LexisNexis Risk Solutions (LNRS), a prominent data brokerage company, revealed a significant cybersecurity incident in which unauthorized access to its GitHub repository on December 25, 2024, compromised the personal information of 364,333 individuals. The breach remained undetected for over three months until an unknown third party notified the company on April 1, 2025, prompting an immediate internal investigation and forensic analysis.
The unauthorized intrusion targeted LNRS’s GitHub repository rather than the company’s core infrastructure, networks, or primary products. Cybercriminals accessed software artifacts alongside sensitive personal data, including names, contact information, Social Security numbers, and driver’s license numbers. The company confirmed that financial information, credit card data, and other highly sensitive records were not compromised during the incident. Like many zero-day exploits, this attack targeted previously unknown vulnerabilities in the system.
LNRS formally identified the breach’s scope through regulatory filings on May 14, 2025, followed by public disclosure and regulatory notifications on May 28, 2025. The affected individuals primarily consisted of customers whose data was processed for risk assessment and fraud prevention services, core functions within the multi-billion-dollar data brokerage industry.
The incident highlights significant vulnerabilities in third-party platform security, particularly for companies handling vast volumes of personal information. Data brokers like LexisNexis routinely manage sensitive data for risk assessment, fraud detection, and customer analytics across various industries, making them attractive targets for cybercriminals seeking valuable personal information.
Following the breach confirmation, LNRS dispatched notification letters to all impacted parties in compliance with regulatory requirements. The company initiated thorough reviews of its third-party platform security measures, emphasizing the need for improved protections on development platforms such as GitHub. Recommendations include implementing strong Single Sign-On protocols and advanced authentication methods. LexisNexis is also providing identity protection services to help affected individuals safeguard their personal information. The company offered affected individuals 24 months of credit monitoring through Experian as part of its comprehensive response to the breach.
The breach has intensified regulatory scrutiny surrounding data broker operations and consumer data protection standards. LNRS continues cooperating with law enforcement agencies and regulatory authorities throughout the ongoing investigation.
The incident serves as a critical reminder of the evolving cybersecurity challenges facing organizations that rely on third-party platforms for data management and software development activities.