Data analytics firm LexisNexis Risk Solutions revealed a cyberattack that compromised the personal information of 364,333 individuals, marking another significant breach in the data brokerage industry. The incident occurred on December 25, 2024, when hackers accessed company data through a third-party software development platform, specifically targeting the firm’s GitHub account.
The breach remained undetected for nearly five months, with LexisNexis first learning of unauthorized access on April 1, 2025, and officially identifying the full scope on May 14, 2025. The company filed formal notification with the Maine Attorney General’s office, revealing that attackers acquired sensitive personal data including names, phone numbers, mailing addresses, email addresses, Social Security numbers, driver’s license numbers, and dates of birth. Notably, no financial or credit card information was compromised, and the company’s primary networks remained unaffected.
The attack vector exploited vulnerabilities in external development tools rather than LexisNexis’s core systems. Hackers specifically targeted the company’s GitHub account through a third-party platform used for software development, potentially taking advantage of reduced security monitoring during the Christmas holiday period. Third-party relationships continue to pose significant risks, with studies showing that supply chain attacks now account for a substantial portion of cybersecurity incidents.
TechCrunch confirmed that the breach originated from the external development platform, emphasizing the growing risks associated with third-party vendor relationships.
LexisNexis Risk Solutions, which specializes in corporate risk assessments and fraud detection services, has previously sold vehicle driving data to insurance companies and provides information to law enforcement agencies about suspects. The company launched an extensive investigation with external cybersecurity experts, notified law enforcement, and began sending breach notifications to affected individuals. Security experts have emphasized the critical importance of timely notification for sensitive data breaches like this one. As of the disclosure date, no obvious misuse of the compromised data had been detected.
The incident has prompted discussions about potential class-action litigation, with news outlets reporting on brewing legal challenges by May 29, 2025. Although smaller than recent breaches like DISA’s 3.3 million affected individuals, this incident highlights persistent vulnerabilities in the data analytics sector and raises significant privacy concerns about companies that collect and monetize personal information for commercial purposes. Data breaches have become increasingly frequent across various sectors, with recent incidents including breaches at healthcare giant Yale Health and insurance firms.