Company Details
lexisnexis
10,705
391,074
5415
lexisnexis.com
0
LEX_4725814
In-progress


LexisNexis Vendor Cyber Rating & Cyber Score
lexisnexis.com
LexisNexis is a leading innovator of private, secure, and authoritative Legal AI solutions that help legal and business professionals draft full documents with ease, make informed decisions faster, and deliver outstanding work and improved outcomes, all powered by trusted content. LexisNexis Legal & Professional serves customers in more than 150 countries with 11,800 employees worldwide, and is part of RELX, a global provider of information-based analytics and decision tools for professional and business customers.
Between 0 and 549


Description: FulcrumSec Claims Breach of LexisNexis, Exposing 2GB of Sensitive Legal Data

On March 3, 2026, the threat actor FulcrumSec publicly took responsibility for a breach of LexisNexis Legal & Professional, a division of RELX Group, alleging the theft of 2.04 GB of structured data from the company’s AWS cloud infrastructure. The attack, which began on February 24, exploited the React2Shell vulnerability in an unpatched React frontend application, a flaw reportedly left unaddressed for months.

FulcrumSec gained access via the compromised LawfirmsStoreECSTaskRole ECS task container, which had broad permissions, including read access to:
- Production Redshift data warehouse
- 17 VPC databases
- AWS Secrets Manager
- Qualtrics survey platform

The actor criticized LexisNexis’s security practices, highlighting that the RDS master password was set to "Lexis1234" and that a single task role had access to all AWS Secrets Manager entries, including production database credentials.

Exposed Data Includes:
- 3.9 million database records
- 400,000 cloud user profiles (names, emails, phone numbers, job functions)
- 21,042 enterprise customer accounts
- 45 employee password hashes
- 118 .gov email accounts (federal judges, DOJ attorneys, U.S. SEC staff, and court law clerks)
- 53 plaintext AWS Secrets Manager secrets
- Complete VPC infrastructure map

FulcrumSec clarified that this breach is unrelated to the December 2024 GitHub incident, where attackers stole Social Security numbers of 364,000 individuals via a third-party development platform. The repeated compromises raise concerns about systemic security gaps in one of the world’s largest legal data repositories.
Description: LexisNexis Confirms Data Breach After Hackers Exploit Unpatched React App

LexisNexis Legal & Professional, a global provider of legal, regulatory, and business analytics tools, has confirmed a data breach after hackers exploited an unpatched React frontend application to gain access to its AWS infrastructure. The incident, which occurred on February 24, was disclosed following a 2GB data leak by the threat actor FulcrumSec across underground forums.

The breach stemmed from the React2Shell vulnerability, allowing attackers to infiltrate LexisNexis’ cloud environment. While the company stated that the compromised data was "legacy and deprecated", dating mostly from before 2020, it included customer names, user IDs, business contact details, IP addresses from surveys, and support tickets. LexisNexis emphasized that no sensitive personal or financial data (such as Social Security numbers, credit card details, or active passwords) was exposed.

However, FulcrumSec claimed to have exfiltrated 3.9 million database records, including:
- 21,042 customer accounts
- 5,582 attorney survey responses
- 45 employee password hashes
- 53 AWS Secrets Manager secrets in plaintext
- 400,000 cloud user profiles (with names, emails, and job functions)
- 118 .gov email accounts linked to U.S. government employees, federal judges, DOJ attorneys, and SEC staff

The hackers also accessed 536 Redshift tables and 430+ VPC database tables, along with a complete mapping of LexisNexis’ VPC infrastructure. FulcrumSec criticized the company’s security practices, noting that a single ECS task role had excessive read access, including to the production Redshift master credential.

LexisNexis stated that the intrusion was contained and that no evidence suggested product or service disruption. The company has engaged law enforcement and external cybersecurity experts to investigate and has notified affected customers.

This incident follows a 2023 breach where hackers compromised a corporate account, exposing data on 364,000 customers.
Description: LexisNexis Breach Exposes Millions of Records Due to Unpatched React Vulnerability

A major data breach at LexisNexis, provider of legal and data analytics services to governments and corporations in over 150 countries, has exposed nearly 4 million records, including customer accounts, password hashes, and cloud infrastructure details. The attack, carried out by the hacker group FulcrumSec, exploited an unpatched React2Shell vulnerability in the company’s systems, despite a patch being available since 2025.

Hackers gained access to AWS containers containing sensitive data, leveraging insecure cloud configurations to exfiltrate over 2GB of stolen information, later dumped on dark web platforms. Exposed data included:
- 3.9 million database records
- 21,042 customer accounts
- 5,582 attorney survey responses
- 45 employee password hashes
- 53 AWS Secrets Manager secrets in plaintext
- Complete VPC infrastructure mapping

LexisNexis confirmed the breach but downplayed its impact, stating the compromised servers contained mostly legacy data pre-2020, such as customer names, business contact details, and support tickets. The company assured that no Social Security numbers, financial data, or active passwords were exposed. Affected customers have been notified, and law enforcement has been engaged, along with a third-party cybersecurity firm to investigate and mitigate the incident.

The breach underscores a persistent cybersecurity weakness: failure to apply critical patches. Despite the vulnerability being public for months, LexisNexis continued running an outdated React application, allowing attackers to exploit a known flaw. The incident highlights how even security-conscious organizations can fall victim to basic oversights, with potential ripple effects across government and legal sectors.
Description: LexisNexis Confirms Data Breach Affecting Legacy Customer Data

LexisNexis, the legal and business intelligence provider, has confirmed a data breach involving legacy servers containing customer information. The incident, disclosed on Tuesday, exposed names, business contact details, user identities, product usage records, IP addresses from customer surveys, and support ticket data, though no sensitive personally identifiable information (PII) such as Social Security numbers, financial details, or active passwords was accessed.

The company stated that the breach was contained following an investigation, with no evidence of compromise to its active products or services. LexisNexis engaged an unnamed cybersecurity forensic firm and notified law enforcement, as well as affected current and former customers. The compromised servers held deprecated data from before 2020.

Threat actor FulcrumSec claimed responsibility, alleging access to LexisNexis’ Amazon Web Services (AWS) infrastructure via an unpatched React2Shell vulnerability in a frontend application. The group posted 2GB of files in underground forums, asserting that the breach impacted records from law firms, insurance companies, government agencies, and universities. FulcrumSec also claimed to have contacted LexisNexis about the incident but received no cooperation.

This is not the first breach for LexisNexis. In December 2024, its Risk Solutions division suffered an incident affecting 364,000 individuals, discovered in 2025. FulcrumSec has also taken credit for a prior breach at electronics distributor Avnet, confirmed in October. The incident follows recent high-profile cyberattacks, including the exploitation of Fortinet FortiGate firewalls, a July 2025 ransomware attack on Ingram Micro, and critical vulnerabilities in Ivanti’s mobile management tools.
Description: LexisNexis Data Breach: Hackers Claim Far Greater Access Than Company Admits

Cybersecurity researchers have uncovered a data breach at LexisNexis, the U.S.-based analytics firm, with hackers alleging far more extensive access than the company has acknowledged. The threat actor group *FulcrumSec* leaked 2GB of stolen files on underground forums, claiming to have exploited an unpatched React frontend application using the open-source post-exploitation tool *React2Shell*.

According to the hackers, the breach exposed hundreds of Redshift and VPC database tables, plaintext AWS Secrets Manager credentials, employee password hashes, and millions of records. Among the compromised data were details of over 100 government users, including federal judges, U.S. Department of Justice attorneys, and SEC staff, as well as approximately 400,000 cloud user profiles containing names, email addresses, phone numbers, and job functions.

LexisNexis confirmed the incident but downplayed its severity, stating that the stolen data was "legacy" and "deprecated," dating back to before 2020. The company asserted that the breach did not involve Social Security numbers, financial details, active passwords, or sensitive legal or contractual information. A spokesperson noted that the exposed data included only outdated customer names, user IDs, business contact details, and support ticket records.

FulcrumSec claimed it attempted to negotiate with LexisNexis, likely for a ransom, but the company declined to engage. LexisNexis has since stated that the attack has been contained. The discrepancy between the hackers' claims and the company’s response raises questions about the true scope of the breach and its potential impact on affected users.


LexisNexis has 21.21% more incidents than the average of same-industry companies with at least one recorded incident.
LexisNexis has 69.49% more incidents than the average of all companies with at least one recorded incident.
LexisNexis reported 2 incidents this year: 0 cyber attacks, 0 ransomware, 0 vulnerabilities, 2 data breaches, compared to industry peers with at least 1 incident.
LexisNexis cyber incidents detection timeline including parent company and subsidiaries

LexisNexis® Risk Solutions' latest Cybercrime Report reveals key global fraud trends emerging over the past year. Derived from analysi...
Cybercriminals are scaling automation, deploying bots that convincingly mimic human behaviour and building fake identities from stolen data...
A data breach at data analytics company LexisNexis L&P has leaked the details of over 400000 cloud profiles after an attacker breached its...
Key insight: Threat group FulcrumSec claims to have exfiltrated 2.04 gigabytes of data from LexisNexis Legal & Professional in late February...
LexisNexis Risk Solutions, a data and analytics vendor, announced an expansion of its integration with Epic to offer additional identity...
On March 3, 2026, LexisNexis Legal & Professional confirmed a data breach following the public leak of approximately 2GB of company files by...
Global data analytics company LexisNexis Group has confirmed a cybersecurity incident affecting its Legal & Professional division,...
LexisNexis has confirmed a data breach after hackers leaked data allegedly stolen from its systems, but impact is limited.
Data analytics giant LexisNexis has confirmed its Legal & Professional division suffered a data breach days after the Fulcrumsec cybercrime...

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
The official website of LexisNexis is https://www.lexisnexis.com/en-us/about-us/about-us.page.
According to Rankiteo, LexisNexis’s AI-generated cybersecurity score is 512, reflecting their Critical security posture.
According to Rankiteo, LexisNexis currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
According to Rankiteo, LexisNexis has been affected by multiple supply chain cyber incidents. The affected supply chain sources and their corresponding incident IDs are:
According to Rankiteo, LexisNexis is not certified under SOC 2 Type 1.
According to Rankiteo, LexisNexis does not hold a SOC 2 Type 2 certification.
According to Rankiteo, LexisNexis is not listed as GDPR compliant.
According to Rankiteo, LexisNexis does not currently maintain PCI DSS compliance.
According to Rankiteo, LexisNexis is not compliant with HIPAA regulations.
According to Rankiteo, LexisNexis is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
LexisNexis operates primarily in the IT Services and IT Consulting industry.
LexisNexis employs approximately 10,705 people worldwide.
LexisNexis presently has no subsidiaries across any sectors.
LexisNexis’s official LinkedIn profile has approximately 391,074 followers.
LexisNexis is classified under the NAICS code 5415, which corresponds to Computer Systems Design and Related Services.
Yes, LexisNexis has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/lexisnexis.
Yes, LexisNexis maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/lexisnexis.
As of March 30, 2026, Rankiteo reports that LexisNexis has experienced 5 cybersecurity incidents.
LexisNexis has an estimated 39,840 peer or competitor companies worldwide.
Incident Types: The types of cybersecurity incidents that have occurred include Breach.
Detection and Response: Across the recorded incidents, the company's detection and response involved third-party assistance (external cybersecurity experts engaged; unnamed cybersecurity forensic firm; third-party cybersecurity firm engaged), law enforcement notification (yes), containment measures (intrusion contained; breach contained following investigation; attack contained, per company statement), and a communication strategy (notified affected customers; notified affected current and former customers; public statement downplaying severity).
Title: LexisNexis Data Breach After Hackers Exploit Unpatched React App
Description: LexisNexis Legal & Professional confirmed a data breach after hackers exploited an unpatched React frontend application to gain access to its AWS infrastructure. The breach resulted in a 2GB data leak by the threat actor FulcrumSec, including legacy and deprecated customer data.
Date Detected: 2024-02-24
Type: Data Breach
Attack Vector: Exploitation of unpatched React2Shell vulnerability in frontend application
Vulnerability Exploited: React2Shell vulnerability
Threat Actor: FulcrumSec

Title: FulcrumSec Claims Breach of LexisNexis, Exposing 2GB of Sensitive Legal Data
Description: On March 3, 2026, the threat actor FulcrumSec publicly took responsibility for a breach of LexisNexis Legal & Professional, a division of RELX Group, alleging the theft of 2.04 GB of structured data from the company’s AWS cloud infrastructure. The attack exploited the React2Shell vulnerability in an unpatched React frontend application, gaining access via the compromised LawfirmsStoreECSTaskRole ECS task container with broad permissions. Exposed data includes 3.9 million database records, 400,000 cloud user profiles, 21,042 enterprise customer accounts, 45 employee password hashes, 118 .gov email accounts, and 53 plaintext AWS Secrets Manager secrets.
Date Detected: 2026-02-24
Date Publicly Disclosed: 2026-03-03
Type: Data Breach
Attack Vector: Exploitation of unpatched vulnerability (React2Shell)
Vulnerability Exploited: React2Shell vulnerability in React frontend application
Threat Actor: FulcrumSec

Title: LexisNexis Data Breach Affecting Legacy Customer Data
Description: LexisNexis, the legal and business intelligence provider, confirmed a data breach involving legacy servers containing customer information. The incident exposed names, business contact details, user identities, product usage records, IP addresses from customer surveys, and support ticket data. No sensitive personally identifiable information (PII) such as Social Security numbers, financial details, or active passwords was accessed.
Date Publicly Disclosed: 2025-07-30
Type: Data Breach
Attack Vector: Unpatched React2Shell vulnerability in a frontend application
Vulnerability Exploited: React2Shell
Threat Actor: FulcrumSec

Title: LexisNexis Data Breach: Hackers Claim Far Greater Access Than Company Admits
Description: Cybersecurity researchers uncovered a data breach at LexisNexis, with hackers alleging far more extensive access than the company acknowledged. The threat actor group FulcrumSec leaked 2GB of stolen files, claiming to have exploited an unpatched React frontend application using the open-source post-exploitation tool React2Shell. The breach exposed hundreds of Redshift and VPC database tables, plaintext AWS Secrets Manager credentials, employee password hashes, and millions of records, including details of over 100 government users and approximately 400,000 cloud user profiles. LexisNexis confirmed the incident but downplayed its severity, stating the stolen data was 'legacy' and 'deprecated.'
Type: Data Breach
Attack Vector: Exploitation of unpatched React frontend application (React2Shell)
Vulnerability Exploited: Unpatched React frontend application
Threat Actor: FulcrumSec
Motivation: Likely financial (ransom negotiation attempted)

Title: LexisNexis Breach Exposes Millions of Records Due to Unpatched React Vulnerability
Description: A major data breach at LexisNexis, a provider of legal and data analytics services to governments and corporations in over 150 countries, has exposed nearly 4 million records, including customer accounts, password hashes, and cloud infrastructure details. The attack exploited an unpatched React2Shell vulnerability in the company’s systems, leading to the exfiltration of over 2GB of stolen information, later dumped on dark web platforms.
Type: Data Breach
Attack Vector: Unpatched Vulnerability (React2Shell)
Vulnerability Exploited: React2Shell
Threat Actor: FulcrumSec
Common Attack Types: The most common type of attack the company has faced is Breach.
Identification of Attack Vectors: The attack vectors identified in these incidents are: unpatched React frontend application, LawfirmsStoreECSTaskRole ECS task container, AWS infrastructure via unpatched React2Shell vulnerability, and unpatched React2Shell vulnerability.

Data Compromised: 2GB of data leaked, including customer names, user IDs, business contact details, IP addresses, survey responses, support tickets, employee password hashes, AWS Secrets Manager secrets, cloud user profiles, and government email accounts
Systems Affected: AWS infrastructure, ECS task roles, Redshift tables, VPC database tables
Downtime: No evidence of product or service disruption
Operational Impact: Contained intrusion, no service disruption reported
Identity Theft Risk: Potential risk due to exposed personal and business contact details
Payment Information Risk: No sensitive financial data exposed

Data Compromised: 2.04 GB of structured data
Systems Affected: AWS cloud infrastructure, Production Redshift data warehouse, 17 VPC databases, AWS Secrets Manager, Qualtrics survey platform
Brand Reputation Impact: Systemic security gaps concerns
Identity Theft Risk: High (exposure of PII, .gov email accounts, and password hashes)

Data Compromised: Names, business contact details, user identities, product usage records, IP addresses, support ticket data
Systems Affected: Legacy servers (deprecated data from before 2020)

Data Compromised: 2GB of stolen files, including database tables, AWS Secrets Manager credentials, employee password hashes, and millions of records
Systems Affected: Redshift databases, VPC databases, AWS Secrets Manager
Brand Reputation Impact: Potential reputational damage due to discrepancy in breach scope
Identity Theft Risk: High (exposure of names, email addresses, phone numbers, and job functions)

Data Compromised: 3.9 million database records, 21,042 customer accounts, 5,582 attorney survey responses, 45 employee password hashes, 53 AWS Secrets Manager secrets, VPC infrastructure mapping
Systems Affected: AWS containers, legacy servers
Brand Reputation Impact: Potential ripple effects across government and legal sectors
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are: customer names, user IDs, business contact details, IP addresses, survey responses, support tickets, employee password hashes, AWS Secrets Manager secrets, cloud user profiles, government email accounts; database records, cloud user profiles, enterprise customer accounts, employee password hashes, government email accounts, AWS Secrets Manager secrets, VPC infrastructure map; legacy customer data; database tables, AWS Secrets Manager credentials, employee password hashes, user profiles; customer accounts, password hashes, cloud infrastructure details, attorney survey responses, AWS Secrets Manager secrets.

Entity Name: LexisNexis Legal & Professional
Entity Type: Corporation
Industry: Legal, Regulatory, and Business Analytics
Location: Global
Customers Affected: 21,042 customer accounts, 118 .gov email accounts (U.S. government employees, federal judges, DOJ attorneys, SEC staff)

Entity Name: LexisNexis Legal & Professional (RELX Group)
Entity Type: Corporation
Industry: Legal Data & Analytics
Customers Affected: 21,042 enterprise customer accounts, 118 .gov email accounts (federal judges, DOJ attorneys, U.S. SEC staff, court law clerks)

Entity Name: LexisNexis
Entity Type: Corporation
Industry: Legal and Business Intelligence
Customers Affected: Current and former customers (law firms, insurance companies, government agencies, universities)

Entity Name: LexisNexis
Entity Type: Analytics Firm
Industry: Legal and Business Analytics
Location: U.S.
Customers Affected: Over 100 government users (federal judges, U.S. Department of Justice attorneys, SEC staff) and approximately 400,000 cloud user profiles

Entity Name: LexisNexis
Entity Type: Corporation
Industry: Legal and Data Analytics
Location: Global (150+ countries)
Customers Affected: 21,042 customer accounts

Third Party Assistance: External cybersecurity experts engaged
Law Enforcement Notified: Yes
Containment Measures: Intrusion contained
Communication Strategy: Notified affected customers

Third Party Assistance: Unnamed cybersecurity forensic firm
Law Enforcement Notified: Yes
Containment Measures: Breach contained following investigation
Communication Strategy: Notified affected current and former customers

Containment Measures: Attack contained (per company statement)
Communication Strategy: Public statement downplaying severity

Third Party Assistance: Third-party cybersecurity firm engaged
Law Enforcement Notified: Yes
Communication Strategy: Affected customers notified
Third-Party Assistance: The company involves third-party assistance in incident response through External cybersecurity experts engaged, Unnamed cybersecurity forensic firm, Third-party cybersecurity firm engaged.

Type of Data Compromised: Customer names, User IDs, Business contact details, IP addresses, Survey responses, Support tickets, Employee password hashes, AWS Secrets Manager secrets, Cloud user profiles, Government email accounts
Number of Records Exposed: 3.9 million database records
Sensitivity of Data: Legacy and deprecated data (mostly pre-2020), no sensitive personal or financial data exposed
Data Exfiltration: Yes, 2GB of data leaked
Personally Identifiable Information: Names, business contact details, IP addresses, government email accounts

Type of Data Compromised: Database records, Cloud user profiles, Enterprise customer accounts, Employee password hashes, Government email accounts, AWS Secrets Manager secrets, VPC infrastructure map
Number of Records Exposed: 3.9 million database records, 400,000 cloud user profiles
Sensitivity of Data: High (PII, .gov accounts, plaintext secrets, password hashes)
Data Exfiltration: 2.04 GB of data stolen
Personally Identifiable Information: Names, emails, phone numbers, job functions, .gov email accounts

Type of Data Compromised: Legacy customer data
Sensitivity of Data: Non-sensitive PII (no Social Security numbers, financial details, or active passwords)
Data Exfiltration: 2GB of files posted in underground forums
Personally Identifiable Information: Names, business contact details, user identities, IP addresses

Type of Data Compromised: Database tables, AWS Secrets Manager credentials, Employee password hashes, User profiles
Number of Records Exposed: Millions of records (including ~400,000 cloud user profiles)
Sensitivity of Data: High (government users, plaintext credentials, PII)
Data Exfiltration: 2GB of files leaked on underground forums
Personally Identifiable Information: Names, Email addresses, Phone numbers, Job functions

Type of Data Compromised: Customer accounts, Password hashes, Cloud infrastructure details, Attorney survey responses, AWS Secrets Manager secrets
Number of Records Exposed: 3.9 million
Sensitivity of Data: Legacy data (pre-2020), including customer names, business contact details, and support tickets. No Social Security numbers, financial data, or active passwords exposed.
Data Exfiltration: 2GB of stolen information dumped on dark web platforms
Personally Identifiable Information: Customer names, business contact details
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through the following measures: intrusion contained, breach contained following investigation, and attack contained (per company statement).

Data Exfiltration: Yes

Data Exfiltration: Yes

Ransom Paid: No (company declined to engage)
Data Exfiltration: Yes

Data Exfiltration: Yes

Lessons Learned: Failure to apply critical patches and persistent cybersecurity weaknesses due to outdated software.

Recommendations: Apply critical patches promptly, enhance cloud security configurations, and conduct regular vulnerability assessments.
Key Lessons Learned: The key lessons learned from past incidents are: failure to apply critical patches and persistent cybersecurity weaknesses due to outdated software.
Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: apply critical patches promptly, enhance cloud security configurations, and conduct regular vulnerability assessments.

Source: Cyber Incident Description

Source: Cyber Incident Description

Source: LexisNexis Public Disclosure

Source: FulcrumSec Claims

Source: Cybersecurity researchers / Underground forums
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the following sources: Cyber Incident Description, LexisNexis Public Disclosure, FulcrumSec Claims, and Cybersecurity researchers / Underground forums.

Investigation Status: Ongoing

Investigation Status: Contained

Investigation Status: Contained (per company statement)

Investigation Status: Ongoing
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Notified affected customers, Notified affected current and former customers, Public statement downplaying severity and Affected customers notified.

Customer Advisories: Affected customers notified

Customer Advisories: Notified affected current and former customers

Customer Advisories: Affected customers notified
Advisories Provided: The company provided the following advisories to stakeholders and customers following an incident: affected customers notified, and affected current and former customers notified.

Entry Point: Unpatched React frontend application
High Value Targets: AWS Secrets Manager secrets, Redshift tables, VPC infrastructure
Data Sold on Dark Web: AWS Secrets Manager secrets, Redshift tables, VPC infrastructure

Entry Point: LawfirmsStoreECSTaskRole ECS task container

Entry Point: AWS infrastructure via unpatched React2Shell vulnerability

Entry Point: Unpatched React frontend application
High Value Targets: Government Users, Cloud User Profiles
Data Sold on Dark Web: Government Users, Cloud User Profiles

Entry Point: Unpatched React2Shell vulnerability
High Value Targets: AWS containers, legacy servers
Data Sold on Dark Web: AWS containers, legacy servers

Root Causes: Unpatched React2Shell vulnerability, excessive read access in ECS task role

Root Causes: Unpatched React2Shell vulnerability, over-permissive ECS task role, weak RDS master password (Lexis1234), single task role with access to all AWS Secrets Manager entries

Root Causes: Unpatched React2Shell vulnerability in a frontend application

Root Causes: Unpatched vulnerability in React frontend application

Root Causes: Unpatched React2Shell vulnerability, insecure cloud configurations
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as External cybersecurity experts engaged, Unnamed cybersecurity forensic firm, Third-party cybersecurity firm engaged.
Ransom Payment History: The company has paid ransoms in the past.
Last Attacking Group: The attacking group in the last incident was FulcrumSec.
Most Recent Incident Detected: The most recent incident detected was on 2024-02-24.
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-07-30.
Most Significant Data Compromised: The most significant data compromised in an incident were 2GB of data leaked, including customer names, user IDs, business contact details, IP addresses, survey responses, support tickets, employee password hashes, AWS Secrets Manager secrets, cloud user profiles, and government email accounts, 2.04 GB of structured data, Names, business contact details, user identities, product usage records, IP addresses, support ticket data, 2GB of stolen files, including database tables, AWS Secrets Manager credentials, employee password hashes, and millions of records, 3.9 million database records, 21,042 customer accounts, 5,582 attorney survey responses, 45 employee password hashes, 53 AWS Secrets Manager secrets and VPC infrastructure mapping.
Most Significant System Affected: The most significant systems affected in an incident were AWS cloud infrastructure, Production Redshift data warehouse, 17 VPC databases, AWS Secrets Manager and Qualtrics survey platform; and Redshift databases, VPC databases and AWS Secrets Manager.
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was External cybersecurity experts engaged, Unnamed cybersecurity forensic firm, Third-party cybersecurity firm engaged.
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Intrusion contained, Breach contained following investigation and Attack contained (per company statement).
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were 2.04 GB of structured data, 3.9 million database records, 21,042 customer accounts, 5,582 attorney survey responses, 45 employee password hashes, 53 AWS Secrets Manager secrets, VPC infrastructure mapping, Names, business contact details, user identities, product usage records, IP addresses, support ticket data, 2GB of stolen files, including database tables, AWS Secrets Manager credentials, employee password hashes, and millions of records, 2GB of data leaked, including customer names, user IDs, business contact details, IP addresses, survey responses, support tickets, employee password hashes, AWS Secrets Manager secrets, cloud user profiles and government email accounts.
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 12.5M.
Highest Ransom Paid: The highest ransom paid in a ransomware incident was No (company declined to engage).
Most Significant Lesson Learned: The most significant lesson learned from past incidents was failure to apply critical patches and persistent cybersecurity weaknesses due to outdated software.
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was to apply critical patches promptly, enhance cloud security configurations, and conduct regular vulnerability assessments.
Most Recent Source: The most recent sources of information about an incident are FulcrumSec Claims, LexisNexis Public Disclosure, Cyber Incident Description and Cybersecurity researchers / Underground forums.
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.
Most Recent Customer Advisory: The most recent customer advisories issued were: affected customers notified, and affected current and former customers notified.
Most Recent Entry Point: The most recent entry points used by an initial access broker were an unpatched React frontend application, the unpatched React2Shell vulnerability, AWS infrastructure via the unpatched React2Shell vulnerability and the LawfirmsStoreECSTaskRole ECS task container.
Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: unpatched React2Shell vulnerability and excessive read access in ECS task role; unpatched React2Shell vulnerability, over-permissive ECS task role, weak RDS master password (Lexis1234) and single task role with access to all AWS Secrets Manager entries; unpatched React2Shell vulnerability in a frontend application; unpatched vulnerability in React frontend application; unpatched React2Shell vulnerability and insecure cloud configurations.
A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This affects the function setLanCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument lanIp leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst’s machine.
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.
A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.
