Data broker LexisNexis Risk Solutions (LNRS) has confirmed a data breach that compromised the personal information of over 364,000 people.
LexisNexis operates in 40 countries, has customers worldwide, and employs over 11,500 people.
The subsidiary of the British data analytics conglomerate RELX works with 91% of Fortune 100 companies and 85% of Fortune 500 companies, making the breach more significant.
LNRS helps companies in the financial, insurance, healthcare, and government sectors to assess risk and identify fraud.
“On April 1, 2025, we learned that on December 25, 2024, an unauthorized third party acquired certain LNRS data from a third-party platform used for software development,” the company said.
The threat actor copied data from the company’s GitHub account by exploiting a compromised employee account. However, LexisNexis’ internal information systems, corporate networks, infrastructure, or products were not compromised.
Data broker LexisNexis confirms data breach
The New York City-based data broker launched an investigation with third-party cyber forensics to determine the nature of the stolen information.
LexisNexis says the data breach leaked the victims’ names, email and postal addresses, dates of birth, and government- and state-issued IDs, like Social Security Numbers, and driver’s license numbers.
This information puts the data breach victims at an elevated risk of targeted phishing attacks (spear phishing) and fraud.
“This one [data breach] is particularly troubling due to what was exposed, including driver’s license and Social Security numbers, as well as date of birth,” said Chris Hauk, Consumer Privacy Champion at Pixel Privacy. “This information is of value to hackers, as it can be used to open fraudulent accounts in the victim’s name, and it can also be used to gain access to current financial accounts.”
However, financial information such as credit card details and bank account information was not exposed. Similarly, no evidence suggests that the stolen information has been misused or further disseminated.
“This data breach has led to concerns over the security of sensitive personal and protected health information entrusted to LexisNexis Risk Solutions,” Levi Korsinsky, LLP, which is investigating the LexisNexis data breach, said in a press release.
Meanwhile, LexisNexis has also reported the data breach to the relevant regulatory and law enforcement authorities. LNRS told the Office of the Maine Attorney General that the data breach affected 364,333 people.
The data broker also advised the victims to monitor their account statements and credit reports and notify law enforcement authorities of any suspicious activity.
In addition, NexisLexis is offering two years of identity theft and credit monitoring services to protect victims from fraud. Data breach victims may also be entitled to compensation, according to L&K, which might file a lawsuit.
According to media sources, the data broker allegedly trades the personal information of Americans without their express permission, making the data breach even more concerning. Insurance companies reportedly use that information to determine their customers’ premiums. Privacy advocates have frequently called for regulations to prevent companies from engaging in such behavior.
Meanwhile, the identity of the threat actor and whether the data broker has received any extortion demands remain unreported, signaling that ransom negotiations could be ongoing.
