LexisNexis Pwned With The Personal Data Of 360,000 Out In The Wild
It was confirmed today that information belonging to more than 360,000 people was leaked in a data breach affecting an arm of the analytics giant LexisNexis.
The breach occurred on December 25th, but LexisNexis only discovered it on April 1st, 2025, and is only now starting to notify the people affected. The company says it “promptly launched an investigation” and “notified law enforcement” once it discovered the breach, adding that the types of information exposed “varied by affected individual.”
LexisNexis spokesperson Jennifer Richman told TechCrunch that an attacker obtained the data through the firm’s GitHub account. Neither LexisNexis nor GitHub immediately responded to The Verge’s request for comment.
LexisNexis is one of the biggest data brokers in the US, collecting and selling vast amounts of personal information for fraud and risk assessment. Last year, LexisNexis was named in a report from The New York Times, which found that automakers had been sharing driving data with the firm, which then sold it to insurance companies, leading to higher premiums for the drivers concerned. Beyond its data broker business, LexisNexis also offers access to a database of news articles, public records, and legal documents.
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, had this to say:
“Data breaches like this one underscore the need for users to remove their personal data from as many data brokers as possible. Data brokers are popular targets among the bad actors of the world, as they are literal treasure troves of personal and often financial information. This one is particularly troubling due to what was exposed, including driver’s license and Social Security numbers, as well as date of birth. This information is of value to hackers, as it can be used to open fraudulent accounts in the victim’s name, and it can also be used to gain access to current financial accounts.”
“There needs to be more legislation as to how data brokers collect, store, and share and sell users’ information. Personally, I am not a fan of LexisNexis, following the retaliation it conducted against the group of users that filed a class action lawsuit against the company last year, by freezing their credit and falsely reporting them as identity theft victims. This is uncalled for and is what should be considered criminal conduct. At the very least, it was childish.”
A data breach at a company like LexisNexis is not just bad news, it’s horrible news. The damage that this creates is potentially huge and underscores why personal data needs to be better controlled.
UPDATE: James McQuiggan, security awareness advocate at KnowBe4, added this comment:
“Third-party integrations can expose organizations to serious risk. When sensitive data flows through external platforms, oversight must match internal standards. Token misuse, shared credentials, and poor API security create vulnerabilities that attackers exploit without breaching your perimeter.
Security questionnaires and audits often miss insecure development practices in vendor tools. Many organizations trust integrations by default without visibility into how data is accessed or stored. Vendor risk is operational risk, and short-lived API tokens can be considered. Organizations and security teams should build incident response plans that account for data leaks caused by third parties, not just direct attacks. You can’t outsource responsibility without oversight.”
This entry was posted on May 28, 2025 at 4:02 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.