Right of Reply: LexisNexis

Response to our recent article on database breaches


It's official: ChoicePoint, LexisNexis rooted many times

Washington Correspondent Thomas Greene's recent story, "It's official: ChoicePoint, LexisNexis rooted many times" (April 13, 2005) alleges that LexisNexis "covered up" previous database breaches because there was as yet no law requiring that individuals be notified. The story contains a number of substantial inaccuracies and Mr. Greene's interpretation of the events seem designed to imply something sinister was afoot, rather than report the facts.

These facts are reflected in the written and oral testimony before U.S. Senate hearing mentioned in the story and contained in a public statement by Reed Elsevier, which is the parent company of LexisNexis and publicly listed. It's appropriate to set the record straight so that anyone who read the information in your report knows the truth.

First, "a cover up" cannot occur if a company is unaware of the very incidents it is alleged to have covered up. Nor is there a "cover up"; if the incidents discovered are announced publicly and voluntarily within a matter of weeks of identifying and confirming the events occurred.

On March 9, 2005, Reed Elsevier, announced that a review of our recently acquired Seisint unit revealed in February 2005 (not February 2004 as reported by Mr. Greene) some incidents of potentially fraudulent access to information about U.S. individuals. In response, LexisNexis notified approximately 30,000 individuals in March 2005 that their information may have been fraudulently accessed and the company is providing them with services, at no charge to them, to monitor for and prevent identity theft.

Also on March 9, Reed Elsevier publicly indicated LexisNexis was going to continue its review "to determine the extent of any other incidents" in Seisint business.

On April 11, LexisNexis and Reed Elsevier issued a statement that it had completed its review of search activity going back to January 2003. It had found that unauthorized persons, primarily using IDs and passwords of legitimate Seisint customers, may have acquired personal-identifying information of 280,000 individuals in the U.S. in other incidents over the prior two years. LexisNexis has begun notifying these individuals.

In my testimony I acknowledged some of these incidents pre-dated the California statute (which went into effect July 2003) reported in the story. Therefore, the information that Mr. Greene believes was "covered up" by LexisNexis at some point in the distant past was not in fact known by LexisNexis until the review of the last several weeks. LexisNexis acquired Seisint in September 2004.

Finally, Mr. Greene writes, "Unfortunately, when no California residents are affected by such an incident, the public has no guarantee that the truth will emerge." However, the record should reflect that LexisNexis indicated in March 2005 that we would notify individuals in all U.S. states even though there are no statutes requiring this.

It's difficult to see how Mr. Greene's interpretation of these events could possibly be correct or how he got so many things so wrong in his story. In fact, his false characterization of LexisNexis as dishonest is libelous per se.

Finally, let me add that though we have only recently purchased Seisint, as its new owners, we accept that it is our responsibility to address any questions about its security. We are doing so swiftly and decisively to prevent any future incidents.

The Register observes the Press Complaints Commission Code of Practice. If you want an opportunity for reply to inaccuracies, please contact Drew Cullen


Other stories you might like

  • US won’t prosecute ‘good faith’ security researchers under CFAA
    Well, that clears things up? Maybe not.

    The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

    Good-faith, according to the policy [PDF], means using a computer "solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability."

    Additionally, this activity must be "carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

    Continue reading
  • Intel plans immersion lab to chill its power-hungry chips
    AI chips are sucking down 600W+ and the solution could be to drown them.

    Intel this week unveiled a $700 million sustainability initiative to try innovative liquid and immersion cooling technologies to the datacenter.

    The project will see Intel construct a 200,000-square-foot "mega lab" approximately 20 miles west of Portland at its Hillsboro campus, where the chipmaker will qualify, test, and demo its expansive — and power hungry — datacenter portfolio using a variety of cooling tech.

    Alongside the lab, the x86 giant unveiled an open reference design for immersion cooling systems for its chips that is being developed by Intel Taiwan. The chip giant is hoping to bring other Taiwanese manufacturers into the fold and it'll then be rolled out globally.

    Continue reading
  • US recovers a record $15m from the 3ve ad-fraud crew
    Swiss banks cough up around half of the proceeds of crime

    The US government has recovered over $15 million in proceeds from the 3ve digital advertising fraud operation that cost businesses more than $29 million for ads that were never viewed.

    "This forfeiture is the largest international cybercrime recovery in the history of the Eastern District of New York," US Attorney Breon Peace said in a statement

    The action, Peace added, "sends a powerful message to those involved in cyber fraud that there are no boundaries to prosecuting these bad actors and locating their ill-gotten assets wherever they are in the world."

    Continue reading

Biting the hand that feeds IT © 1998–2022