LexisNexis Risk Solutions (LNRS) has suffered a data breach affecting 364,333 people, whose personal information has been stolen by “an unauthorised third party” that accessed the data through a third-party software platform. TechCrunch reports that a hacker accessed the company’s GitHub account.
LNRS collects data to help businesses and government entities identify risks and fraud.
The breach came to light when LNRS formally notified the Maine Attorney General that data had been stolen due to an external system hack. A sample letter from the company informs those affected that “on 1 April 2025, we learned that on 25 December 2024, an unauthorised third party acquired certain LNRS data from a third party platform used for software development. The issue did not affect LNRS’s own network or systems.”
The information affected could have included names, phone, numbers, addresses, email addresses, social security number, driver’s license number or data of birth. No financial or credit information was affected.
LNRS has launched an investigation with the help of external cybersecurity experts, as well as notifying law enforcement. They have also initiated an extensive review of the impacted data to identify personal information that may have been affected.
We have reached out to LNRS and GitHub for comment.
A spokesperson for LNRS told Legal IT Insider: “On Tuesday, April 1, 2025, LexisNexis Risk Solutions (LNRS) received a report from an unknown third party claiming to have accessed certain information belonging to LNRS. Our Information Security team, in consultation with a forensic firm, immediately began investigating and confirmed that some data which was held in GitHub, a third-party platform used by LNRS for software development purposes was acquired by an unknown third party. Specifically, we have determined that some software artifacts as well as some personal information was accessed. The personal information involved was limited to name, contact information (such as phone number, postal or email address), Social Security number, driver’s license number or date of birth. No financial, credit card, or other sensitive personal information
was accessed. There was no compromise of our own systems, infrastructure, or products. We are notifying approximately 360,000 individuals and appropriate regulators. We have also reported this incident to law enforcement.”
However, GibHub said: “GitHub is aware of this. Based on the information available to GitHub, this was not a result of a vulnerability or compromise of GitHub.”