I received a letter from LexisNexis today which said that “personally identifiable information about you may have been viewed by an individual who should not have had access to such information…”
The person? Yomi Jagunna, identity thief extraordinaire.
A minute later I’m on the phone with Lexis, restraining myself from asking “What the hell?”
Unlike the letter I received, the Lexis rep tells me that it was a former Lexis employee who was going around selling people’s information.1
Me: “Information like that? I don’t remember giving anything particularly sensitive information to Lexis…”
Rep: “I’ll transfer you to a 800-number that will give you more information.”
I’m transferred to the 800-number and get much closer to the “What the hell?” point.
Me: “So what information was ‘possibly’ shared?”
New Rep: “Well, LexisNexis is an information provider, so they search public records like car titles and…”
Me: “I know what Lexis is. What did these people have access to?”
New Rep: “Well, possibly your name, address…social security number…”
Me: “What what?”
New Rep: “Lexis provides this information for legitimate business purposes!”
Me: “What legitimate business purpose does a private company have in brokering my social security number when they can’t even keep it out of the hands of identity thieves?”
New Rep: “Uh…do you have any more questions sir?”
Me: “No thank you. Have a nice day.”
Fail. The breach apparently occured sometime between 2002 and 2008 – when I was in high school or undergrad – but the letter claims that the USAO did not allow Lexis to inform me about the potential identity theft until now.
The Justice Department’s press release on Jagunna’s guilty plea is here: Queens Man Admits Supplying Social Security Numbers to Fraud Ring (PDF).
MSNBC reported the story in 2005:
LexisNexis theft much worse than thought
The company reported last month that intruders may have accessed personal details of 32,000 people via a breach of its legal and business information service LexisNexis’ recently acquired Seisint unit. It now says that figure is closer to 310,000 people.
See also LexisNexis to limit access to personal data.
1 The news reports make it seem less likely that it was an actual Lexis employee. Maybe the rep got her facts confused?
Well, look on the bright side.
Can you believe there is a trusted site, that is requiring people to use this company to verify credentials and identity, for people to continue to use the site.
I wonder how much they pay for affiliate programs, if this site is selling off their ‘money maker’s personal information… it must be good. Except for the people who make the site’s money.
I would have been contacting 30 lawyers if that stuff happened to me. Besides, how can a company who deals with people’s personal information… not be on a secure server?