Using stolen passwords from legitimate customers, intruders accessed personal information on as many as 32,000 U.S. citizens in a database owned by the information broker LexisNexis, the company said.
The announcement Wednesday comes on the heels of a series of similar high-profile breaches, the most serious affecting another large data broker, ChoicePoint Inc. in which scores of identities were stolen.
The ChoicePoint case, as well as other data losses including one affecting some 1.2 million federal employees with Bank of America charge cards, have prompted an outcry for federal oversight of a loosely regulated commercial sector. In the data-brokering business, sensitive data about nearly every adult American is bought and sold.
The first in a series of Capitol Hill hearings are scheduled for Thursday.
At LexisNexis, criminals found a way to compromise the log-ins and passwords of a handful of legitimate customers to get access to the database, said Kurt Sanford, the company’s chief executive, told The Associated Press.
The FBI and the Secret Service are both investigating the breach.
The database that was compromised, called Accurint, sells reports for $4.50 each that include an individual’s Social Security number, past addresses, date of birth and voter registration information, including party affiliation.
No credit history, medical records or financial information were accessed in the breach, LexisNexis parent company Reed Elsevier Group PLC said in a statement.
FBI, Secret Service investigating
The Accurint database is part of the Seisint unit, which LexisNexis bought in August. Sanford said a team examining Seisint’s data security routines in February noticed abnormal usage patterns and suspicious billing on some accounts.
He said the team told superiors, who notified law enforcement. Both internal and external investigations continue, he said.
“What we’re doing now is trying to act as quickly and responsibly as possible to lend a helping hand to consumers who might have been adversely impacted by these incidents,” Sanford said.
Sanford refused to name the law agencies involved, saying that could only compromise the investigation: “We are trying to catch the bad guys here.”
But the FBI and Secret Service confirmed they were investigating, though they declined to discuss whether any cases of identity theft have resulted from the breach or discuss any other specifics.
LexisNexis said it would be notifying affected customers in the coming days. It will provide them with ongoing credit monitoring “and other support to ensure that any identity theft that may result from these incidents is quickly detected and addressed,” it said. LexisNexis said it was also tightening up password and login procedures.
Boca Raton, Fla.-based Seisint stores millions of personal records, including information on bankruptcies, corporate affiliation, drivers licenses, neighbors and criminal records. Customers include police, lawyers and businesses.
LexisNexis paid $775 million for Seisint, which also provides data for Matrix, a crime and terrorism database project created in 2002 and funded by the U.S. government. Thirteen states originally were to participate but most later pulled out, citing citizen privacy and other concerns. Seisint was founded by a millionaire, Hank Asher, who stepped down from its board of directors last year after revelations of past ties to Bahamian drug smugglers.
Word of the Seisint breach follows the embarrassing disclosure Feb. 15 of a breach at rival data broker ChoicePoint Inc. that the company said involved as many as 145,000 Americans. In the scam, thieves posing as small business customers gained access to the company’s database and at least 750 people were defrauded, authorities say.
ChoicePoint’s vice president, Don McGuffey, is expected to testify Thursday at a Senate hearing on identity theft. The chairman of the Federal Trade Commission, a representative from the Secret Service and a Bank of America executive also are to appear before the Senate Banking, Housing and Urban Affairs Committee.
Sen. Bill Nelson, D-Fla., introduced legislation Wednesday that would impose tighter requirements on the industry. The ChoicePoint case only became known when the company heeded California law by notifying affected citizens of that state that their personal information had been compromised.
California is the only state with such a law.