Reported:
17 February 2008Occurred:
09 March 2005
Classifications:
- Attack Method: Insufficient Anti-automation
- Country: USA
- Outcome: Leakage of Information
- Vertical: Information Services
The LexisNexis data breach is not new, but we have recently decided to start tracking abuse of insufficient automation measures and are adding historical incidents.
In this incident a group of people opened accounts at data broker LexisNexis and used automated tools to extract a large amount of personal information provided by the service.
As usual in such cases there is a question of whether the attack was a criminal activity, violation of the license agreement of the information provider or plainly legal. In this regard it is interesting to note that the group arrested in the incident was also responsible for the hacking to Paris Hilton Vodafone account, which was clearly an unlawful act.
Back in 2005 this data breach was one of the first such incidents, generated a lot of media interest, and led to more regulation regarding information aggregators. Interestingly, the excuse given by the company was that the incident was that there was no security failure in the web site, but that the procedures where lacking. We accepted this story at the time, but today we believe that such automation and scraping attacks are among the most dangerous attacks.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
