

S6, E244 - They didn't hack in, they just logged in: The LexisNexis Security Incident
We explore the recent LexisNexis data breach, which exposed sensitive personal information of over 364,000 individuals after a third-party platform was used to access the company's GitHub account. The incident highlights critical weaknesses in how data brokers handle our most sensitive information and raises questions about regulatory oversight.
• Data exposed included names, dates of birth, phone numbers, Social Security numbers, and driver's license numbers
• The breach occurred when someone accessed the company's GitHub account through a third-party platform
• Attackers likely found hard-coded credentials that allowed them to move laterally through systems
• Data brokers operate with minimal regulation despite handling massive amounts of sensitive information
• Better governance policies and automated privacy operations could significantly reduce these risks
• Both technical solutions and regulatory approaches are needed to protect consumer data
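The "hard-coded credentials" point above is the one defenders can act on directly. Below is an added example, not from the episode or from any vendor mentioned, of a minimal pre-commit style scanner: it flags well-known key formats and entropy-checks generic `password = "..."` assignments so that placeholders are not reported. The rule set and the sample config are constructed for illustration; real tooling such as gitleaks or GitHub secret scanning ships far larger rule sets.

```python
import math
import re
from typing import List, Tuple

# Credential shapes to look for (constructed for this example; real scanners
# such as gitleaks or GitHub secret scanning ship far larger rule sets).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Catch-all for `password = "..."` style assignments; filtered by entropy below.
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

def shannon_entropy(value: str) -> float:
    """Bits per character: random secrets score high, words and placeholders low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((k / n) * math.log2(k / n) for k in (value.count(c) for c in set(value)))

def scan_text(text: str, min_entropy: float = 3.0) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) per line that looks like a hard-coded credential.
    The most specific rule wins per line; generic assignments are reported only when
    the value is random enough, which drops placeholders such as "changeme"."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            if name == "generic_assignment" and shannon_entropy(match.group(2)) < min_entropy:
                continue
            findings.append((lineno, name))
            break  # one finding per line is enough to block the commit
    return findings

# Constructed sample config (the AWS key is AWS's documented example; the PAT is fake).
SAMPLE_CONFIG = """\
DB_HOST = "db.internal"
DB_PASSWORD = "changeme"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
api_key = "q7Zp9xK2mV4nR8wL1sT6yB3dF5gH0jC"
-----BEGIN RSA PRIVATE KEY-----
"""
if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: possible {rule}")
```

Run as a git pre-commit hook over staged files, a non-empty result is the signal to block the commit; the placeholder on line 2 of the sample is correctly ignored while lines 3 to 6 are reported.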
- Breach Occurred: December 25, 2024.
- Discovery: April 1, 2025.
- Public Notification: May 27, 2025.
- Notice Letters Sent: May 24, 2025.
Shameless plug: Check out tools like Transcend's autonomous privacy operations to help prevent similar incidents and keep monitoring your privacy activities.