Operators of a criminal identity theft service broke into the computers of LexisNexis and two other major providers of Social Security numbers, birth dates and other personal information on millions of Americans before the breach was discovered earlier this year, according to a published report Wednesday.
Hackers used a software tool to retrieve personal data collected by LexisNexis, Dun & Bradstreet and Kroll Background America Inc., a company that performs employment background checks, wrote Brian Krebs, a computer security blogger.
The personal data was pilfered by the operators of ssndob.ms, a website that has marketed itself on underground cybercrime forums as a reliable and affordable provider of Social Security numbers, birthdays and other personal data on any U.S. resident, Krebs wrote.
LexisNexis said Wednesday in a statment that it has contacted the FBI and “initiated a comprehensive investigation working with a leading third party forensic investigation fim. In that investigation, we have identified an intrusion targeting our data but to date have found no evidence that customer or consumer data were reached or retrieved.”
A LexisNexis spokesman declined to say when the intrusion was discovered or whether the company could assure clients that personal data was not stolen.
Krebs said an FBI spokesman confirmed the agency is investigating the breach.
Based in New York City, LexisNexis employs about 3,400 at its Miami Twp. campus. It also has operations in Atlanta.
Krebs wrote that “a tiny unauthorized program called ‘nbc.exe’ was placed on (LexisNexis) servers as far back as April 10, 2013, suggesting the intruders have had access to the company’s internal networks for at least the past five months.”
Krebs said the hackers’ program was designed to open an “encrypted channel of communications from within LexisNexis’s internal systems” to a botnet controller. A botnet is a network of computers infected with harmful software or “malware” and controlled by hackers.
The botnet was tiny, fewer than a dozen computers in “strategically placed” locations, he said.
This summer, ssndob.ms was itself attacked by multiple hackers and its database plundered, Krebs wrote. Krebs said his review of the ssndob database showed that the site’s 1,300 customers have spent hundreds of thousands of dollars looking up personal data and obtaining unauthorized credit and background reports on more than 4 million Americans.
Krebs wrote that he traced the sources of the stolen information to the botnet controlling servers at LexisNexis, Dun & Bradstreet and Kroll Background America.
Mark Rasch, owner of Bethesda, Md.-based cybersecurity firm Rasch Technology & Cyberlaw, said big data aggregators are constantly under attack, and there are many different kinds of attacks.
What sets this intrusion apart is that hackers were able to infiltrate an internal LexisNexis network and install at least one file within that network, Rasch said.
Also, the hackers were using botnets to pull data from multiple data aggregators, he said. And they were targeting data that is intended to be used for identity theft and fraud.
“The question for LexisNexis is: Can you assure the public that no personal information was taken?” Rasch said.
In an interview with the Dayton Daily News, Krebs said, “They have a tremendous amount of information in their network, and I think for companies like that it’s safe to assume that they’re always under attack.”
This is not the first time LexisNexis has been hacked. In 2005, the company acknowledged that identity thieves misused passwords to tap the personal records of more than 300,000 Americans, fraudulently acquiring data from company databases, according to national reports.