LexisNexis Confirms Major Hack Via GitHub Account


LexisNexis Risk Solutions, one of the largest data brokers in the U.S., has confirmed a major data breach that compromised the personal information of more than 364,000 individuals. The breach, disclosed in a filing with the Maine attorney general, occurred on December 25, 2024, but was only publicly acknowledged after the company received an alert from an unknown third party in April 2025.

GitHub Breach Leads to Leak of Highly Sensitive Consumer Data

According to LexisNexis spokesperson Jennifer Richman, the unauthorized access occurred through the company’s account on GitHub, a platform commonly used for software development. The hacker gained entry to a third-party platform integrated with the company’s systems, leading to the exposure of highly sensitive data.

The compromised information includes full names, dates of birth, phone numbers, mailing and email addresses, Social Security numbers, and driver’s license numbers. LexisNexis has not confirmed whether a ransom was demanded or what security vulnerabilities were exploited in the breach.

This breach underscores a broader industry concern: data brokers like LexisNexis aggregate and monetize vast amounts of consumer data, often with minimal transparency. Their datasets are sold to companies for risk analysis, fraud detection, and customer background checks.

Controversial Practices and Weak Regulatory Oversight Raise Alarm

LexisNexis has faced increasing scrutiny over how it obtains and shares personal information. A 2023 investigation by The New York Times revealed that several car manufacturers shared vehicle driving data — such as mileage and behavior — with LexisNexis, which then resold that data to insurance companies. Many car owners were unaware this data was being collected, let alone shared.

Government agencies also rely on LexisNexis to access personal details on individuals under investigation. This includes names, addresses, and phone records — raising further questions about oversight and data privacy.

Meanwhile, regulatory safeguards around data brokers remain limited. Earlier this month, the Trump administration reversed a proposed Biden-era rule that would have required data brokers to follow federal privacy laws similar to those imposed on credit bureaus. The rule aimed to limit the sale of Social Security numbers and other sensitive financial data.

But in a Federal Register notice, White House official Russell Vought stated the rule was “not necessary or appropriate,” dealing a blow to privacy advocates who have long argued for closing legal loopholes that allow unchecked data collection and resale.

As LexisNexis notifies affected individuals and investigates the full scope of the breach, the incident is reigniting calls for stricter data privacy protections in an era when even backend developer tools like GitHub can become vectors for mass data exposure.
