Stolen customer passwords leads to theft of 32,000 records at LexisNexis

Incident Date: March 9 2005
Incident Location: Dayton OH USA

Stolen passwords once again injured consumers when criminals used them to steal thousands of confidential records. Reed Elsevierís announced on March 9, 2005 that their recently acquired Seisint business, now part of the LexisNexis division, fell victim to the fraud when customer passwords fell into the wrong hands.

As a commercial service, LexisNexis allows customers to access their extensive database and retrieve information on U.S. individuals. This included the names, home addresses, social security numbers, and driversí license numbers of these individuals. However, no financial or medical information was stored in this particular database at the time.

Initially believing that the crime only affected 32,000 individuals, LexisNexis eventually admitted that information on approximately 300,000 individuals had been fraudulently accessed. The attack became possible when computers at two separate LexisNexis customers were infected with a worm that included keystroke logging software. Criminals then used the captured user accounts and passwords of these legitimate customers to access the data service.

The incidents were brought to the attention of LexisNexis when one of the organizations complained about being billed for the extensive unauthorized database searches. LexisNexis launched their own investigation and eventually informed law enforcement personnel.

People affected by the crime were being notified and offered free ongoing credit monitoring services at the expense of LexisNexis.

LexisNexis quickly pledged to implement new defenses to combat this type of attack in the future. These defenses came in the form of tougher minimum password standards, an invalid password lockout threshold, and account lockout after 90 days of inactivity. In addition, LexisNexis plans to monitor account usage behavior in an attempt to detect and limit possible fraud.

At the time of this incident a LexisNexisís privacy bulletin promised "To prevent unauthorized access ... we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online."

Story Sources

Title: LexisNexis investigates compromised customer IDs and passwords to Seisint US consumer data
Date: 3/9/2005
Publication: Press Release
Publication Location: Dayton OH USA
Publication URL:

Title: Surviving a data disaster: Lexis-Nexis' Leo Cronin
Author: Michael S. Mimoso
Date: 4/14/2006
Publication Location: USA
Publication URL:,289142,sid14_gci1180407,00.html?track=NL-102&ad=548026

Do you have additional information to contribute regarding this story? If so, please email with the details and source.

<-- Back to Authentication Story Index

[Home] [About Us] [News] [Research]

Copyright © 2016