LexisNexis Data Breach Exposes Sensitive Information of Over 364,000 Individuals

LexisNexis Risk Solutions suffered a major data breach, exposing Social Security numbers and other personal data of more than 364,000 people after an attacker accessed its GitHub account.


LexisNexis Risk Solutions, a leading data analytics and brokerage firm, has disclosed a significant data breach that exposed the personal information of over 364,000 individuals. The breach, first reported by TechCrunch, involved the unauthorized access of names, Social Security numbers, contact details, and driver’s license numbers.

Details of the Breach

According to a notice filed with the state of Maine, LexisNexis revealed that an “unauthorized third party” accessed its data through a third-party software development platform. The incident occurred on December 25, 2024, but was only discovered by the company on April 1, 2025. LexisNexis has since begun notifying affected individuals.

Upon discovering the breach, the company states it “promptly launched an investigation” and notified law enforcement. The specific types of information exposed varied by individual, but the breach has raised serious concerns about the security of sensitive personal data.

How the Breach Happened

Jennifer Richman, a spokesperson for LexisNexis, confirmed to TechCrunch that the attacker gained access to the data via the company’s GitHub account. Neither LexisNexis nor GitHub has yet responded to further requests for comment.

LexisNexis and the Data Brokerage Industry

LexisNexis is one of the largest data brokers in the United States, collecting and selling vast amounts of personal information for purposes such as fraud detection and risk assessment. The company also provides access to databases containing news articles, public records, and legal documents.

Last year, The New York Times reported that automakers had shared driving data with LexisNexis, which was then sold to insurance companies, sometimes resulting in higher premiums for drivers.

Expert Reactions and Regulatory Concerns

Caroline Kraczon, a law fellow at the Electronic Privacy Information Center (EPIC), commented on the breach, stating, “The LexisNexis breach is yet another example of why we need to rein in the reckless business model of data brokers that traffic in our most sensitive information for profit. Thanks to LexisNexis, hundreds of thousands of individuals’ personal data is now up for grabs by bad actors.” She warned that such data could be exploited by foreign adversaries, fraudsters, or abusers.

Regulatory Response and Legislative Stalemate

Efforts to regulate data brokers have recently stalled. The Consumer Financial Protection Bureau (CFPB), under the Biden administration, had been working to restrict the sale of Social Security numbers and sensitive financial data. However, in February, Treasury Secretary Scott Bessent ordered the CFPB to halt all rulemaking, effectively pausing these proposals. The CFPB officially withdrew the rule earlier this month.

In addition, while the House passed a bill last year to prevent data brokers from selling Americans’ personal information to foreign adversaries, there has been little progress since.

Update, May 28: Added a statement from EPIC.
