FEMA Signs Identity Verification Deal With Hacked Data Broker

LexisNexis, a data broker reportedly hacked by identity thieves, has won a $15 million contract to check the identities of citizens applying for federal disaster aid.

The day before the government shut down, the Federal Emergency Management Agency awarded LexisNexis owner Reed Elsevier the potentially five-year deal to help victims of natural disasters such as the recent Colorado and New Mexico floods.

At the same time, a service that traffics in personal information was revealed one week ago to have breached two systems at LexisNexis, likely to oblige ID thieves, according to an investigative report by cybersecurity researcher Brian Krebs.

LexisNexis has acknowledged the intrusion but said it does not have evidence consumer data was breached.

Under the FEMA deal, LexisNexis is required to "authenticate" the online profiles of citizens who register through DisasterAssistance.gov to "ensure that the applicant is who s/he says s/he is and has not stolen wallet information," contract filings state.

According to fraud analysts interviewed by Krebs, financial organizations rely on LexisNexis for knowledge-based authentication -- screening that quizzes a user about information only the valid user is likely to know, such as a parent’s middle name.

Gartner researcher Avivah Litan described the data for Krebs: “There are about 100 questions and answers that companies like LexisNexis store on all of us, such as, ‘What was your previous address?’ or ‘Which company services your mortgage?’ They also have a bunch of bogus questions that they can serve up to see if you really are who you say you are.”

People who answer incorrectly are more often legitimate applicants -- not the identity thieves, Krebs wrote. “These days, the people who fail these questions are mainly those who don’t remember the answers,” Litan told Krebs. “But the criminals seem to be having no problems.”

On DisasterAssistance.gov, the applicant will take a four-question quiz that is based on the information in LexisNexis' data clearinghouse, according to the contract papers. For example, "a quiz question might be, 'which of the following five addresses have you lived at in the last ten years?'" LexisNexis also must verify, among other things, that applicant Social Security numbers do not belong to dead people and correspond to the named person.

The accused identity theft peddler, known as SSNDOB, has provided customers with more than 1 million unique Social Security numbers and nearly 3.1 million date of birth records since opening in early 2012, according to Krebs. Customers have paid for this data, along with driver’s license records and unauthorized credit and background reports on more than 4 million Americans. 

FEMA plans to use LexisNexis' property ownership and occupancy records associated with applicant names and Social Security numbers to determine eligibility, according to the work order. Earlier this year, a woman who collected more than $12,000 in Hurricane Sandy relief later was arrested for submitting false residency claims and tampering with records, followed by a man who pulled a similar stunt to obtain $2,000, according to New Jersey On-Line.

Due to the lapse in federal funding, FEMA representatives were not in the office and were prohibited from responding to email inquiries. 

In reference to the breach’s potential impact on anti-fraud efforts, LexisNexis officials said in a statement, “We have identified an intrusion targeting our data but to date have found no evidence that customer or consumer data were reached or retrieved in that intrusion. Immediately upon becoming aware of this matter, we contacted the FBI and initiated a comprehensive investigation working with a leading third party forensic investigation firm. Because this matter is actively being investigated by law enforcement, we can’t provide further information at this time.”
