The data analytics firm LexisNexis Risk Solutions says it suffered a breach that could have exposed the names, Social Security numbers, contact information, and driver’s license numbers of over 364,000 people, as reported earlier by TechCrunch. In a notice filed with the state of Maine, LexisNexis says “an unauthorized third party” accessed its data through a third-party software development platform.
The breach occurred on December 25th, but Lexis Nexis only discovered it on April 1st, 2025, and is just starting to notify people. The company says it “promptly launched an investigation” and “notified law enforcement” once it discovered the breach, adding that the types of information exposed “varied by affected individual.”
LexisNexis spokesperson Jennifer Richman told TechCrunch that an attacker obtained the data through the firm’s GitHub account. Neither LexisNexis nor GitHub immediately responded to The Verge’s request for comment.
LexisNexis is one of the biggest data brokers in the US, as it works to collect and sell vast amounts of personal information for fraud and risk assessment. Last year, LexisNexis was named in a report from The New York Times, which found that automakers had been sharing driving data with the firm that the firm then sold to insurance companies, leading to higher premiums for the drivers. Other than serving as a data broker, LexisNexis also offers access to a database of news articles, public records, and legal documents.
“The LexisNexis breach is yet another example of why we need to rein in the reckless business model of data brokers that traffic in our most sensitive information for profit,” Caroline Kraczon, a law fellow at the Electronic Privacy Information Center, said in a statement to The Verge. “Thanks to LexisNexis, hundreds of thousands of individuals’ personal data is now up for grabs by bad actors. That data may be used by foreign adversaries in ways that threaten national security, by fraudsters to target victims for scams, or by abusers to locate and harm survivors of domestic violence.”
Though the Consumer Financial Protection Bureau had been working to crack down on data brokers under the Biden administration, those efforts have come to a halt. In February, the Trump-appointed Treasury Secretary Scott Bessent ordered the Consumer Financial Protection Bureau (CFPB) to “stop all rulemaking,” pausing a proposal that would’ve prevented data brokers from selling social security numbers and sensitive financial information. The CFPB officially withdrew the rule earlier this month.
Last year, the House also passed a bill that would block data brokers from selling Americans’ personal information to foreign adversaries, but there hasn’t been much movement since.
Update, May 28th: Added a statement from EPIC.