The Customer Conundrum
In February, Leo Cronin, senior director of information security at LexisNexis, was in the middle of a tennis match when he got the call from McLaughlin, his boss. "Allan told me there were a couple of issues with Seisint, and I would have to go down to [Seisint headquarters in] Boca Raton to check it out," Cronin recalls. The database showing the anomalies was called Accurint, an information service specifically designed for government officials, financial institutions and law enforcement agencies that includes detailed personal and non-public information. Customers with access to Accurint are required to undergo a thorough vetting process before they are permitted to subscribe. And the fact that customers had billing questions about this specific database was of particular concern to LexisNexis.
For years, LexisNexis had been focused on shoring up security inside its own network. "We were very preoccupied with perimeter securityyou know, viruses and worms," Cronin says. "We were putting in network security architecture, intrusion and detection software, that kind of thing." What they weren't doing was worrying about how they could address their vulnerabilities on the edges of the networkand particularly, how they could make their customers more secure. They learned that lesson the hard way. "If you look at the network, it's clear that it's there to serve the applications, which are there to serve the customer," says Cronin. "So we need to treat that as an extension of the network."
But that network includes more than 4.5 million LexisNexis customers and business partners, a large chunk of which comes from one of the most technologically challenged industries in the world: government. Both local and federal government agencies are notoriously backward when it comes to technology in general. Indeed, the Government Accountability Office issued this scathing assessment of federal information security in July: "Pervasive weaknesses in the 24 major agencies' information security policies and practices threaten the integrity, confidentiality, and availability of federal information and information systems."
For evidence of that on the local level, look no further than Denton County, Tex., the probable point of origin for the Lexis-Nexis data theft. It was at a constable's office in this county of 500,000, in the north-central part of the state, that the unforgivable security sin of clicking on an unknown attachment took place. It can happen to anyone, of course, but it is clear that when it comes to sophisticated and targeted attacks of this nature, the Denton County constable's office is overmatched. "We continually try to educate people," says Kevin Carr, director of IS for Denton County. "And we have a fairly intelligent workforce. But it's real easy to send an e-mail that looks legitimate and get the information from anyone you want. Next thing you know, you've got a Trojan or a worm."
The Secret Service thought so highly of Denton County's information security that when they came to town to investigate, they didn't even bother to interview Carr. In fact, Carr was only vaguely aware of the LexisNexis data theft: "I've heard here and there about some things that happened around here," he said. And there are very few IT security resources for the likes of Denton County. The International Association of Chiefs of Police, a 20,000-member professional organization, admits that there is only so much they can do. "We make sure this stuff is part of education and training," says Matt Snyder, administrator of the IACP technology center. "But realistically, we are touching a small percentage of organizations. The small agency is always going to require additional assistance."
Compounding the monumental task of securing even the most clueless of customers, LexisNexis has an additional problem. It's one thing for a bank to encourage customers to protect against identity theft, because a bank's customers are the actual people at risk from identity theft. But in LexisNexis' case, its customers are not the same people whose names and identities are at risk. So its customers have little incentive to spend their own money and time fixing what amounts to a gaping security hole in LexisNexis' own network.
"The bottom line on privacy is that there is a big flaw in this business model," says Marc Rotenberg, executive director of the Electronic Privacy Information Center, a consumer advocacy group in Washington, D.C. "The customers of these data aggregation companies are not the ones that bear the risk. This industry needs to find a way to align the benefits of data collection and sale with the individuals whose personal information is being collected and sold."