"I don't think I'm being paranoid. I think I'm being realistic," says Allan McLaughlin, senior vice president and CTO of LexisNexis Group, the New York City-based data aggregator. "But you can't be too careful anymore," he continues. "Worst-case scenario: There are vendors selling security products that, on the face, look strong, but are actually designed to be weak. They're made by somebody malicious, designed to weaken your security. It's like putting a screen door on a submarine. Before you know it, you're sunk. I'm not paranoid. The world has changed."
It would be easy to chalk up McLaughlin's high anxiety to one too many viewings of The Matrix. But his perspective on security is more informed than most. Just this past March, McLaughlin and his company experienced the sinking feeling of learning that the personal records (including names, Social Security numbers, and driver's license numbers) of 310,000 individuals had been stolen from the LexisNexis databases.
The discovery came just a month after the world had learned that LexisNexis' biggest competitor in the data-aggregation market, ChoicePoint Inc., had exposed the personal information of 145,000 people. Like ChoicePoint, LexisNexis collects all kinds of information on millions of individuals. The information, ranging from public data such as real estate records and published telephone numbers to nonpublic information such as Social Security numbers, financial data and criminal records, is used by everyone from direct marketers to law-enforcement agencies. Add to that LexisNexis' databases of legal filings, newspaper articles, and periodicals (for which it is better known), and you've got a healthy $2.1 billion information services business.
That's why LexisNexis has suddenly become a great big target for identity thieves and idle teen hackers alike. The kind of data it collects and sells is highly valuable, both to the black-market operators who promote identity theft by trafficking in personal information as well as to the company's 4.5 million legitimate customers.
Company: LexisNexis Group
Corporate Headquarters: New York City
CTO: Allan McLaughlin
Revenues: $2.1 billion (trailing 12 months)
Parent Company: Reed Elsevier
Unfortunately for LexisNexis, not all of those legitimate customers take security as seriously as McLaughlin does. And that provides an open invitation to the enterprising hacker. A full complement of a person's name, address and credit card number can fetch $100 on the Web. More detailed information is even more valuable. The Federal Trade Commission estimates that about ten million Americans have their personal information stolen each year, costing businesses a jaw-dropping $48 billion annually.
This particular saga began in February, when a group of young hackers sent out a blast of junk e-mail promising an attached file of pornographic images. According to published reports, someone in a police department in Port Orange, Fla., and someone in a constable's office in Denton County, Tex., took the bait.
By clicking on the link, the two victims downloaded key-logging software onto their computers that recorded every keystroke and every click of their mouse. And when they later logged into their LexisNexis accounts, which police use to obtain background information on criminal suspects, their passwords and user names were captured by the hackers.
McLaughlin was made aware of the activity weeks later, when one of the two police departments (he won't say which) noticed an unusual amount of activity on their account and contacted a sales rep. "They basically said, 'Gee, I don't remember running up this bill. Can you help me understand it?'" says McLaughlin. He was lucky the customer caught the mistake. "You'd be amazed at how many businesses don't look at their invoices," he adds.
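The breach surfaced only because one customer noticed an unusually large bill. A data provider does not have to wait for that: it can run the same check itself, per account, against its own access logs. The script below is an added illustration of that idea and is not LexisNexis' or Seisint's code. The log format, the account identifiers, the addresses and the thresholds are all assumptions, and the sample log is constructed for the example. It flags a day whose record volume is far above that account's own earlier days, and a session from a source address the account has never used before; both conditions match the pattern described above, where stolen police credentials were used from elsewhere to pull far more records than the department ever had.

```python
"""Per-account usage-anomaly check over constructed access-log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample access log (not real data): one line per search session
# with the account that ran it, the client address and the number of person
# records returned. PD-0417 is quiet for five days, then a new address pulls
# hundreds of records overnight; CO-1182 is a steady control account.
SAMPLE_LOG = """\
2005-01-03T09:12:44Z account=PD-0417 src=203.0.113.10 records=18
2005-01-04T10:02:13Z account=PD-0417 src=203.0.113.10 records=22
2005-01-05T08:47:01Z account=PD-0417 src=203.0.113.10 records=15
2005-01-06T14:20:37Z account=PD-0417 src=203.0.113.10 records=25
2005-01-07T11:05:09Z account=PD-0417 src=203.0.113.10 records=20
2005-01-08T02:31:55Z account=PD-0417 src=198.51.100.77 records=640
2005-01-08T03:12:40Z account=PD-0417 src=198.51.100.77 records=310
2005-01-03T09:30:00Z account=CO-1182 src=192.0.2.5 records=40
2005-01-04T09:31:00Z account=CO-1182 src=192.0.2.5 records=38
2005-01-05T09:29:00Z account=CO-1182 src=192.0.2.5 records=44
2005-01-06T09:33:00Z account=CO-1182 src=192.0.2.5 records=41
2005-01-07T09:28:00Z account=CO-1182 src=192.0.2.5 records=39
2005-01-08T09:30:00Z account=CO-1182 src=192.0.2.5 records=43
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": when,
            "day": when.date(),
            "account": kv["account"],
            "src": kv["src"],
            "records": int(kv["records"]),
        })
    return events


def daily_volume(events):
    """Sum the records returned per account per calendar day."""
    volume = defaultdict(lambda: defaultdict(int))
    for e in events:
        volume[e["account"]][e["day"]] += e["records"]
    return volume


def find_anomalies(events, min_history=3, factor=4.0, z=3.0):
    """Return (account, day, reason) tuples for two conditions:
    a day whose volume exceeds both `factor` times the account's mean of
    prior days and mean + z * stdev (once `min_history` days exist), and a
    session from a source address the account has not used before."""
    findings = []
    # Volume check: each day is compared only against that account's past.
    for account, per_day in daily_volume(events).items():
        history = []
        for day in sorted(per_day):
            v = per_day[day]
            if len(history) >= min_history:
                mu, sigma = mean(history), pstdev(history)
                if v > max(factor * mu, mu + z * sigma):
                    findings.append((account, day,
                                     f"volume {v} vs baseline mean {mu:.1f}"))
            history.append(v)
    # New-source check: the first address seen for an account is trusted,
    # any later address that has never been seen for that account is flagged.
    seen = defaultdict(set)
    for e in sorted(events, key=lambda e: e["ts"]):
        known = seen[e["account"]]
        if known and e["src"] not in known:
            findings.append((e["account"], e["day"],
                             f"new source address {e['src']}"))
        known.add(e["src"])
    return findings


if __name__ == "__main__":
    for account, day, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{day} {account}: {reason}")
```

On the sample log this reports PD-0417 on 2005-01-08 twice, once for 950 records against a baseline of about 20 per day and once for the unfamiliar address, and nothing for CO-1182. The baseline is per account rather than global because a large corporate customer's normal day would swamp a small police department's abnormal one; the `min_history` guard stops the first few days of a new account from tripping on an empty baseline.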
Kurt Sanford, CEO of U.S. corporate and federal markets at LexisNexis, was brought on the case immediately. Given the bad press ChoicePoint had received a month earlier for failing to notify people in a timely manner that their data had been compromised, Sanford took the bull by the horns: He called the Secret Service and the Federal Bureau of Investigation, notified the press, and began an internal investigation into a recently acquired subsidiary called Seisint Inc., which managed the database that had been breached. (LexisNexis itself is a division of Anglo-Dutch publisher Reed Elsevier.)
At first blush, it appeared that the fraudsters had made off with about 30,000 names. But after an exhaustive month-long search through the Seisint databases, LexisNexis found that ten times that number of names had been stolen, in 59 separate incidents, over a two-year period. LexisNexis issued another press release, began notifying the people whose personal data had been taken, and launched a public relations effort in hopes of mitigating the damage to its image.
But the real work had only begun. The hardest lesson learned by LexisNexis in the aftermath of the theft was that it isn't enough to protect your internal network. In our brave new networked world, companies must also take responsibility for the security of their customers and business partners, as either can provide a point of entry for an eager hacker. "I mean, nothing against the customers. They all do really good things," says McLaughlin. "But it's naïve to think you can trust the security of your customers' environments."
LexisNexis has embarked on an aggressive campaign to tighten up customer security. But it is an effort that does not always align itself with the business goals of the company. And there is a limit to how much LexisNexis can ask of its customers and still expect their continued patronage. "We have been thinking a lot about that," says Tammy Wright, vice president of sales operations at LexisNexis. "It's a line that hasn't been tested yet in our industry."