Shostack + Friends Blog Archive


LexisNexis, Tenfold

LexisNexis is saying that they understated the number of victims in last month’s incident. It is not 32,000, but 310,000. Kudos to them for stepping up and admitting to it. It’s the right thing both ethically and strategically.

Reed spokesman Patrick Kerr said that the first batch of breaches was uncovered by Reed during a review and integration of Seisint’s systems shortly after it purchased the Boca Raton, Florida-based unit for US$775 million (euro580 million) in August.

“That’s when this situation started becoming obvious,” Kerr said.

The company said that the 59 identified incidents — 57 at Seisint and two in other LexisNexis units — largely related to the misappropriation by third parties of IDs and passwords of legitimate customers and stressed that neither LexisNexis nor the Seisint technology infrastructure was breached by hackers.

Kerr said that only 2 percent of the 32,000 people it notified about the possible theft of their personal information in March have contacted LexisNexis to accept its offer of free credit reports and credit monitoring, and none has so far advised LexisNexis that they have experienced any form of identity theft.

That’s interesting. I wonder why people aren’t taking the free monitoring service? Maybe they’re offended by the amount of data that the monitoring services ask for? Worried that they won’t keep it safe? (If these services trusted their own data and marketing, couldn’t they simply send monitoring notes to the address they have?)

[Update2: Red Herring has some good analysis, including quotes from…me! and … The New York Times, Slashdot, CNN, and Bloomberg are now covering this.]