SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
LexisNexis data breach exposes 364,000 personal records

Yesterday

LexisNexis, a prominent global data analytics and legal intelligence provider, has confirmed a data breach impacting more than 364,000 individuals, raising significant concerns over the security of personal information held by data brokers. The breach, reportedly executed through a third-party platform used for software development, exposed a wide array of sensitive data, including names, dates of birth, phone numbers, addresses, email and postal details, driver's license numbers, and Social Security information.

The exposure of such comprehensive personal data has triggered alarm among both customers and cybersecurity experts. LexisNexis serves a varied clientele, ranging from law enforcement agencies to automotive manufacturers, which means the implications of the breach extend across numerous industries and organisations. The breadth and depth of the data held by LexisNexis amplify the potential fallout from the incident.

Andrew Costis, Engineering Manager of the Adversary Research Team at AttackIQ, commented on the breach, highlighting its origins and wider impact: "Legal AI and data analytics company LexisNexis has disclosed a data breach that has affected at least 364,000 people. An unknown hacker accessed customer data through a third-party platform that LexisNexis utilises for software development. The stolen data includes names, dates of birth, phone numbers, postal and email addresses, driver's license numbers, and Social Security information. Given the range of LexisNexis' customer base, which spans law enforcement agencies to vehicle manufacturers, the scope of individuals and organisations impacted is substantial."

Costis further stressed the critical importance of security for data brokers: "Protecting the information of its customers is a necessity for any successful company. However, for data brokers like LexisNexis, who profit from collecting and selling huge amounts of personal and financial customer data, the need for airtight security measures is exponentially greater. One breach can often set off a chain reaction of mistrust from their client base, putting not just the company at risk, but their massive stockpile of customer data as well. A recent example of this effect can be seen in the recent 23andMe breach and subsequent bankruptcy."

He called for more proactive defence strategies: "To protect valuable customer data, organisations must prioritise proactive defense, with a strong focus on threat detection and response. By utilising techniques like adversarial exposure validation, organisations can test their system's response to identify and address any vulnerabilities before they can be exploited."

Steve Cobb, Chief Information Security Officer at SecurityScorecard, added analysis on the risks associated with third-party platforms: "The breach at LexisNexis Risk Solutions, involving unauthorised access via GitHub and the exposure of over 360,000 individuals' personal data, highlights a critical blind spot in third-party risk management."

He pointed out the ongoing challenges LexisNexis faces with its data broker role: "LexisNexis has already faced scrutiny over data sharing relationships and has faced multiple lawsuits for its role as a data broker that collects and sells sensitive information. The immense volume of sensitive data that the company holds makes the integrity of every access point, including software development platforms, non-negotiable."

Cobb emphasised the importance of treating third-party platforms with the same security rigour as core systems: "Third-party platforms are high-value assets used by organisations that demand the same level of security oversight as any core system. When enterprises treat them as afterthoughts, they open the door to cascading risk. In today's ecosystem, third-party risk isn't an external issue, but an internal vulnerability. The future of cyber defence hinges on operationalising visibility and integrating supply chain detection and response into the heart of security operations."

LexisNexis has historically faced scrutiny over its data collection practices and the sharing of sensitive information. This latest breach may reinvigorate debate around the accountability of data brokers and the regulatory frameworks designed to protect individuals' privacy. As the volume and value of digital information continue to rise, the incident serves as a stark reminder of the responsibility data custodians bear to maintain the highest standards of security across all facets of their operations, including those managed by third-party suppliers.