Hackers have nabbed LexisNexis data belonging to more than 360,000 people via GitHub.
LexisNexis Risk Solutions (LNRS) began sending data breach notifications to impacted individuals last week, but admitted it was told about the leak at the beginning of April — and that the actual breach had occurred in December of last year.
The data broker said that its own systems weren’t breached, explaining that the data was taken from GitHub by an “unknown threat actor” using a compromised company account, according to a company statement.
The company’s investigation revealed that “software artifacts” were accessed in the breach, as well as personal information.
According to a letter sent by LNRS to affected individuals, that included names, phone numbers, postal and email addresses, social security numbers, driver’s license numbers, and dates of birth.
“No financial or credit card information was affected,” the letter notes. “We have no evidence that your data has been further misused.”
A government filing shows that 364,333 people were affected by the break.
LNRS said in the data breach notice sent to customers that it was working with law enforcement on the incident.
In a statement given to ITPro, the company said: “On Tuesday, April 1, 2025, LexisNexis Risk Solutions (LNRS) received a report from an unknown third party claiming to have accessed certain information belonging to LNRS.
“Our Information Security team, in consultation with a forensic firm, immediately began investigating and confirmed that some data which was held in GitHub, a third-party platform used by LNRS for software development purposes, was acquired by an unknown third party.”
The statement added: “There was no compromise of our own systems, infrastructure, or products. We are notifying approximately 360,000 individuals and appropriate regulators. We have also reported this incident to law enforcement.”
Questionable timeline?
One security expert criticised the delay between the incident happening, LNRS being informed, and the subsequent disclosure.
Ilya Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), said informing affected individuals in the wake of a breach should be of paramount importance to any organization.
“The timeline of the incident detection and disclosure is a bit surprising for a company offering legal and other comparatively sensitive services: the incident reportedly happened in December 2024, was detected in April 2025 after receiving information from the attackers, while disclosed only in May,” Kolochenko said.
“Given that a lot of personal data was reportedly compromised, the incident detection and response timeline is pretty far from being perfect, to put it mildly.”
That said, Kolochenko admitted that spotting such issues with partner platforms wasn’t easy.
“Incidents stemming from compromised third-party repositories, like GitHub, are not trivial to detect and may even remain totally undetected,” he said.
