Another stark reminder of the dangers posed by digital identity systems has emerged, this time through a major breach at LexisNexis Risk Solutions, one of the largest data brokers in the world. The incident, which could impact more than 364,000 people, illustrates how vulnerable centralized identity data can be when housed within massive corporate data warehouses.
The breach itself occurred on December 25, 2024, but LexisNexis did not uncover the intrusion until April 1, 2025.
During that four-month gap, highly sensitive information may have been accessible to unauthorized actors. The data exposed includes names, Social Security numbers, contact details, and driver’s license numbers, exactly the kind of information that forms the backbone of digital identity systems and can be repurposed for surveillance, tracking, or fraud.
According to a disclosure filed with the state of Maine, the data was accessed through a third-party software development platform. A spokesperson for LexisNexis confirmed to TechCrunch that the attack involved the company's GitHub account. The company stated it launched an internal investigation after discovering the breach and notified law enforcement, though affected individuals are only now being notified.
LexisNexis plays a key role in the data economy, collecting and selling massive quantities of personal data under the pretext of risk assessment and fraud prevention. In addition to its core data brokerage business, it offers tools that provide access to legal documents, public records, and news content. The company’s reach extends into industries such as insurance and law enforcement, sectors that are increasingly reliant on data profiles to make automated decisions about individuals.
Last year, LexisNexis faced public backlash after The New York Times revealed that it had acquired driving data from car manufacturers and then sold it to insurers, resulting in higher premiums for drivers without their knowledge or consent.
While regulatory momentum had been building under the Biden administration to confront data broker practices, those efforts have hit a wall. Treasury Secretary Scott Bessent, a Trump appointee, ordered the Consumer Financial Protection Bureau in February to halt all rulemaking, shelving a proposed rule that would have prohibited the sale of Social Security numbers and other sensitive financial data. That proposal was officially withdrawn earlier this month.
Although the House passed legislation last year that would prevent data brokers from selling personal information to foreign adversaries, that bill has stalled. Meanwhile, breaches like the one at LexisNexis continue to expose the inherent risks of digital identity systems that rely on centralized, easily compromised repositories of personal data.