Up to 10 times as many people as originally thought may have had their profiles stolen from a LexisNexis database in the United States, publisher and data broker Reed Elsevier Group PLC said today.
LONDON — Up to 10 times as many people as originally thought may have had their profiles stolen from a LexisNexis database in the United States, publisher and data broker Reed Elsevier Group PLC said today.
The company reported last month that criminals may have accessed personal details of 32,000 people via a breach of LexisNexis’ recently acquired Seisint unit. It now says that figure is closer to 310,000 people.
Reed said it had identified 59 incidents since January 2003 in which unauthorized persons, predominantly using IDs and passwords of legitimate Seisint customers, may have fraudulently acquired personal identifying information on those thousands of people.
Information accessed included names, addresses, Social Security and driver license numbers, but not credit history, medical records or financial information, the company said.
Reed spokesman Patrick Kerr said the company uncovered the first batch of breaches during a review and integration of Seisint’s systems shortly after it purchased the Boca Raton, Florida-based unit for $775 million in August.
“That’s when this situation started becoming obvious,” Kerr said.
Seisint, which provides data for Matrix, a crime and terrorism database project funded by the U.S. government that has raised concerns among civil liberties groups — stores millions of personal records including individuals’ addresses and Social Security numbers. Customers include police and legal professionals and public and private sector organizations.
The company said the 59 identified incidents — 57 at Seisint and two in other LexisNexis units — largely related to the misappropriation by third parties of IDs and passwords of legitimate customers and stressed that neither LexisNexis nor the Seisint technology infrastructure was breached by hackers.
Kerr said that only 2 percent of the 32,000 people it notified about the possible theft of their personal information in March have contacted LexisNexis to accept its offer of free credit reports and credit monitoring, and none has so far advised LexisNexis that they have experienced any form of identity theft.
“We are not being complacent, we know there’s still work to do but this so far is encouraging,” Kerr said.
He added that the company has since ensured that the system is “watertight” by improving login systems and security checks.
Reed said it has now concluded its own inquiry into the breaches, but U.S. law enforcement authorities are continuing their investigation.
“That will hopefully throw up answers to the questions that people have about who did this and how,” said Kerr.
The company played down the impact of the security breach on its profits, reaffirming its target of higher earnings and at least 5 percent growth in revenues excluding acquisitions.
The breach at Seisint is the second of its kind at a major information provider in recent months. Rival data broker ChoicePoint Inc. announced last month that the personal information of 145,000 Americans may have been compromised in a breach in which thieves posing as small business customers gained access to its database.
In the ChoicePoint scam, at least 750 people were defrauded, authorities say. The incident in the United States fueled consumer advocates’ calls for federal oversight of the loosely regulated data-brokering business, and Capitol Hill hearings on the topic were held last month and are continuing this week.
Reed Elsevier specializes in the education, legal and science sectors, publishing more than 10,000 journals, books and compact discs, as well as almost 3,000 Web sites and portals. It also organizes 430 trade exhibitions.
Reed shares fell 1.2 percent to $9.97 on the London Stock Exchange.