µØº¸µó¤é³ø­ì¤å, ¥t¦³·s»D»¡ Lexis-Nexis ¸ê°T¤½¥q©M¬ü°ê³Â¬Ùªº¤j¾Ç Tufts University ¤À§O¥¢¥h³¡¥÷¬ü°ê´¶Ã¹¤j²³ ©M ®դͪº­Ó¤H¸ê®Æ.ux?5V{
©½t¥Í³N¼Æ¬ã¨sªÀ -- ³N¼Æ¬ã¨s¡@¡@ ![^mN

Security Breach Hits Credit Cards!5XdN
By  Robin Sidel and Christopher Conkeyh3gxzf
Wall Street Journal , April 14, 2005  %D]CYA
©½t¥Í³N¼Æ¬ã¨sªÀ -- ³N¼Æ¬ã¨s¡@¡@ #g
HSBC Notifies 180,000 People Who Shopped At Ralph Lauren; Other Banks May Be Affected 

British financial giant HSBC PLC is notifying at least 180,000 people who used MasterCard credit cards to make purchases at Polo Ralph Lauren Corp. that criminals may have obtained access to their credit-card information, and that they should replace their cards. 

The situation -- which involves a General Motors-branded MasterCard that is one of the most widely held credit cards in the U.S. -- is the latest in a string of high-profile incidents in which personal data were stolen from retailers or financial institutions. Although HSBC and MasterCard declined to discuss when or how the apparent theft occurred, people with knowledge of the matter identified the retailer as Polo Ralph Lauren. A Polo spokeswoman declined to comment. 

The incident, which is thought to have taken place more than a month ago, is likely to further highlight the issue among regulators and politicians who are considering new rules to deal with identity theft. 

Although HSBC so far appears to be the only financial institution to disclose that it is alerting cardholders of the incident, credit cards issued by other banks also could be vulnerable. Under current rules, however, banks aren't necessarily required to alert their cardholders to the potential fraud. 

In a statement, Visa USA Inc. said it was aware of a "data security breach" and is "working with the merchant, law enforcement and the affected member financial institutions to monitor and prevent card-related fraud." 

HSBC said it was sending letters to 180,000 holders of cards branded by MasterCard and GM. The British bank manages six million GM-MasterCard branded cards in circulation. GM referred calls to HSBC. 

Stephen Cohen, an HSBC spokesman in New York, said the bank is "alerting cardholders as quickly as possible because we take the security of their accounts very seriously." He also said the bank is continuing to evaluate its other cards to determine if they may have been affected. 

The HSBC letter, which was sent to cardholders last week, reads in part: "A national retailer's computer system has had a security breach and your credit card account number may be among those that were compromised." It was signed by "GM Cardmember Services" and noted that HSBC issues the card and provides administrative and processing services for it. The letter went on to say that "we are unaware of any fraudulent activity on your account." 

A spokeswoman for MasterCard, an association that has thousands of banks as members, said it has "taken the necessary steps to inform all the [credt-card] issuers that could possibly be impacted by the potential database compromise." MasterCard and Visa both said U.S. cardholders are protected from liability for unauthorized transactions. 

Identity theft is a growing problem. Typically, criminals use stolen information to then fraudulently obtain credit cards, mortgage loans and auto loans, or simply to charge purchases to existing accounts. The Federal Trade Commission says 10 million people -- nearly 5% of the adult population -- discovered they were victims of identity theft in 2003. Other studies put the cost to consumers, banks and credit-card companies at more than $11 billion a year. 

Currently, only two laws mandate consumer notification when a breach occurs. The first is a two-year-old California statute requiring notification whenever electronic personal data are stolen. The second, a federal regulation requiring banks to inform consumers of breaches if it is "reasonably possible" that identity theft will result, took effect last month. 

While banks also are required to report breaches that occur in-house or at financial-service providers with whom they do business, HSBC technically wasn't required to notify GM MasterCard holders because the breach in question occurred at a separate retailer, not within the bank or the credit-card company. 

More than 20 states are considering legislation similar to the California law, which this year exposed a scandal involving ChoicePoint Inc., an Alpharetta, Ga., company that collects consumer data, and which said thieves had obtained information on about 145,000 people by posing as legitimate customers. This week, LexisNexis said 310,000 Americans, nearly 10 times its original estimate, had their personal and financial data accessed by unauthorized individuals via its computer systems. 

Sensitive data also have been compromised at some banks, mutual funds and universities. Last month, DSW Shoe Warehouse reported the theft of credit-card information from a database for 103 of the chain's 175 stores. 

Congress seems likely to put data brokers like LexisNexis and ChoicePoint under greater scrutiny this year, but debate is heating up over whether to impose a broader notification requirement on any business or government agency that handles personal information. 

At a Senate Judiciary Committee hearing yesterday, one frequent topic of discussion was a bill put forward by Democratic Sen. Dianne Feinstein of California that goes even further than the California law by expanding the definition of a breach to include encrypted data and paper records. Business groups are resigned to some kind of notification standard, but they are pushing hard for something along the lines of the banking regulations, which preserve some latitude for a bank to decide when a breach poses a threat to consumers. 

--- 

--Robin Sidel and Christopher Conkey 

Ellen Byron and Teri Agins contributed to this report. 

--- 

Foiling the Thieves 

Here are some steps to take if you learn that someone may have gotten access to your personal data: 

-- Contact the three major credit bureaus to place a fraud alert on your file. 

-- Check the compromised account to look for signs of fraudulent activity (and if you see any, call the company involved for help). 

-- Check your credit report frequently after the breach occurs in case thieves manage to open new accounts in your name. 
 
zm{je

 ³o½g´£¤Î Tufts University ®դͤ]¨ü®`.iRD[?
©½t¥Í³N¼Æ¬ã¨sªÀ -- ³N¼Æ¬ã¨s¡@¡@ ,

LexisNexis Reveals Further Breaches of Database"g)
By  David Pringle and Rachel Zimmerman2%d<K
Wall Street Journal , April 13, 2005 

LexisNexis said 310,000 Americans, nearly 10 times itsLB
original estimate, have had their personal dataYI
accessed by unauthorized individuals via its computern(AWuX
systems, raising fresh concerns about theWC
data-collection industry's ability to guard againstH<Aqk.
hackers amid a surge in identity-theft crimes. 
Separately, Tufts University sent a "precautionary"|
letter to alumni last week warning them that personalY*7
information may have been stolen from a computerBHoIA
database used for fund raising. The letter, sent to@7fREr
about 106,000 graduates and other donors, says Tufts>
"detected abnormal activity" on a computer thatC
included names, addresses, Social Security andz
credit-card numbers. 

The latest revelations are likely to give new urgency-n,n
to the clamor for laws to prevent data brokers from4VP
amassing sensitive personal information without]OGH
consent and for better safeguards of other databases.>p!.
Recently, data broker ChoicePoint Inc. of Alpharetta,kp6fD
Ga., said identity thieves had obtained information onOaU.L
about 145,000 people by posing as legitimate,$G
customers. Sensitive data also have been compromisedao7
at some banks, mutual funds and other universities. 

LexisNexis, a legal- and business-information provider4d#4~
owned by Reed Elsevier PLC of the United Kingdom, saidk-fw
it has identified 59 security breaches over two years7L^E@u
-- a rate of about one every two weeks -- making the&
problem far more pervasive than it had previouslyJ3
realized. The accessed information included Socialys EZ
Security, driver's license numbers and other personalGzj
information. 

U.S. law-enforcement agencies are investigating the),v
breach, and Reed said it is offering fraud insuranceXMOJ
and other services such as credit checks, free ofhkObZ
charge, to individuals whose data were accessed byKqa.gX
unauthorized people. Reed's latest announcement comesu3
five weeks after its initial disclosure that breachesKd1)
had affected about 30,000 people. 

Once individual information has been purloined, it canl5u
be used by identity thieves to fraudulently obtainu<vR
credit cards, mortgage loans and car loans, amongo]cQ
other things. The Federal Trade Commission estimatesXcmF`
27.3 million Americans were affected by identity theft^>9%
in the five years through 2003, with the pace of theftW@HHo
quickening toward the end of that period. 

Data brokers, which collect and sell personal^4f3T
information, represent a new and still largelyO)5
unregulated industry -- but virtually every state isD.G20F
considering some kind of privacy legislation. In atNMOn
least 20 states, the law would require companies to&l<|aK
notify individuals when their personal information isv
compromised, according to the Electronic Privacy;$= *%
Information Center, a public-interest research group\m\,
in Washington, D.C. Congress is also considering aJ8x
federal notification standard, based on a Californiad]q
law that exposed the ChoicePoint breach. 

The Senate Judiciary Committee plans to hold a hearingW
today on the recent wave of data breaches and on the$R*Qo
proposed legislation. 

Laws governing the collection and movement of personali
data are much stricter in Europe and the region hasn't.;@A=
had the spate of security breaches experienced in thehM|Dss
U.S. 

Data brokers such as LexisNexis promote theirv_6y
"risk-management" services to banks, insurancePMq{
companies, law-enforcement agencies and otherQB
legitimate organizations that need to guard againstNN
financial fraud. Banks, for instance, buy the data soc*O
they can run checks when deciding whether to approve a1uaO
mortgage application. Reed executives say the^1
data-brokering business is an important tool inYzJuvI
preventing fraud. 

LexisNexis said it began investigating thousands ofYv
customers' accounts last month, after announcing that`Z
information on 30,000 people held by its SeisintVG>
data-brokering division may have been accessed byUymW
criminals. Yesterday Reed said that it had uncoveredC5xS
dozens of Seisint security breaches that predated itsusj/$
acquisition of the company late last year, as well asC
a handful of incidents in other parts of LexisNexis.YT]
Kurt Sanford, head of U.S. corporate and federalbnow>
markets for LexisNexis, said the company didn't haveBj{;`C
any idea of the extent of the problem before thelZ
investigation. 

The security breaches typically took one of threedX^F
forms, Mr. Sanford said, all related to ,yxla
misappropriation of passwords. In some cases, anK
unauthorized individual was able to access LexisNexisBd}}
databases after figuring out a legitimate customer'sgErm>
too-obvious password. In others, a former employee of?):1j8
a legitimate customer was able to continue accessing/$.J~Q
the LexisNexis databases because the customer didn't&
change the account details after the employee left. In"4T@^)
still others, criminals obtained an accountpgo
administrator's identification details, allowing themO$
to create unauthorized accounts. 

LexisNexis executives say they are now monitoringaRt
customers' usage patterns closely to spot anyB2,(g
irregular activity. They say they are also trying to'6-0Sj
force customers to beef up their security by reviewing"~Gvhz
passwords monthly and requiring authorizations fromY
two managers for each new account. 

LexisNexis said that so far none of the 30,000 people{tO
notified of a breach in December and January have come/TQ>C
back to report instances of identity theft. Privacy?QOG
advocates, however, say criminals don't alwayswz`
immediately use data they obtain, preferring sometimese{.pl3
to sell them on the Internet. Or, they say, a criminalxJ
may open a credit card in an individual's name, butyV
use a different address, so the individual doesn't seeI5>0^
the credit-card statements and isn't aware of theCDLV\v
fraud. 

Reed's LexisNexis unit pushed deeply into data-;&x-
brokering when it purchased Seisint Inc. of Bocaf
Raton, Fla., for $775 million late last year. Seisint/6UU
was known for having some of the top software forc
searching databases. It also sold data searches for as?E#2[
little as 25 cents apiece. 

Reed said the financial cost of the breaches will beY
manageable and didn't change its earnings forecasts. 

At Tufts, Betsey Jay, director of advancement?%'
communications and donor relations, said there is "noGo
evidence that any data is being misused." Still, theg#pw\
letter urged alumni to contact their banks and checkzx
credit reports for any signs of unauthorized activity.5mD[
©½t¥Í³N¼Æ¬ã¨sªÀ -- ³N¼Æ¬ã¨s¡@¡@ Wi)|Cv
Ms. Jay said analysts detected "unusual activity,")p
during routine checks on a server used for telephoneC/q.E5
fund raising that is owned by Tufts but managed by an4]@
outside vendor. The suspicious activity --%c6{
specifically, large amounts of data moving through thee
machine -- occurred Oct. 31 and Dec. 19, she said. One~2Q0
theory was that someone was using the computer as aX1,
distribution point for movies and other entertainment{
media, Ms. Jay said. At the time, Tufts decided there,m
wasn't enough evidence to notify alumni about thev{oM
unusual activity. But, she said, after recent7
revelations about security breaches at financial andvmt
educational institutions, Tufts decided to alert its2NNtv6
donors. She said there is no evidence that the>;X1C
break-in was carried out by students, faculty members@ZUE2
or employees. 

--- 

--David Pringle and Rachel Zimmerman 

Christopher Conkey contributed to this article.