Shostack + Friends Blog Archive


What's Wrong With Lexis-Nexis?

It seems that Lexis Nexis’s breach was because of bad passwords:

The incidents arose from the misappropriation by third parties of IDs and passwords from legitimate customers.

I don’t mean to be snide. No, that’s a lie. I do. It’s 2005. You’re making all this data available via a password? Are your auditors telling you that’s ok? E-Trade is giving RSA tokens to customers. AOL is making them available. AOL. AOL, which charges $24 a month. And then an extra $9.95 one-time fee for the token, and $1.95 a month for support.

That’s $1.95. As the ad says, “Less than the price of a cup of Starbucks coffee.”

Now, I don’t know what Lexis/Nexis charges for access to their services, but sentences like “RiskWise services are priced per transaction and is determined by transaction volume, data sources, integration and custom development” tend to cause me to think it may be a little more than $24 a month. I hate using words like negligence or culpability, or maintaining an attractive nuisance, but only because my lawyer friends tell me I keep messing up their meanings, and I know how annoyed I get when they mess up things like “mixing function” or “TCP encapsulation.”

2 comments on "What's Wrong With Lexis-Nexis?"

  • Lexis Nexis Breach

    As Adam had pointed out, the Lexis Nexis breach was due to “misappropriation by third parties of IDs and passwords from legitimate customers”. With Bruce Schneier blogging that ChoicePoint is saying “Please Regulate My Industry”, will there be a requwe…

  • Chris Walsh says:

    Note that a bad guy stealing a good guy’s ID and PW and using it can be indistinguishable from a bad guy obtaining an ID and PW and giving it to another bad guy who then uses it.
    In short, how does Lexis/Nexis know that they don’t have evildoers among their customers, who simply sold or gave away their credentials? I have no reason not to believe them, but given recent history I’d like to hear more about the evidence they have which tells them these credentials were stolen.

Comments are closed.