Attack on LexisNexis Risk Solutions exposes data on 300k + – Source: go.theregister.com

LexisNexis Risk Solutions (LNRS) is the latest big-name organization to disclose a serious cyberattack leading to data theft, with the number of affected individuals pegged at 364,333.

A notification letter being dispatched to affected individuals says that an “unauthorized party” gained access to a third-party software development platform on December 25, 2024, and made off with LNRS data.

The company, which offers various products related to data analytics, Know Your Customer, and risk management insights, among others, detected the intrusion on April 1, but said there was no impact on its own networks or systems.

It told The Register in a statement:

It added that “No financial, credit card, or other sensitive personal information was accessed” and said it believes its own systems, infrastructure, and products were not “compromised.”

It said it was notifying the circa 360,000 people affected as well as “appropriate regulators. We have also reported this incident to law enforcement.”

The stolen data will be different for each affected individual, but in total it includes:

• Names
• Phone numbers
• Home addresses
• Email addresses
• Social Security numbers
• Driver’s license numbers
• Dates of birth

Its letter to individuals, a sample of which was uploaded to Maine’s Attorney General’s office, stated:

“Upon learning of the issue, we promptly launched an investigation with the assistance of leading external cybersecurity experts, notified law enforcement and took steps to review and further enhance our security controls. We also initiated an extensive review of the impacted data to identify personal information that may have been affected.

“We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing your account statements and monitoring your free credit reports.”

On that last point, it reminded affected parties that US citizens are entitled to one free credit report per year, and also offered 24 months’ worth of identity protection and credit monitoring through Experian – standard procedure in these kinds of cases.

The Register asked LNRS for additional details about the attack and how it unfolded, but it had not responded at the time of writing.

LNRS is the latest in a string of major organizations to fess up to data plunderings of late. 

• Cybercrime is ‘orders of magnitude’ larger than state-backed ops, says ex-White House advisor
• CISA mutes own website, shifts routine cyber alerts to Musk’s X, RSS, email
• M&S warns of £300M dent in profits from cyberattack
• UK must pay cyber pros more than its Prime Minister, top civil servant says

German sportswear giant Adidas offered up apologies this month, although it didn’t reveal how the attack occured, how many people it affected, or the exact data points involved.

Crypto colossus Coinbase also recently confirmed that around 70,000 people were affected by its attack, which was facilitated by offshore support workers bribed by cyber crooks.

And while it might not be a universally recognized brand, the attack on the UK’s Legal Aid Agency potentially affects millions of people who have sought legal assistance in criminal cases dating back to 2010. ®