LexisNexis Risk Solutions says 364,000 impacted by breach involving GitHub data

Information belonging to more than 360,000 people was leaked in a data breach affecting an arm of the analytics giant LexisNexis, the company said Wednesday. 

A spokesperson for the company told Recorded Future News that on April 1, officials at LexisNexis Risk Solutions (LNRS) received a report from “an unknown third party” saying they accessed information from the company. 

LNRS is a branch of LexisNexis that provides risk management services to business customers and is one of the largest data brokers in the U.S.

“Our Information Security team, in consultation with a forensic firm, immediately began investigating and confirmed that some data which was held in GitHub, a third-party platform used by LNRS for software development purposes was acquired by an unknown third party,” the spokesperson said. 

“Specifically, we have determined that some software artifacts as well as some personal information was accessed. The personal information involved was limited to name, contact information (such as phone number, postal or email address), Social Security number, driver’s license number or date of birth.”

The spokesperson added that their systems and products were never compromised. Regulatory filings said more than 364,000 people were affected. 

LNRS has faced significant backlash over the last three years for its data sharing relationship with U.S. Customs and Border Patrol and car companies. It has faced lawsuits in multiple states for its role as a data broker that collects and sells sensitive information on topics like driver behavior and reproductive health, as well as data belonging to children.

In breach notification letters filed in Maine, South Carolina and Vermont, the company said the breach occurred last Christmas and they were informed of it on April 1. The letters do not mention GitHub but say the data came from a “third-party platform used for software development.”

No hacker has come forward to claim the attack. In the notification letters, LNRS said there is “no evidence that your data has been further misused.”

Law enforcement was notified of the issue and an investigation was launched with cybersecurity experts. Victims are being provided two years of identity protection services. 

The Georgia-based company is best known for its data and technology services, analytics and predictive insights and has offices across Asia and Europe. It is a subsidiary of RELX, a British analytics company that reported more than $12 billion in revenue last year. 

More than 18,000 people associated with New Jersey law enforcement filed a class action lawsuit against LexisNexis Risk Data Management last year alleging that after they asked for their information to remain private, the data broker retaliated against them by freezing their credit and falsely reporting them as identity theft victims.