LexisNexis Faces Data Breach Exposing Sensitive Information of Over 364,000 Individuals

LexisNexis, one of the largest data brokers and a household name to law students, was recently hit hard by a data breach that exposed the sensitive information of more than 364,000 people. On Christmas Day in 2024, an unknown malicious actor gained access to the company’s GitHub account. The intruder abused a third-party platform that LexisNexis uses for rapid application development.

On April 1, 2025, LexisNexis was alerted to a potential privacy incident by an unknown third party. This party alleged that it obtained sensitive personal information during the breach, including Social Security numbers. Jennifer Richman, a company spokesperson for LexisNexis, confirmed the incident and added that LexisNexis is treating the matter seriously. LexisNexis should be commended for addressing this breach with amazing speed. The company filed a preliminary complaint with Maine’s attorney general, describing the scope of the data leak.

The breach raises deep and fundamental questions about the protection, collection, and use of consumer data. This is especially egregious given that LexisNexis’ data practices have previously drawn severe condemnation. In March 2024, The New York Times reported that LexisNexis provided data on vehicle driving habits to car makers, and that it did so without ever asking the permission of car owners up front. This practice has only exacerbated the company’s contentious track record of processing sensitive data.

The security implications of this breach are highlighted by recent commentary from Zack Whittaker, the security editor for TechCrunch. He pointed out that these breaches expose holes in large data brokerage companies and, in doing so, highlight the grave potential risks to individual privacy posed by these weaknesses. This unprecedented access to consumers’ personal data, including sensitive financial information, has been understandably alarming to consumers and to regulators as well.

The problem posed by data brokers has not escaped the attention of federal lawmakers. The Trump administration released a plan to protect privacy by limiting data brokers like LexisNexis. This proposal would stop them from continuing to peddle Americans’ nonpublic personal and financial information. The plan was never fully implemented, and consumers are just as exposed to continued breaches and data abuse today.

LexisNexis is taking immediate steps to mitigate the impact of this breach. The company’s attention now, as it should be, is on securing its systems and restoring consumer confidence. It has yet to provide concrete details on exactly how the hacker gained access to its GitHub account, and it hasn’t disclosed what actions it will take to ensure something like this doesn’t happen again.
