LexisNexis confirms data breach at Legal & Professional division
#Security

Regulation Reporter

LexisNexis confirms data breach at Legal & Professional division, with criminals claiming 2GB haul from AWS instance via React2Shell exploit.

Data analytics giant LexisNexis has confirmed that its Legal & Professional division suffered a data breach, following claims from the Fulcrumsec cybercrime group that they had accessed and exfiltrated sensitive customer information.

According to a spokesperson for LexisNexis, the breach has been contained and the company has engaged a third-party digital forensics firm to manage the investigation and remediation. The company stated that only "a limited number of servers" were accessed, and the data stored on them was "mostly legacy, deprecated data from prior to 2020."

The compromised data reportedly included customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets. However, LexisNexis emphasized that the breach did not involve Social Security numbers, driver's license numbers, financial information, active passwords, customer search queries, client or matter information, or customer contracts.

Despite the company's assurances, the Fulcrumsec cybercrime group has made more extensive claims about the breach. According to their listing, they exfiltrated approximately 2GB of data from a LexisNexis AWS instance by exploiting a vulnerable React container, specifically an unpatched React2Shell vulnerability.

The criminals claim their haul includes 400,000 cloud user profiles containing personally identifiable information such as names, emails, and phone numbers. They also allege that among the affected accounts were more than 118 belonging to US government staff, including federal judges, Department of Justice attorneys, SEC staff, and court clerks.

Fulcrumsec's claims extend beyond basic user profiles. The group alleges they accessed 17 VPC databases and more than 430 VPC database tables, 536 Redshift tables, 3.9 million database records, and 53 secrets from AWS Secrets Manager. They claim to have leaked more than 21,000 customer account records belonging to government agencies, insurance companies, law firms, and universities.

Perhaps most concerning from a business intelligence perspective, the criminals assert they obtained more than 300,000 customer contract records, revealing which products individual organizations pay for, associated renewal dates, and pricing tiers. "This is the complete commercial relationship database," Fulcrumsec wrote. "If you wanted to know exactly what Gibson Dunn pays for Lexis Advance, or what the SEC subscribes to, or which Newsdesk package the Ellen MacArthur Foundation uses – it is all here."

LexisNexis has informed impacted current and previous customers about the breach and continues to investigate the incident. The company maintains that neither its products nor services were ever compromised, despite the claims made by the cybercriminals.

As with all such claims from criminal groups, these assertions should be treated with caution until independently verified. The incident highlights the ongoing challenges faced by major data analytics and legal research firms in protecting sensitive customer information from increasingly sophisticated cyber threats.

The breach comes amid a broader trend of high-profile cyberattacks targeting organizations that handle sensitive data, with criminals increasingly focusing on exploiting vulnerabilities in cloud infrastructure and containerized applications.
