federal lawmakers enact legislation to require all entities to regularly notify individuals or companies that information which when combined with other data can be used against them, data theft will most certainly continue to rise and even more rapidly escalate as various personal data is required to be filed electronically as a cost saving feature,” he says.

Everyone must become more aware of the danger that small bits of information collected over time can eventually add up to a significant threat. “Financial institutions that have a customer relationship with clients are bound by the Gramm-Leach-Bliley Act to provide an annual notice to clients to opt out of sharing information,” Nixon notes.

He also points out that the Fair Accurate Credit Transactions Act of 2003 (FACTA) requires every entity that exchanges information with a credit agency to provide the same opt out notices. “FACTA requires this because the government realized that even verification of a potential employee’s past salary structure and even addresses of where those potential employees had previously worked, was required to be elevated to the same level of financial information since the non-financial data was being combined in a credit agency database with highly sensitive financial data,” Nixon says.

In May, LexisNexis announced it is part of a separate investigation into alleged credit card fraud, perpetrated by former customers of the company, according to a company statement. That fraud occurred from June 2004 to October 2007. The U.S. Postal Inspection Service released a statement that said 40,000 letters will be sent to consumers and 300 victims have been identified in an investigation concerning the breach.

Category: Breach IncidentsBusiness SectorOf Note

Post navigation

← Bits ‘n Pieces
Sac City Bank employee pleads guilty →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.