Article Details
Scrape Timestamp (UTC): 2025-05-28 18:41:02.874
Source: https://www.theregister.com/2025/05/28/attack_on_lexisnexis_risk_solutions/
Original Article Text
Attack on LexisNexis Risk Solutions exposes data on 300k+
Data analytics and risk management biz says software dev platform breached, not itself.
LexisNexis Risk Solutions (LNRS) is the latest big-name organization to disclose a serious cyberattack leading to data theft, with the number of affected individuals pegged at 364,333.
A notification letter being dispatched to affected individuals says that an "unauthorized party" gained access to a third-party software development platform on December 25, 2024, and made off with LNRS data.
The company, which offers various products related to data analytics, Know Your Customer, and risk management insights, among others, detected the intrusion on April 1, but said there was no impact on its own networks or systems.
It told The Register in a statement:
On Tuesday, April 1, 2025, LexisNexis Risk Solutions (LNRS) received a report from an unknown third party claiming to have accessed certain information belonging to LNRS. Our Information Security team, in consultation with a forensic firm, immediately began investigating and confirmed that some data which was held in GitHub... was acquired by an unknown third party. Specifically, we have determined that some software artifacts as well as some personal information was accessed.
It added that "No financial, credit card, or other sensitive personal information was accessed" and said it believes its own systems, infrastructure, and products were not "compromised."
It said it was notifying the circa 360,000 people affected as well as "appropriate regulators. We have also reported this incident to law enforcement."
The stolen data will be different for each affected individual, but in total it includes:
Its letter to individuals, a sample of which was uploaded to Maine's Attorney General's office, stated: "Upon learning of the issue, we promptly launched an investigation with the assistance of leading external cybersecurity experts, notified law enforcement and took steps to review and further enhance our security controls. We also initiated an extensive review of the impacted data to identify personal information that may have been affected.
"We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing your account statements and monitoring your free credit reports."
On that last point, it reminded affected parties that US citizens are entitled to one free credit report per year, and also offered 24 months' worth of identity protection and credit monitoring through Experian – standard procedure in these kinds of cases.
The Register asked LNRS for additional details about the attack and how it unfolded, but it had not responded at the time of writing.
LNRS is the latest in a string of major organizations to fess up to data plunderings of late. German sportswear giant Adidas offered up apologies this month, although it didn't reveal how the attack occurred, how many people it affected, or the exact data points involved.
Crypto colossus Coinbase also recently confirmed that around 70,000 people were affected by its attack, which was facilitated by offshore support workers bribed by cyber crooks.
And while it might not be a universally recognized brand, the attack on the UK's Legal Aid Agency potentially affects millions of people who have sought legal assistance in criminal cases dating back to 2010.
Daily Brief Summary
LexisNexis Risk Solutions experienced a cyberattack where data on 364,333 individuals was stolen via a third-party software development platform on December 25, 2024.
The intrusion was discovered on April 1, 2025; however, the company confirmed its own networks or systems were not directly impacted.
The breach involved unauthorized access to software artifacts and personal information; sensitive personal data like financial and credit card details remained secure.
LexisNexis has initiated notifications to approximately 360,000 affected individuals and communicated with regulators and law enforcement.
The company's response included an extensive investigation with cybersecurity experts, enhancements to security controls, and an in-depth review of affected data.
Affected parties are advised to monitor for fraud and offered 24 months of free credit monitoring and identity protection services by Experian.
LexisNexis's breach is among several recent high-profile data incidents, including those at Adidas and Coinbase.