LexisNexis confirms server access after FulcrumSec posts 2.04 GB dump

LexisNexis Legal & Professional confirmed on March 3, 2026 that an unauthorized party accessed a "limited number of servers" in its environment after a threat actor calling itself FulcrumSec posted a 2.04 GB data dump on underground forums and messaging channels. The company statement tied the server access to the FulcrumSec posting but did not provide further detail about the contents of the dump or any demands from the group.

That disclosure arrives alongside a separate breach disclosed by LexisNexis Risk Solutions that dates to late 2024 and affected hundreds of thousands of people. LexisNexis Risk Solutions said it learned on April 1, 2025 that data taken from a third-party software development platform had been acquired by an unauthorized party. In regulators filings, outside counsel cited a May 14, 2025 formal discovery date; notification letters to affected people began being sent on May 24, 2025.

Company statements describe the two incidents as distinct. On the Risk Solutions breach, LexisNexis Risk Solutions said, "On Tuesday, April 1, 2025, LexisNexis Risk Solutions (LNRS) received a report from an unknown third party claiming to have accessed certain information belonging to LNRS. Our Information Security team, in consultation with a forensic firm, immediately began investigating and confirmed that some data which was held in GitHub, a third-party platform used by LNRS for software development purposes was acquired by an unknown third party. Specifically, we have determined that some software artifacts as well as some personal information was accessed. The personal information involved was limited to name, contact information (such as phone number, postal or email address), Social Security number, driver’s license number or date of birth."

LexisNexis Risk Solutions has said the December 25, 2024 acquisition of data from GitHub exposed personal information for approximately 364,000 people, and emphasized that its own networks, infrastructure and client-facing products were not compromised. A company notice put the timeline succinctly: "On April 1, 2025, we learned that on December 25, 2024, an unauthorized third party acquired certain LNRS data from a third party platform used for software development. The issue did not affect LNRS's own networks or systems." The firm has offered two years of free identity protection and credit monitoring to affected individuals and warned them to monitor account statements and credit reports.

The incidents underscore two related risks for firms that house or process large volumes of personal data: exposure through third-party development platforms and exposure via direct intrusion into servers. LexisNexis Risk Solutions, which provides risk analytics and identity verification services to enterprises worldwide, holds large and sensitive data sets. Its parent, the RELX group, reported annual revenues exceeding $12 billion in 2024 and serves customers across more than 180 countries.

Regulatory and legal attention is likely to follow. LexisNexis Risk Solutions has filed notifications with state authorities and outside counsel has recorded formal discovery dates in regulatory filings. The company has not confirmed whether any ransom demand was made in connection with the GitHub incident. For the March 2026 server access, LexisNexis Legal & Professional has not disclosed the specific servers or data types involved, whether it has engaged a forensic firm, or whether notifications will be issued to clients or individuals.

Key unanswered questions include whether the two incidents are connected, what precise records are contained in the 2.04 GB FulcrumSec dump, and whether stolen data has been abused. Journalists and regulators will be pressing LexisNexis, its divisions and parent company for full disclosure of timelines, affected datasets and remediation steps as the company continues its investigations.