
LexisNexis Confirms Data Breach After Hackers Exploit Unpatched React App

A breach at LexisNexis Legal & Professional exposed some customer and business data, the firm confirmed. News surfaced after FulcrumSec claimed responsibility and leaked about two gigabytes of files on underground platforms. The attackers accessed parts of the company's systems, though the scope of the breach was limited. The American analytics provider confirmed the incident days later, stating that only a small portion of its infrastructure was affected.

The company said an outside actor gained access to a limited number of servers. LexisNexis Legal & Professional provides legal research, regulatory information, and analytics tools to lawyers, corporations, government agencies, and universities in more than 150 countries. According to the firm, most of the accessed information came from older systems and was not considered sensitive, which reduced the potential impact.  

Internal findings showed that much of the exposed data originated from legacy systems storing information created before 2020. Records included customer names, user IDs, and business contact details. Some files contained product usage information and logs from past support tickets, including IP addresses from survey responses. However, sensitive personal identifiers such as Social Security numbers or driver’s license data were not included. Financial information, active passwords, search queries, and confidential client case data were also not part of the compromised dataset. 

The breach reportedly occurred around February 24 after attackers exploited the React2Shell vulnerability in an outdated front-end application built with React. The flaw allowed entry into cloud resources hosted on Amazon Web Services before it was addressed. 

While LexisNexis described the affected systems as containing mostly obsolete data, FulcrumSec claimed the intrusion was broader. The group said it extracted about 2.04GB of structured data from the company’s cloud infrastructure, including numerous database tables, millions of records, and internal system configurations. According to the attacker, the breach exposed more than 21,000 customer accounts and information linked to over 400,000 cloud user profiles, including names, email addresses, phone numbers, and job roles. 

Some of the records reportedly belonged to individuals with .gov email addresses, including U.S. government employees, federal judges and law clerks, Department of Justice attorneys, and staff connected to the Securities and Exchange Commission. FulcrumSec also criticized the company’s cloud security setup, alleging that a single ECS task role had access to numerous stored secrets, including credentials linked to production databases. The group said it attempted to contact the company but claimed no cooperation occurred. 
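As an added defender-side illustration (not code from the page or from LexisNexis), the following Python audits an IAM policy document for statements that let one role read every secret in the account, the pattern FulcrumSec alleged for the ECS task role, and rewrites them to name only the secrets a task actually needs. The policy, account ID and secret ARN are constructed placeholders.

```python
import copy

# Constructed sample (an assumption for illustration, not a LexisNexis
# artifact): an ECS task role policy that can read every secret in the account.
BROAD_TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/ecs/app:*"},
    ],
}

# Actions that return secret material, lower-cased because IAM matches
# action names case-insensitively.
SECRET_READ_ACTIONS = {"secretsmanager:getsecretvalue",
                       "secretsmanager:batchgetsecretvalue",
                       "secretsmanager:*", "*"}

def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def _is_broad(statement):
    """True if an Allow statement reads secrets on a wildcard resource.
    NotAction, NotResource and Condition keys are not evaluated here."""
    if statement.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action", []))}
    if not actions & SECRET_READ_ACTIONS:
        return False
    resources = _as_list(statement.get("Resource", []))
    return any(r == "*" or r.endswith(":secret:*") for r in resources)

def broad_secret_statements(policy):
    """Return the statements that grant account-wide secret reads."""
    return [s for s in _as_list(policy.get("Statement", [])) if _is_broad(s)]

def scope_secret_access(policy, secret_arns):
    """Return a copy of the policy with flagged statements limited to
    GetSecretValue on the named secret ARNs (least privilege)."""
    fixed = copy.deepcopy(policy)
    for statement in _as_list(fixed.get("Statement", [])):
        if _is_broad(statement):
            statement["Action"] = "secretsmanager:GetSecretValue"
            statement["Resource"] = list(secret_arns)
    return fixed
```

Run the audit against every task and execution role policy, not just one; a role that passes it can still be over-privileged through attached managed policies, so check those too.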

LexisNexis stated that the breach has been contained and confirmed that its products and customer-facing services were not affected. The company notified law enforcement and engaged external cybersecurity experts to assist with investigation and response. Customers, both current and former, have also been informed about the incident. The company had disclosed another breach last year after a compromised corporate account exposed data belonging to roughly 364,000 customers. 

The latest case highlights how vulnerabilities in cloud applications and outdated software can expose enterprise systems even when they contain primarily legacy information.

GM Car Buyers' Nightmare: The Unveiling of a Program Raising Insurance Rates

Auto manufacturers are believed to be selling millions of data points about their customers' driving behaviour to the insurance industry. It is my responsibility to report the story of GM sharing driving data from connected vehicles with third parties without drivers having been informed of the tracking. In General Motors' case, this led some insurance companies to charge higher premiums to some of the affected drivers.

In a nutshell, Kashmir Hill of the New York Times broke the news that General Motors had been selling driving records on specific drivers and specific trips to LexisNexis and Verisk, two companies that help insurers determine risk levels in the automotive sector. The drivers had been enrolled in a GM program called Smart Driver+, which GM describes as a driving gamification program that helps improve one's driving skills.

Smart Driver+ data is used by the insurance industry to detect drivers who brake hard, accelerate hard, swerve, and speed, and insurers use these incidents to raise the rates of the people they insure. Two weeks before the first article in the New York Times ran, and two weeks after it was published, GM said it was cutting ties with LexisNexis, because "customer trust is a priority for us, and companies are actively evaluating our privacy policies and processes."

A lawsuit had already been filed by a Cadillac driver in Florida who had seen his insurance premium double because of the new policy. It has been confirmed that owners must opt into the Smart Driver program to take part in it. Hill, who has written about privacy and technology for more than 10 years, points out in the latest instalment of her piece that the Chevrolet Bolt she and her husband purchased in December 2023 also had Smart Driver+ enabled, even though she had no idea that it had happened. Her husband requested his LexisNexis and Verisk reports, and sure enough, he received two files from these companies that, combined, summarized nearly 300 trips over three months.

Even though both her name and her husband's name were on the vehicle title, neither of the third-party companies had any information on Kashmir Hill, because the dealership had listed her husband as the primary owner. When they checked the OnStar app to see whether they were enrolled in the Smart Driver feature, it indicated that they were not.

Once they logged into OnStar on a computer, however, it showed that they were enrolled and that their program had begun. Hill was told by General Motors that "a small population" of owners had been affected by this "bug", which caused the app to display incorrect information. A few revealing nuggets emerged when she called the dealership's salesperson to ask about when she had supposedly opted in.

He explained to her that during the sales process there are three pages he fills in automatically by answering "Yes," "Yes," and "No," without asking the customer for consent, although he says he wants to make sure the customer is aware of them. The three pages are a standard OnStar registration, an OnStar Connected Access registration, and an enrolment in Smart Driver.

The salesperson's instruction sheet does contain a few lines telling him to ask the buyer for permission before committing to the contract, and GM insisted to Hill that car buyers had to approve the terms. He also said that if he does not sign a customer up for OnStar, GM docks his pay, and that dealerships are graded on how many cars are enrolled in Connected Access. The page where users opted into OnStar turned out to be the same page where they opted into Smart Driver+. Consequently, a new-car buyer at the dealership could not opt into one without the other.

Two months into the controversy, General Motors (GM) has taken decisive action in response to concerns surrounding its OnStar Connected Services and Smart Driver+ program. One option available to buyers was to opt out of OnStar Connected Services, but doing so meant forfeiting certain benefits such as over-the-air updates and remote diagnostics.

However, even for those who opted in, crucial information about how the data captured by Smart Driver+ could be used was not adequately disclosed. Notably, this information, which includes details about driving behaviour, could be sold to third-party firms without the driver's knowledge, and drivers could only discover this by obtaining their reports from entities like LexisNexis or Verisk. In light of the public outcry and legal challenges, GM has taken steps to address the situation.

The company has ceased data sharing with LexisNexis and Verisk, terminated the Smart Driver program across all GM vehicles, and appointed a new trust and privacy officer. Despite these measures, GM faces a mounting legal battle, with at least 10 federal lawsuits filed by disgruntled owners regarding the Smart Driver program.