In a newly disclosed cybersecurity incident, LexisNexis Risk Solutions, a major player in the data analytics and risk management industry, confirmed that personal information belonging to approximately 364,000 people was exposed in a data breach involving a third-party software development platform.
The company revealed the breach after receiving a report from an unidentified source on April 1, alerting them to unauthorised access of information stored on GitHub, a platform used by LNRS for software development.
In a statement to Recorded Future News, a LexisNexis spokesperson said the firm’s Information Security team, working alongside a forensic investigation firm, launched a probe immediately upon notification. The investigation confirmed that certain software components and personal data had been accessed.
“The exposed personal information includes names, contact details (such as phone numbers, mailing and email addresses), Social Security numbers, driver’s license numbers, and dates of birth,” the company said. It emphasised, however, that the breach was limited to data housed on GitHub and that its internal systems and client-facing products were not affected.
Regulatory documents filed in Maine, South Carolina, and Vermont reveal that the incident dates back to December 25, 2024, though the company only learned of it in April. The breach notification letters describe the data source as a “third-party platform used for software development,” without naming GitHub directly.
To date, no group or individual has claimed responsibility for the breach. LNRS said it has found no evidence of further misuse of the compromised data. Law enforcement agencies have been notified, and cybersecurity experts have been enlisted to assist in the ongoing investigation. Impacted individuals are being offered complimentary identity theft protection services for two years.
This breach adds to growing scrutiny of LNRS, which has faced legal and public criticism over its role as a data broker. The company has been involved in multiple lawsuits related to its data-sharing practices with U.S. Customs and Border Protection, automakers, and other entities. Concerns have also been raised about its collection of sensitive data related to individuals’ driving habits, reproductive health, and even children.
LexisNexis Risk Solutions is a division of Georgia-based LexisNexis and operates under the umbrella of RELX, a global information and analytics firm headquartered in the United Kingdom. RELX reported annual revenues exceeding $12 billion in 2024.
In a separate legal matter, more than 18,000 law enforcement personnel in New Jersey filed a class action lawsuit last year against LexisNexis Risk Data Management. The plaintiffs allege the company retaliated against them by freezing their credit and falsely labelling them as identity theft victims after they requested their data be kept private.
As investigations continue, the breach underscores the growing cybersecurity challenges faced by companies that handle vast troves of sensitive consumer data.
