ZIFFPAGE TITLEThe Customer Conundrum

By CIOinsight  |  Posted 09-05-2005

Lexis-Nexis: Ground Zero for War vs. Data Thieves

I don't think I'm being paranoid. I think I'm being realistic," says Allan McLaughlin, senior vice president and CTO of LexisNexis Group, the New York City-based data aggregator. "But you can't be too careful anymore," he continues. "Worst-case scenario: There are vendors selling security products that, on the face, look strong, but are actually designed to be weak. They're made by somebody malicious, designed to weaken your security. It's like putting a screen door on a submarine. Before you know it, you're sunk. I'm not paranoid. The world has changed."

It would be easy to chalk up McLaughlin's high anxiety to one too many viewings of The Matrix. But his perspective on security is more informed than most. Just this past March, McLaughlin, and his company, experienced the sinking feeling of learning that the personal records—including names, Social Security numbers, and driver's license numbers—of 310,000 individuals had been stolen from the LexisNexis databases.

The discovery came just a month after the world had learned that LexisNexis' biggest competitor in the data-aggregation market, ChoicePoint Inc., had compromised the personal information of 145,000 people. Like ChoicePoint, LexisNexis collects all kinds of information on millions of individuals. The information—ranging from public data such as

real estate records and published telephone numbers to nonpublic information such as Social Security numbers, financial data and criminal records—is used by everyone from direct marketers to law-enforcement agencies. Add to that LexisNexis' databases of legal filings, newspapers articles, and periodicals (for which it is better known), and you've got a healthy $2.1 billion information services business.

That's why LexisNexis has suddenly become a great big target for identity thieves and idle teen hackers alike. The kind of data it collects and sells is highly valuable, both to the black-market operators who promote identity theft by trafficking in personal information as well as to the company's 4.5 million legitimate customers.

COMPANY PROFILE
Company: LexisNexis Group

Corporate Headquarters: New York City

CTO: Allan McLaughlin

Revenues: $2.1 billion (trailing 12 months)

Parent Company: Reed Elsevier

Unfortunately for LexisNexis, not all of those legitimate customers take security as seriously as McLaughlin does. And that provides an open invitation to the enterprising hacker. A full complement of a person's name, address and credit card number can fetch $100 on the Web. More detailed information is even more valuable. The Federal Trade Commission estimates that about ten million Americans have their personal information stolen each year, costing businesses a jaw-dropping $48 billion annually.

This particular saga began in February, when a group of young hackers sent out a blast of junk e-mail promising an attached file of pornographic images. According to published reports, someone in a police department in Port Orange, Fla., and someone in a constable's office in Denton County, Tex., took the bait.

By clicking on the link, the two victims downloaded key-logging software onto their computers that recorded every keystroke and every click of their mouse. And when they later logged into their LexisNexis accounts, which police use to obtain background information on criminal suspects, their passwords and user names were captured by the hackers.

McLaughlin was made aware of the activity weeks later, when one of the two police departments (he won't say which) noticed an unusual amount of activity on their account and contacted a sales rep. "They basically said, 'Gee, I don't remember running up this bill. Can you help me understand it?'" says McLaughlin. He was lucky the customer caught the mistake. "You'd be amazed at how many businesses don't look at their invoices," he adds.

Kurt Sanford, CEO of U.S. corporate and federal markets at LexisNexis, was brought on the case immediately. Given the bad press ChoicePoint had received a month earlier for failing to notify people in a timely manner that their data had been compromised, Sanford took the bull by the horns: He called the Secret Service and the Federal Bureau of Investigation, notified the press, and began an internal investigation into a recently acquired subsidiary called Seisint Inc., which managed the database that had been breached. (LexisNexis itself is a division of Anglo-Dutch publisher Reed Elsevier.)

At first blush, it appeared that the fraudsters had made off with about 30,000 names. But after an exhaustive month-long search through the Seisint databases, LexisNexis found that ten times that number of names had been stolen, in 59 separate incidents, over a two-year period. LexisNexis issued another press release, began notifying the people whose personal data had been taken, and launched a public relations effort in hopes of mitigating the damage to its image.

But the real work had only begun. The hardest lesson learned by LexisNexis in the aftermath of the theft was that it isn't enough to protect your internal network. In our brave new networked world, companies must also take responsibility for the security of their customers and business partners, as either can provide a point of entry for an eager hacker. "I mean, nothing against the customers. They all do really good things," says McLaughlin. "But it's naïve to think you can trust the security of your customers' environments."

LexisNexis has embarked on an aggressive campaign to tighten up customer security. But it is an effort that does not always align itself with the business goals of the company. And there is a limit to how much LexisNexis can ask of its customers and still expect their continued patronage. "We have been thinking a lot about that," says Tammy Wright, vice president of sales operations at LexisNexis. "It's a line that hasn't been tested yet in our industry."

ZIFFPAGE TITLEThe Customer Conundrum

The Customer Conundrum

In February, Leo Cronin, senior director of information security at LexisNexis, was in the middle of a tennis match when he got the call from McLaughlin, his boss. "Allan told me there were a couple of issues with Seisint, and I would have to go down to [Seisint headquarters in] Boca Raton to check it out," Cronin recalls. The database showing the anomalies was called Accurint, an information service specifically designed for government officials, financial institutions and law enforcement agencies that includes detailed personal and non-public information. Customers with access to Accurint are required to undergo a thorough vetting process before they are permitted to subscribe. And the fact that customers had billing questions about this specific database was of particular concern to LexisNexis.

For years, LexisNexis had been focused on shoring up security inside its own network. "We were very preoccupied with perimeter security—you know, viruses and worms," Cronin says. "We were putting in network security architecture, intrusion and detection software, that kind of thing." What they weren't doing was worrying about how they could address their vulnerabilities on the edges of the network—and particularly, how they could make their customers more secure. They learned that lesson the hard way. "If you look at the network, it's clear that it's there to serve the applications, which are there to serve the customer," says Cronin. "So we need to treat that as an extension of the network."

But that network includes more than 4.5 million LexisNexis customers and business partners, a large chunk of which comes from one of the most technologically challenged industries in the world: government. Both local and federal government agencies are notoriously backward when it comes to technology in general. Indeed, the Government Accountability Office issued this scathing assessment of federal information security in July: "Pervasive weaknesses in the 24 major agencies' information security policies and practices threaten the integrity, confidentiality, and availability of federal information and information systems."

For evidence of that on the local level, look no further than Denton County, Tex., the probable point of origin for the Lexis-Nexis data theft. It was at a constable's office in this county of 500,000, in the north-central part of the state, that the unforgivable security sin of clicking on an unknown attachment took place. It can happen to anyone, of course, but it is clear that when it comes to sophisticated and targeted attacks of this nature, the Denton County constable's office is overmatched. "We continually try to educate people," says Kevin Carr, director of IS for Denton County. "And we have a fairly intelligent workforce. But it's real easy to send an e-mail that looks legitimate and get the information from anyone you want. Next thing you know, you've got a Trojan or a worm."

The Secret Service thought so highly of Denton County's information security that when they came to town to investigate, they didn't even bother to interview Carr. In fact, Carr was only vaguely aware of the LexisNexis data theft: "I've heard here and there about some things that happened around here," he said. And there are very few IT security resources for the likes of Denton County. The International Association of Chiefs of Police, a 20,000-member professional organization, admits that there is only so much they can do. "We make sure this stuff is part of education and training," says Matt Snyder, administrator of the IACP technology center. "But realistically, we are touching a small percentage of organizations. The small agency is always going to require additional assistance."

Compounding the monumental task of securing even the most clueless of customers, LexisNexis has an additional problem. It's one thing for a bank to encourage customers to protect against identity theft, because a bank's customers are the actual people at risk from identity theft. But in LexisNexis' case, its customers are not the same people whose names and identities are at risk. So its customers have little incentive to spend their own money and time fixing what amounts to a gaping security hole in LexisNexis' own network.

"The bottom line on privacy is that there is a big flaw in this business model," says Marc Rotenberg, executive director of the Electronic Privacy Information Center, a consumer advocacy group in Washington, D.C. "The customers of these data aggregation companies are not the ones that bear the risk. This industry needs to find a way to align the benefits of data collection and sale with the individuals whose personal information is being collected and sold."

ZIFFPAGE TITLEThe Plan

The Plan

In April, shortly after the news of the data theft became public, CEO Kurt Sanford was called before Congress to testify on securing personal data. He told the Senate Judiciary Committee that LexisNexis had provided a consolidated credit report and credit monitoring services to the people whose names were stolen from the Accurint database. They are also offering credit counselors and $20,000 worth of identity theft insurance to anyone who ultimately becomes a victim of fraud as a result of the theft. "We have learned a great deal," Sanford told Congress.

Less than a month after the theft took place, the company rolled out a new initiative called the LexisNexis Customer Security Program. The program is designed to push more of the burden for the security of LexisNexis' information out to its customers. It consists of four relatively simple changes: stronger log-in requirements, monthly user verification, IP address restriction (allowing access from predesignated IP addresses only), and restricted access to full Social Security numbers and driver's license information. (See "Four-and-a-Half Million Fingers," page 48.)

Some of the changes are mandatory for all LexisNexis customers, while others, such as IP address restriction, are voluntary. Some are already in place. Others roll out later this year. For the most part, the impact on customers has been minimal. (This magazine, which uses the LexisNexis newspaper and periodical database, was asked to change its password and to add a security question and answer as part of the effort. It took less than five minutes to complete the change.) "We want to make it as painless as possible," says Wright. "Security hasn't always been this big a part of the job, but once it crossed the line outside of our walls and to our customers, that's when I got involved."

Many of LexisNexis' customers are already well aware of the threat of identity theft, either through the constant media coverage the topic receives, or because of the nature of their businesses. Ron Morano is a collections strategist at Creditor's Interchange Inc., a third-party collection agency based in Buffalo, N.Y. He uses LexisNexis to get phone numbers, home addresses and mortgage information on people who are behind on their loan payments, and he often finds himself trying to collect on accounts that are overdue because their owners have been the victims of identity theft. "I'm more than aware of it," Morano says.

But even with his intimate knowledge of identity theft, Morano still finds the additional security to be a nuisance. "We've limited our Accurint searches to one IP address, and that disables access from any other computer," he explains. "It has become more of an inconvenience."

Wright downplays the effects of asking customers to tighten security on LexisNexis' behalf. "A lot of our customers are already required to do this stuff because of the regulated industries they're in," she says. "The majority of our customers are delighted, and some have even gone to great lengths on their own." LexisNexis is even considering helping them take the next step. The company is currently working with antivirus and antispyware companies to potentially provide some kind of bulk discount to its customers. An effort of this kind would not cost LexisNexis a great deal of money, says Cronin, given the eagerness of software vendors to gain new business.

ZIFFPAGE TITLEAftershocks

Aftershocks

In late May, FBI and Secret Service agents served warrants at the homes of several hackers in Minneapolis, Winston-Salem, N.C., and elsewhere, seizing computers and disks they believe to be related to the LexisNexis case. According to a report in the Washington Post, the hackers gained access to the Accurint database, created a number of sub-accounts, looked up themselves, friends and celebrities, and then began selling Social Security numbers to data thieves. The investigation is ongoing, but one suspect told the newspaper that the Feds "got everybody."

Though the criminal investigation seems to be wrapping up, the shock waves from the break-in continue to reverberate throughout the LexisNexis ecosystem. "Have you seen what's happened to ChoicePoint's stock price?" asks Mark Marcon, a financial analyst with Milwaukee-based Robert W. Baird & Co., which downgraded ChoicePoint in June to neutral from outperform. ChoicePoint's stock lost more than a quarter of its value in the months following the disclosure of its security breach. Because LexisNexis is part of a much larger holding company, it's hard to say what effect the theft has had on investors.

Still, parent company Reed Elsevier's shares have been in steady decline since March. "These guys do a lot of business with the government, so it's important to have a good public image," says Marcon. "It's one of many factors that go into valuing a company."

Just ask John Perry, CEO of CardSystems Solutions, the credit card transaction processing company from whom 40 million credit card records were stolen in June. He told Congress that because of the security breach, his company faced "imminent extinction"—the result of its two biggest customers, Visa and American Express, having canceled their contracts with the Atlanta-based company. "CardSystems is being driven out of business," he said.

ZIFFPAGE TITLEHigh Profile

High Profile

Yet another negative side effect of a highly publicized data breach is that it significantly increases the size of the bull's-eye on LexisNexis. The media coverage has made more people aware of the company and the type of information it sells. "What keeps me up at night?" asks LexisNexis' Cronin. "This whole thing has raised the profile of the company, so we need to be even more vigilant now. People are trying to make us their little project."

The government has also taken notice. It's not every day that Kurt Sanford has the uncomfortable experience of testifying before Congress, defending an industry that has flown well beneath the radar and, thus far, been loosely regulated. But the heat is being turned up on ChoicePoint, LexisNexis and the data-aggregating industry in general. Privacy advocates are calling for wholesale changes to the personal information business. "I think, at the very least, their business model should require them to incorporate the risks as well as the benefits of collecting and selling personal data," says EPIC's Rotenberg, who believes that companies such as LexisNexis need to be legally and financially responsible for the loss of personal data. "It's like a car company saying they can sell automobiles and not worry about whether the brakes work."

The argument against tight regulation of data aggregators is less convincing. Critics of federal intervention believe that the flow of personal information is the lifeblood of the free-market economy, and that to restrict the flow could severely inhibit the ability to approve credit and market products effectively. "Regulation is always good at protecting people's privacy," says LexisNexis' Wright. "But individual consumer transactions fuel our economy." Yet as the public clamor over identity theft rises, it's becoming increasingly likely that heavier regulation is in LexisNexis' future.

On the positive side, it has been easier for CTO McLaughlin to get budget approval of new security spending. He won't say just how much the data theft has cost the company thus far, "but it's not cheap." In talking with him, you can't help but get the feeling that no matter how much he spends on security, it will never be enough. "You can't ever stop," he says. "Whether you like it or not, you have to spend more money to try to stay one step closer. Because it's impossible to stay one step ahead."