
LexisNexis in the Security Hot Seat

Jun 1, 2006

In April 2005, Leo Cronin, chief information security officer of data provider LexisNexis Group, got the kind of news that every manager in his position dreads: Personal records for 310,000 individuals had been stolen from the company’s databases in 59 separate incidents.
Even bigger data thefts have hit the headlines since then, including the loss of data on 26 million U.S. veterans last month.

Nevertheless, for LexisNexis, a $2.7 billion subsidiary of publishing company Reed Elsevier that provides specialized legal and business data to customers, the compromise was a potentially serious blow. Cronin, 47, says the company has taken specific steps to minimize the risk of the company’s data being pilfered again.

And like other security professionals, Cronin says that what’s needed is a “defense-in-depth” strategy, an industry term that refers to applying security measures ubiquitously across the computing infrastructure.

One key layer for LexisNexis: its $2 million project to deploy intrusion prevention system (IPS) appliances, which not only detect network attacks but are designed to automatically neutralize them.

What lessons did you learn from having data on 310,000 individuals stolen?

The big message we took away is that we absolutely have to be concerned about our customers’ environments when it comes to accessing our services. Providing a fortress around LexisNexis and making sure nobody can spearhead an attack against our data center—that’s one thing. But the fact that someone could go in and manipulate a customer’s environment to steal [a password and user ID] … to get access to our service is an issue we need to absolutely worry about.

And we are doing a lot of things within Lexis to lock that down, for example, by restricting where certain customer user IDs can be used from on the Internet. We are looking very hard at two-factor authentication systems [which require both a password and a specialized hardware device to log on to a network], very much like what banks are doing.

What’s a typical misconception businesspeople have about data security?

The assumption that it’s there—that when I go out and hook my computer up to the Internet, somehow someone was thinking about safety. When in reality, where we’ve come from, is that nobody was thinking of safety. Microsoft was thinking about selling more Windows operating systems. The [telecommunications] carriers were interested in getting people on the Internet. And at the end of the day, I don’t think anyone was really thinking about the safety aspect of it.

Read the full story on eWEEK.com: LexisNexis in the Security Hot Seat
