Shostack + Friends Blog Archive


59 breaches at Lexis-Nexis

[T]he company said just 2% of those informed by the company in March of the security breach had accepted its offer of free credit monitoring and none had reported identity theft. All the others will also be offered the services, it said.

(From CNN, or see the statement here.)

So, let’s review. A slew of people are trolling Lexis-Nexis’ databases. They’re not stealing identities. So what are they doing?

One thing that springs to mind is that Lexis-Nexis is providing the back end data for CAPPS-II, Secure Flight, and probably ‘Trusted Traveller.’ (No Place To Hide, p. 225.) So if a terrorist got hold of this data, then they might have 5,200 or so names, addresses, social security numbers, and everything else needed to impersonate people so that they’d be seen as ‘clean’ by Secure Flight. That could be worth a lot more than the few tens of thousands of dollars you might steal.

Before the biometric cheerleading squad jumps out, please remember that we don’t know if any of those 59 accounts that were used had update or correction privileges in the database.