Feeds

Right of Reply: LexisNexis

Response to our recent article on database breaches

  • alert
  • submit to reddit

The Power of One Brief: Top reasons to choose HP BladeSystem

It's official: ChoicePoint, LexisNexis rooted many times

Washington Correspondent Thomas Greene's recent story, "It's official: ChoicePoint, LexisNexis rooted many times" (April 13, 2005) alleges that LexisNexis "covered up" previous database breaches because there was as yet no law requiring that individuals be notified. The story contains a number of substantial inaccuracies and Mr. Greene's interpretation of the events seem designed to imply something sinister was afoot, rather than report the facts.

These facts are reflected in the written and oral testimony before U.S. Senate hearing mentioned in the story and contained in a public statement by Reed Elsevier, which is the parent company of LexisNexis and publicly listed. It's appropriate to set the record straight so that anyone who read the information in your report knows the truth.

First, "a cover up" cannot occur if a company is unaware of the very incidents it is alleged to have covered up. Nor is there a "cover up"; if the incidents discovered are announced publicly and voluntarily within a matter of weeks of identifying and confirming the events occurred.

On March 9, 2005, Reed Elsevier, announced that a review of our recently acquired Seisint unit revealed in February 2005 (not February 2004 as reported by Mr. Greene) some incidents of potentially fraudulent access to information about U.S. individuals. In response, LexisNexis notified approximately 30,000 individuals in March 2005 that their information may have been fraudulently accessed and the company is providing them with services, at no charge to them, to monitor for and prevent identity theft.

Also on March 9, Reed Elsevier publicly indicated LexisNexis was going to continue its review "to determine the extent of any other incidents" in Seisint business.

On April 11, LexisNexis and Reed Elsevier issued a statement that it had completed its review of search activity going back to January 2003. It had found that unauthorized persons, primarily using IDs and passwords of legitimate Seisint customers, may have acquired personal-identifying information of 280,000 individuals in the U.S. in other incidents over the prior two years. LexisNexis has begun notifying these individuals.

In my testimony I acknowledged some of these incidents pre-dated the California statute (which went into effect July 2003) reported in the story. Therefore, the information that Mr. Greene believes was "covered up" by LexisNexis at some point in the distant past was not in fact known by LexisNexis until the review of the last several weeks. LexisNexis acquired Seisint in September 2004.

Finally, Mr. Greene writes, "Unfortunately, when no California residents are affected by such an incident, the public has no guarantee that the truth will emerge." However, the record should reflect that LexisNexis indicated in March 2005 that we would notify individuals in all U.S. states even though there are no statutes requiring this.

It's difficult to see how Mr. Greene's interpretation of these events could possibly be correct or how he got so many things so wrong in his story. In fact, his false characterization of LexisNexis as dishonest is libelous per se.

Finally, let me add that though we have only recently purchased Seisint, as its new owners, we accept that it is our responsibility to address any questions about its security. We are doing so swiftly and decisively to prevent any future incidents.

The Register observes the Press Complaints Commission Code of Practice. If you want an opportunity for reply to inaccuracies, please contact Drew Cullen

Seven Steps to Software Security

More from The Register

next story
NSA man: 'Tell me about your Turkish connections'
Spooks ask Dabbsy to suggest a nice hotel with pool
Carlos: Slim your working week to just three days of toil
'Midas World' vision suggests you retire later, watch more tellie and buy more stuff
Motorist 'thought car had caught fire' as Adele track came on stereo
'FIRE' caption on dashboard prompts dunderheaded hard shoulder halt
Yahoo! Japan! launches! service! for! the! dead!
If you're reading this email, I am no longer alive
Plucky Rockall podule man back on (proper) dry land
Bold, barmy Brit adventurer Nick Hancock escapes North Atlantic islet
Russia sends SEX-CRAZED GECKOS to SPAAAAACE!
In space... no one can hear you're green...
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.