
LexisNexis confirms data breach at Legal & Professional arm, some customer records affected

Data analytics giant LexisNexis has confirmed its Legal & Professional division suffered a data breach days after the Fulcrumsec cybercrime crew claimed responsibility for the hack.

Following an investigation, LexisNexis told The Register the matter is now contained, and that neither its products nor its services were ever compromised, although the company was forced to bring in a third-party digital forensics crew to manage the cleanup.

A spokesperson said only "a limited number of servers" were accessed, and the data stored on them was "mostly legacy, deprecated data from prior to 2020."

This included customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets.

"The impacted information did not contain Social Security numbers, driver's license numbers, or any other sensitive personally identifiable information; credit card, bank accounts, or any other financial information; active passwords; or customer search queries, customer client or matter information, or customer contracts," the spokesperson added.

"We take our responsibility to safeguard customer information extremely seriously and have informed impacted current and previous customers of this matter. We are continuing to investigate and have implemented containment and remediation steps, in coordination with our expert cybersecurity forensic firm."

LexisNexis did not comment on the scale of the breach, although Fulcrumsec offered its take on this amid efforts to publicly shame the company.

Per the criminals' listing, which claims to contain a little more than 2 GB of company data, Fulcrumsec reckons it exfiltrated the files from a LexisNexis AWS instance by exploiting a vulnerable React container - specifically, an unpatched React2Shell vulnerability.

The listing claims the data dump includes 400,000 cloud user profiles, complete with personally identifiable information (PII) points, including names, emails, and phone numbers. This is unverified. It also claims more than 118 of those profiles appeared to belong to US government staff, including federal judges, DoJ attorneys, SEC staff, and court clerks.

Among the other files are 17 VPC databases and more than 430 VPC database tables, 536 Redshift tables, 3.9 million database records, and 53 secrets swiped from AWS Secrets Manager, Fulcrumsec claims.

The cyber crew alleges it leaked more than 21,000 customer account records belonging to government agencies, insurance companies, law firms, and universities.

Further, it claims more than 300,000 records included in the dump pertain to customer contracts, revealing which products individual organizations pay for, the associated renewal dates, and pricing tiers.

"This is the complete commercial relationship database," Fulcrumsec wrote. "If you wanted to know exactly what Gibson Dunn pays for Lexis Advance, or what the SEC subscribes to, or which Newsdesk package the Ellen MacArthur Foundation uses – it is all here."

As always, criminals' assertions should be taken with a pinch of salt. ®

Source: The Register
