If you haven’t read this story in the Washington Post, it’s worth a quick read.

It went something like this:

-A small group of hackers sent out a bunch of porn spam with a virus/keylogger attached.

-A police officer opened one of the emails, and then subsequently logged onto Seisint, a LexisNexis subsidiary. Of course, the keylogger was on the system and everything the officer did was recorded.

Then:

“The young hacker said the group members then created a series of sub-accounts using the police department’s name and billing information. Over several days, the hacker said the group looked up thousands of names in the database, including friends and celebrities. The law enforcement source said the group eventually began selling Social Security numbers and other sensitive consumer information to a ring of identity thieves in California. washingtonpost.com has not been able to reach the young source to seek comment about the sale of personal information.”

Then check this out:

“LexisNexis disclosed on March 9 that records on 32,000 individuals were downloaded by an unknown person or persons who gained access to the company’s database using compromised user accounts. A month later, the company said it determined that 310,000 personal records had been accessed over a series of weeks

What’s the lesson? This is basic security!! Everything that could have stopped this attack is commercially available and not even that expensive. A friggin free desktop firewall with inbound and outbound protection would have obviated most, if not all, of the breach. Layer that with a good AV with robust attachment filters.

Then throw in some employee training about social engineering (i.e. “don’t open attachments unless they are from a trusted, known source that you know is supposed to be sending something”, etc.).
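The attachment filtering mentioned above is easy to sketch. The following is an added example written for this page, not code from the post or from any product it mentions. It parses an inbound message with Python’s standard `email` package and quarantines attachments that are executable by extension, hide an executable extension behind a second one (“photo.jpg.exe”), or start with an executable file header regardless of what the filename or Content-Type claims. The sample message, addresses and the fake “MZ” payload are all constructed for the demonstration; the extension list is an assumed site policy, not a standard.

```python
"""Illustrative inbound-attachment filter (added example, not from the post).

Flags attachments that are executable by extension, that hide an executable
extension behind a second one (e.g. "photo.jpg.exe"), or whose bytes start
with a Windows PE "MZ" header no matter what the filename or Content-Type says.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions commonly used to deliver executable content (assumed site policy).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse",
    "wsf", "hta", "msi", "dll",
}

# Leading bytes of formats that run as code when opened.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
}


def classify_attachment(filename, payload):
    """Return the reasons this attachment should be quarantined (empty list if none)."""
    reasons = []
    name = (filename or "").lower()
    parts = name.split(".")
    # Every extension after the base name is checked, so a double-extension
    # trick such as "photo.jpg.exe" is caught along with a plain "x.exe".
    for ext in parts[1:]:
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension .{ext}")
            break
    # Content check: the declared type and filename are attacker-controlled,
    # so look at the actual bytes as well.
    for magic, desc in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            reasons.append(f"content is {desc}")
            break
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message; return {filename: [reasons]} for risky attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, payload)
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample_message():
    """Construct a test message: one harmless text file and one disguised executable stub."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "officer@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"just a note", maintype="text", subtype="plain",
                       filename="notes.txt")
    # Stand-in for a dropper: a fake PE header declared as an image, with a
    # double extension. It is constructed data, not a real program.
    fake_pe = b"MZ" + b"\x00" * 62
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg",
                       filename="photo.jpg.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()).items():
        print(f"QUARANTINE {name}: {', '.join(why)}")
```

Running it quarantines `photo.jpg.exe` on both counts (extension and content) and lets `notes.txt` through. The point of checking the bytes as well as the name is that a sender controls the filename and the Content-Type header; a filter that trusts either one is the filter the keylogger in the story walked past.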

Alex Eckelberry
(Thanks to BeSpecific)