LexisNexis Risk Solutions (LNRS), a major provider of data analytics, risk assessment, and identity verification tools, has disclosed a serious cyberattack that resulted in the theft of personal information belonging to 364,333 individuals. The data was accessed via a third-party software development platform—specifically GitHub—on December 25, 2024, and the breach was only detected on April 1, 2025, after LNRS received a tip from an unknown third party.
According to LNRS, the breach did not affect the company’s internal systems, infrastructure, or core products, but it did result in the unauthorized access of software artifacts and sensitive personal information stored on GitHub. The company is working with law enforcement, cybersecurity experts, and regulators to assess the damage and ensure no further vulnerabilities remain.
What Data Was Compromised?
Though LNRS has stated that no financial or credit card data was accessed, the personally identifiable information (PII) exposed in the breach is significant and varies across affected individuals. The stolen data includes:
- Full names
- Phone numbers
- Home and email addresses
- Social Security numbers (SSNs)
- Driver’s license numbers
- Dates of birth
A sample of the notification letter sent to affected individuals—published by the Maine Attorney General’s office—confirms the depth and sensitivity of the breach. LNRS noted that the breach was limited to data stored on the compromised GitHub repository and did not impact live systems or services.
To mitigate the risk, LNRS is offering 24 months of complimentary credit monitoring and identity theft protection through Experian, and is advising users to remain vigilant, monitor financial accounts, and regularly check their credit reports.
Rising Tide of High-Profile Cyber Breaches
LexisNexis joins a growing list of prominent organizations recently targeted by cybercriminals. From Adidas and Coinbase to the UK Legal Aid Agency, the string of disclosures suggests that data breaches are becoming more frequent, severe, and sophisticated. In many cases, attackers exploit supply chain vulnerabilities, insider threats, or software development environments—as was the case here.
The Coinbase breach, for example, affected nearly 70,000 users and was facilitated through bribed offshore support staff. Meanwhile, attacks on public institutions like the UK’s Legal Aid Agency may have affected millions seeking legal help over the past decade. These events underline the escalating impact of cybercrime, which experts now say is “orders of magnitude larger” than state-backed espionage operations.
LNRS’s response—prompt notification, coordinated forensic investigation, and public transparency—has been praised by some analysts. However, the breach has reignited discussions about the growing vulnerability of third-party platforms like GitHub in enterprise environments. Experts argue that organizations must adopt zero-trust architecture, regular code audits, and stricter access controls to prevent such breaches.
The LexisNexis breach is yet another reminder that data security in the digital age requires constant vigilance, not just within company firewalls but across all connected systems and development tools. As cybercriminals continue to evolve their tactics, businesses handling sensitive information must proactively secure every layer of their operations, including third-party integrations.
The coming weeks will be critical as regulators, cybersecurity teams, and affected users assess the long-term impact of the breach. For now, LNRS is offering support to those affected and pledging to reinforce its digital defenses to prevent further incidents.