FEMA Signs Identity Verification Deal With Hacked Data Broker

LexisNexis, a data broker reportedly hacked by identity thieves, has won a $15 million contract to check the identities of citizens applying for federal disaster aid.

The day before the government shut down, the Federal Emergency Management Agency awarded LexisNexis owner Reed Elsevier the potentially five-year deal to help victims of natural disasters such as the recent Colorado and New Mexico floods.

At the same time, a service that traffics in personal information was revealed one week ago to have breached two systems at LexisNexis, likely to oblige ID thieves, according to an investigative report by cybersecurity researcher Brian Krebs.

LexisNexis has acknowledged the intrusion but said it does not have evidence consumer data was breached.

Under the FEMA deal, LexisNexis is required to "authenticate" the online profiles of citizens who register through DisasterAssistance.gov to "ensure that the applicant is who s/he says s/he is and has not stolen wallet information," contract filings state.

According to fraud analysts interviewed by Krebs, financial organizations rely on LexisNexis for knowledge-based authentication -- screening that quizzes a user about information only the valid user is likely to know, such as a parent’s middle name.

Gartner researcher Avivah Litan described the data for Krebs: “There are about 100 questions and answers that companies like LexisNexis store on all of us, such as, ‘What was your previous address?’ or ‘Which company services your mortgage?’ They also have a bunch of bogus questions that they can serve up to see if you really are who you say you are.”

People who answer incorrectly are more often legitimate applicants -- not the identity thieves, Krebs wrote. “These days, the people who fail these questions are mainly those who don’t remember the answers,” Litan told Krebs. “But the criminals seem to be having no problems.”

On DisasterAssistance.gov, the applicant will take a four-question quiz that is based on the information in LexisNexis' data clearinghouse, according to the contract papers. For example, "a quiz question might be, 'which of the following five addresses have you lived at in the last ten years?'" LexisNexis also must verify, among other things, that applicant Social Security numbers do not belong to dead people and correspond to the named person.

The accused identity theft peddler, known as SSNDOB, has provided customers with more than 1 million unique Social Security numbers and nearly 3.1 million date of birth records since opening in early 2012, according to Krebs. Customers have paid for this data, along with driver’s license records and unauthorized credit and background reports on more than 4 million Americans. 

FEMA plans to use LexisNexis' property ownership and occupancy records associated with applicant names and Social Security numbers to determine eligibility, according to the work order. Earlier this year, a woman who collected more than $12,000 in Hurricane Sandy relief later was arrested for submitting false residency claims and tampering with records, followed by a man who pulled a similar stunt to obtain $2,000, according to New Jersey On-Line.

Due to the lapse in federal funding, FEMA representatives were not in the office and were prohibited from responding to email inquiries. 

In reference to the breach’s potential impact on anti-fraud efforts, LexisNexis officials said in a statement, “We have identified an intrusion targeting our data but to date have found no evidence that customer or consumer data were reached or retrieved in that intrusion. Immediately upon becoming aware of this matter, we contacted the FBI and initiated a comprehensive investigation working with a leading third party forensic investigation firm. Because this matter is actively being investigated by law enforcement, we can’t provide further information at this time.”
