FEMA Signs Identity Verification Deal With Hacked Data Broker

Effort to reduce fraud in disaster aid programs could present new opportunities for criminals.

LexisNexis, a data broker reportedly hacked by identity thieves, has won a $15 million contract to check the identities of citizens applying for federal disaster aid.

The day before the government shut down, the Federal Emergency Management Agency awarded LexisNexis owner Reed Elsevier the potentially five-year deal to help victims of natural disasters suchh as the recent Colorado and New Mexico floods. 

At the same time, a service that traffics in personal information was revealed one week ago to have breached two systems at LexisNexis, likely to oblige ID thieves, according to an investigative report by cybersecurity researcher Brian Krebs.

LexisNexis has acknowledged the intrusion but said it does not have evidence consumer data was breached.

Under the FEMA deal, LexisNexis is required to "authenticate" the online profiles of citizens who register through DisasterAssistance.gov to "ensure that the applicant is who s/he says s/he is and has not stolen wallet information,” contract filings state.

According to fraud analysts interviewed by Krebs, financial organizations rely on LexisNexis for knowledge-based authentication -- screening that quizzes a user about information only the valid user is likely to know, such as a parent’s middle name.

Gartner researcher Avivah Litan described the data for Krebs: “There are about 100 questions and answers that companies like LexisNexis store on all of us, such as, ‘What was your previous address?’ or ‘Which company services your mortgage?’ They also have a bunch of bogus questions that they can serve up to see if you really are who you say you are.”

People who answer incorrectly are more often legitimate applicants -- not the identity thieves, Krebs wrote. “These days, the people who fail these questions are mainly those who don’t remember the answers,” Litan told Krebs. “But the criminals seem to be having no problems.”

On DisasterAssistance.gov, the applicant will take a four-question quiz that is based on the information in LexisNexis' data clearinghouse, according to the contract papers. For example, "a quiz question might be, 'which of the following five addresses have you lived at in the last ten years?'" LexisNexis also must verify, among other things, that applicant Social Security numbers do not belong to dead people and correspond to the named person.

The accused identity theft peddler, known as SSNDOB, has provided customers with more than 1 million unique Social Security numbers and nearly 3.1 million date of birth records since opening in early 2012, according to Krebs. Customers have paid for this data, along with driver’s license records and unauthorized credit and background reports on more than 4 million Americans. 

FEMA plans to use LexisNexis' property ownership and occupancy records associated with applicant names and Social Security numbers to determine eligibility, according to the work order. Earlier this year, a woman who collected more than $12,000 in Hurricane Sandy relief later was arrested for submitting false residency claims and tampering with records, followed by a man who pulled a similar stunt to obtain $2,000, according to New Jersey On-Line

Due to the lapse in federal funding, FEMA representatives were not in the office and were prohibited from responding to email inquiries. 

In reference to the breach’s potential impact on anti-fraud efforts, LexisNexis officials said in a statement, “We have identified an intrusion targeting our data but to date have found no evidence that customer or consumer data were reached or retrieved in that intrusion. Immediately upon becoming aware of this matter, we contacted the FBI and initiated a comprehensive investigation working with a leading third party forensic investigation firm. Because this matter is actively being investigated by law enforcement, we can’t provide further information at this time.”