LexisNexis says hackers accessed legacy data in contained breach

Data analytics giant LexisNexis confirmed that information leaked on a cybercriminal forum on Tuesday is legitimate and related to a recent security incident. 

The breach emerged this week when a threat actor claimed they stole 2 GB worth of information from the company that included millions of records, contact information that included .gov email addresses, account records for government agencies and law firms, passwords, IT incident tickets and more. 

A spokesperson for LexisNexis’ Legal & Professional division confirmed that a threat actor gained access to a “limited number of servers” that contained “mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets.”

“LexisNexis Legal & Professional has investigated a security matter and based on the investigation and testing we have done to date, we believe the matter is contained. We have no evidence of compromise of or impact to our products and services,” the spokesperson said. 

“We engaged a preeminent cybersecurity forensic firm to assist in our investigation and response and have reported this issue to law enforcement.”

They have informed impacted current and previous customers of the breach, the spokesperson added.

The company did not respond to further questions about whether a ransom was offered or when the intrusion was initially discovered. 

The spokesperson said the breached data did not include Social Security numbers, financial data or information on what customers searched.

The hackers claimed in the cybercriminal forum post that the breach was conducted last week. The incident was first reported by BleepingComputer.

LexisNexis is best known for its data and technology services, analytics and predictive insights and has offices across Asia and Europe. The Legal & Professional branch is a large service provider for law firms and governments around the world, with nearly 12,000 employees and customers in 150 countries. 

The company’s risk management services branch LexisNexis Risk Solutions suffered a massive data breach last year that involved the information of more than 360,000 people. That incident involved contact information, Social Security numbers, driver's license numbers and dates of birth.