Linda McGlasson, Managing Editor at BankInfoSecurity.com, wrote this piece on the LexisNexis breach first reported by Robert McMillan of IDG News Service. It is reproduced from Information-Security-Resources.com:
Lexis-Nexis made public notification of a data breach that federal authorities say is tied to a New York mafia crime family.
The New York-based company has sent more than 13,000 letters to former customers whose personal data may be at risk. The 13,000 customers may have been targeted for extortion and identity theft.
Earlier in May, the U.S. Attorney General’s office in Southern District of Florida handed down an indictment charging 11 men with racketeering conspiracy.
The 11 had ties to the Bonnano organized crime family.
“The former Seisint customer involved in this matter should have provided notice to potentially affected individuals,” says a Lexis-Nexis representative (Seisint is a company owned by Lexis-Nexis). “However, because the customer is no longer in business, we provided the notice.”
The alleged suspect, Lee Klein, one of the 11 charged in the indictment, “was an employee of a former Seisint customer who misused his employer’s Accurint access. As such, we notified all individuals whose information could have been viewed in connection with the limited searches that law enforcement believed were unauthorized. We provided notice in accordance with the law because the customer was no longer in business,” the Lexis-Nexis representative says.
Accurint is used by law enforcement and other entities to verify identity and locate people. Lexis-Nexis says 13,329 letters were sent to individuals on behalf of Seisint’s former customer in connection with this investigation.
How it Happened
According to the indictment, Klein worked for the criminal “crew” of Thomas Fiore, an associate of the Bonanno organized crime family.
The indictment alleges that Klein illegally used “information obtained from computer databases in order to acquire identification information regarding potential victims of extortion” and people suspected by Fiore’s criminal organization of being involved with law enforcement.
Klein allegedly provided Fiore with “corporation names, addresses and account numbers to facilitate the manufacture and negotiation of counterfeit checks.”
In addition, the indictment alleges that members of the criminal crew used threats of force and violence, including conspiracy to commit murder, to advance the objectives of the enterprise.
Security Experts React to Mob Ties
“Although sensational in its headline ‘Mob Steals Data,’ we perhaps should focus on how the data was accessed and what was contained in the information,” says Information-Security-Resources.com Cyber-Security Editor and privacy expert Kevin Nixon, CISSP, CISM, CGEIT. “We are experiencing some most extraordinary events related to global businesses, economics and confidential information movement via the merger and acquisition of companies, networks, databases and entire systems.”
Analyst Nick Holland sees this case is indicative of the way that data breaches are becoming the work of organized crime syndicates, both overseas and domestically. “The relative ease with which sensitive data can be acquired by either high tech (malware) or low tech (placing a criminal within an organization) means makes it attractive for organized criminals that have the resources to execute such attacks,” says Holland, of the Aite Group.
The Bonanno crime family was making money from the sale of unauthorized identification documents (including social security numbers and health and life insurance applications). “If the mafia considers that selling sensitive information is a legitimate line of business, then clearly the days of just amateurs committing breaches are well behind us,” Holland observes.
The increased presence of organized crime in computer-related crime is troubling to say the least, says information security expert Avivah Litan, an analyst at the Gartner Group. “This is something I’ve been hearing from law enforcement and prosecutors for some time, that organized crime is becoming involved in identity theft. It’s not just the Russian mob or the new mafia that is becoming involved in this, it’s the old mafia too. Why? Because it is a much simpler crime, they can put down their guns and there’s no blood involved,” Litan notes.
One of the “old school” tactics that the organized crime figures use, says Litan, is going to the local watering holes and seducing young girls and finding out where they work. The mob’s tactic of dating new employees who work at companies that have access to customer data leads to Litan’s warning, “He’s not after your heart; he’s after your data.”
Not Just Stealing Data
The wide array of crimes listed in the indictment shows Litan that they’re not just stealing data. “The law enforcement and cybercrime experts are telling us that they’re involved in a wide variety of criminal activities. It’s not just identity theft; they’re doing all the bad stuff because they’re bad guys.”
The vast majority of data breaches involve sensitive information going missing, but not resulting in actual fraud, says Tom Wills, senior analyst, Security, Fraud & Compliance at Javelin Research. “If a clear linkage can be established in any single case, that will help to sharpen the security industry’s set of solutions for mitigating identity fraud, which today is a series of blunt tools at best,” Wills observes.
Nixon sees more trouble ahead for businesses like Lexis-Nexis and consumers with data breaches. “Unless our federal lawmakers enact legislation to require all entities to regularly notify individuals or companies that information which when combined with other data can be used against them, data theft will most certainly continue to rise and even more rapidly escalate as various personal data is required to be filed electronically as a cost saving feature,” he says.
Everyone must become more aware of the danger that small bits of information collected over time can eventually add up to a significant threat. “Financial institutions that have a customer relationship with clients are bound by the Gramm-Leach-Bliley Act to provide an annual notice to clients to opt out of sharing information,” Nixon notes.
He also points out that the Fair Accurate Credit Transactions Act of 2003 (FACTA) requires every entity that exchanges information with a credit agency to provide the same opt out notices. “FACTA requires this because the government realized that even verification of a potential employee’s past salary structure and even addresses of where those potential employees had previously worked, was required to be elevated to the same level of financial information since the non-financial data was being combined in a credit agency database with highly sensitive financial data,” Nixon says.
In May, LexisNexis announced it is part of a separate investigation into alleged credit card fraud, perpetrated by former customers of the company, according to a company statement. That fraud occurred from June 2004 to October 2007. The U.S. Postal Inspection Service released a statement that said 40,000 letters will be sent to consumers and 300 victims have been identified in an investigation concerning the breach.