LexisNexis Risk Solutions has reported a data breach that may have compromised the personal information, including names, Social Security numbers, contact details, and driver’s license numbers, of over 364,000 individuals, as previously noted by TechCrunch. In a report submitted to the state of Maine, LexisNexis indicated that “an unauthorized third party” accessed its data through a third-party software development platform.
The breach occurred on December 25th, but LexisNexis only became aware of it on April 1st, 2025, and has just begun notifying affected individuals. The company stated that it “promptly initiated an investigation” and “informed law enforcement” upon discovering the breach, adding that the specific information exposed “differed by individual.”
Jennifer Richman, a spokesperson for LexisNexis, informed TechCrunch that the data was accessed through the company’s GitHub account. As of now, neither LexisNexis nor GitHub has provided a comment to The Verge regarding the incident.
LexisNexis is one of the largest data brokers in the United States, collecting and selling extensive amounts of personal data for fraud and risk assessment purposes. Last year, a The New York Times report highlighted how automakers shared driving data with LexisNexis, which was then sold to insurance companies, potentially resulting in increased premiums for drivers. In addition to its role as a data broker, LexisNexis provides access to a database that includes news articles, public records, and legal documents.
“The LexisNexis breach is yet another instance that underscores the urgent need to regulate the reckless business practices of data brokers who profit from our most sensitive information,” stated Caroline Kraczon, a law fellow at the Electronic Privacy Information Center, in a statement to The Verge. “As a result of LexisNexis’s actions, personal data belonging to hundreds of thousands of individuals is now vulnerable to exploitation by malicious actors. This data could be leveraged by foreign adversaries posing risks to national security, used by fraudsters to target victims, or exploited by abusers to locate and harm survivors of domestic violence.”
Update, May 28th: Statement from EPIC added.
