ID Thieves Break Into LexisNexis DatabaseID Thieves Break Into LexisNexis Database

Using passwords and identifications from legitimate customers, thieves broke into databases owned by information company LexisNexis and stole personal information on about 32,000 U.S. citizens, the company's corporate parent said Wednesday.

The incident was the second breach of personal data announced in the last month by a major data broker. ChoicePoint Inc. in February said scam artists had tricked the Alpharetta, Ga., company into handing over 145,000 records containing Social Security numbers and other personal information on people in 50 states.

In the LexisNexis case, the names, addresses and Social Security and drivers' license numbers of 32,000 individuals were stolen from the company's recently acquired Seisint unit, Anglo-Dutch publishing company Reed Elsevier Group PLC said in a statement. LexisNexis officials were assisting U.S. law enforcement officials in investigating the incident.

"LexisNexis very much regrets this and will take actions to enhance security to enable it to maintain its position as an industry leader in the responsible use of data and the protection of individual privacy," Reed Elsevier said.

Boca Raton, Fla.-based Seisint, which Reed Elsevier bought last year for $775 million, provides information used in recovering debts, detecting fraud, verifying identities and screening job applicants. The company also supplies data to Matrix, a U.S. government-funded crime and terrorism database project.

The corporate parent said the break in arose from the "misappropriation by third parties of IDs and passwords from legitimate customers." Reed Elsevier officials were not available for further comment.

The LexisNexis breach prompted some security experts to reiterate support for federal legislation that would regulate security for data brokers. Very few regulations exist today. California, for example, is the only state that requires companies to notify potential victims when security breaches compromise consumers' personal data.

"If this doesn't wake up Congress, I don't know what will," Avivah Litan, analyst for Gartner Inc., said. "It's critical that legislation is enacted to protect consumers from identity theft in the future. This data is so loosely guarded that there's too many ways crooks can get access."

Litan said data brokers have placed more importance on selling information and making it easily accessible to customers than in protecting the data from criminals. Much of the information gathered on consumers is taken without their knowledge from public sources.

"The only incentive (to protect data) is a big stick," Litan said. "We need multimillion-dollar penalties. These companies need to be shaken up."

LexisNexis has taken, or plans to take, additional steps to beef up security, Reed Elsevier said. Those actions include enhancing ID and password administration procedures and requirements for customers, dedicating additional resources to protect consumer privacy, and working with law enforcement on new practices and techniques for thwarting criminal activities.

LexisNexis, based in Dayton, Ohio, provides legal, news, public records and business information, including tax and regulatory publications.

The financial implications from the break-in are expected to be "manageable" for LexisNexis, Reed Elsevier said. The outlook for Seisint and the LexisNexis risk management business remained "very positive," with 2005 and longer-term financial targets of at least 5 percent revenue growth and double-digit adjusted earnings per share growth at constant rates of exchange.

Reed Elsevier shares fell more than 2 percent, or 93 cents, on the New York Stock Exchange Wednesday to $41.62.

In the ChoicePoint case, law enforcement officials have identified at least 750 consumers nationwide who have found that some attempt has been made to compromise their identities, as a result of the theft last fall. The case has angered consumer advocate groups and has drawn the attention of federal lawmakers who have scheduled hearings on security in the data-brokering business.

ChoicePoint provides personal and financial data on consumers mostly to businesses, government agencies, nonprofit organizations, law enforcement, insurance companies and financial institutions. The company has about 19 billion public records in its databases, covering nearly every U.S. citizen.