FEMA Signs Identity Verification Deal With Hacked Data Broker

LexisNexis, a data broker reportedly hacked by identity thieves, has won a $15 million contract to check the identities of citizens applying for federal disaster aid.

The day before the government shut down, the Federal Emergency Management Agency awarded LexisNexis owner Reed Elsevier the potentially five-year deal to help victims of natural disasters such as the recent Colorado and New Mexico floods.

At the same time, a service that traffics in personal information was revealed one week ago to have breached two systems at LexisNexis, likely to oblige ID thieves, according to an investigative report by cybersecurity researcher Brian Krebs.

LexisNexis has acknowledged the intrusion but said it does not have evidence consumer data was breached.

Under the FEMA deal, LexisNexis is required to "authenticate" the online profiles of citizens who register through to "ensure that the applicant is who s/he says s/he is and has not stolen wallet information," contract filings state.

According to fraud analysts interviewed by Krebs, financial organizations rely on LexisNexis for knowledge-based authentication -- screening that quizzes a user about information only the valid user is likely to know, such as a parent’s middle name.

Gartner researcher Avivah Litan described the data for Krebs: “There are about 100 questions and answers that companies like LexisNexis store on all of us, such as, ‘What was your previous address?’ or ‘Which company services your mortgage?’ They also have a bunch of bogus questions that they can serve up to see if you really are who you say you are.”

People who answer incorrectly are more often legitimate applicants -- not the identity thieves, Krebs wrote. “These days, the people who fail these questions are mainly those who don’t remember the answers,” Litan told Krebs. “But the criminals seem to be having no problems.”

On, the applicant will take a four-question quiz that is based on the information in LexisNexis' data clearinghouse, according to the contract papers. For example, "a quiz question might be, 'which of the following five addresses have you lived at in the last ten years?'" LexisNexis also must verify, among other things, that applicant Social Security numbers do not belong to dead people and correspond to the named person.

The accused identity theft peddler, known as SSNDOB, has provided customers with more than 1 million unique Social Security numbers and nearly 3.1 million date of birth records since opening in early 2012, according to Krebs. Customers have paid for this data, along with driver’s license records and unauthorized credit and background reports on more than 4 million Americans. 

FEMA plans to use LexisNexis' property ownership and occupancy records associated with applicant names and Social Security numbers to determine eligibility, according to the work order. Earlier this year, a woman who collected more than $12,000 in Hurricane Sandy relief later was arrested for submitting false residency claims and tampering with records, followed by a man who pulled a similar stunt to obtain $2,000, according to New Jersey On-Line.

Due to the lapse in federal funding, FEMA representatives were not in the office and were prohibited from responding to email inquiries. 

In reference to the breach’s potential impact on anti-fraud efforts, LexisNexis officials said in a statement, “We have identified an intrusion targeting our data but to date have found no evidence that customer or consumer data were reached or retrieved in that intrusion. Immediately upon becoming aware of this matter, we contacted the FBI and initiated a comprehensive investigation working with a leading third party forensic investigation firm. Because this matter is actively being investigated by law enforcement, we can’t provide further information at this time.”
