LexisNexis Breach Exposes 400,000 Cloud User Profiles as UK Data Hack Transparency Crisis Deepens
Tech Mar 6, 2026 · 7 min read

Legal data giant LexisNexis confirmed hackers exploited AWS cloud vulnerabilities to steal 2GB of files including 400,000 user profiles and government employee data. The breach follows Transport for London's admission that 10 million people were affected by a 2024 hack — five times larger than previously disclosed — as UK companies face no legal requirement to reveal breach scale.

BBC, Rescana, NL Times

LexisNexis Legal Professional confirmed on March 3rd that hackers breached its AWS cloud infrastructure and exfiltrated approximately 2GB of company files, including around 400,000 cloud user profiles containing real names, emails, phone numbers, and job functions. Among those profiles: 118 users with .gov email addresses belonging to U.S. government employees, federal judges, Department of Justice attorneys, and SEC staff, according to The Register and BleepingComputer.

The breach was executed by the threat actor FulcrumSec, who exploited the React2Shell vulnerability — a known security flaw in unpatched React frontend applications — to gain initial access to LexisNexis's AWS environment. Once inside, the attacker leveraged an over-permissive ECS task role that provided read access to all AWS Secrets Manager secrets, including production Redshift master credentials and detailed VPC infrastructure mapping, Rescana reported.

FulcrumSec exfiltrated 536 Redshift tables, over 430 VPC database tables, 53 plaintext AWS Secrets Manager secrets, 3.9 million database records, 21,042 customer accounts, 5,582 attorney survey respondents, 45 employee password hashes, and a complete VPC infrastructure map. The compromised data primarily consisted of legacy, deprecated information from before 2020, including customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets.

LexisNexis emphasized that no sensitive personally identifiable information such as Social Security numbers, driver's license numbers, financial data, active passwords, or customer search queries were included in the breach. The company asserts the incident has been contained, with no evidence of compromise to its products or services. Law enforcement and external cybersecurity experts have been engaged for investigation and remediation.

The LexisNexis breach arrives as the BBC revealed that Transport for London's 2024 hack affected approximately 10 million people — making it one of the biggest hacks in British history. TfL only disclosed at the time that "some customers" had been affected, but has now confirmed the true scale after the BBC obtained a copy of the stolen database from someone in the hacking community.

The TfL database contains names, email addresses, home phone numbers, mobile phone numbers, and physical addresses of an estimated 10 million people. The cyber-attack, carried out by hackers from the so-called Scattered Spider crime group between late August and early September 2024, breached TfL's internal computer systems, disrupting online services and causing £39 million in damages.

TfL admitted it sent emails to 7,113,429 customers with an email address registered to their account to notify them of the incident. But those emails had a 58% open rate — suggesting millions of impacted people did not read the statutory notification or, like BBC correspondent Joe Tidy, did not have an active email registered and were not warned that criminals had their data.

The pattern of opacity extends beyond the UK. In the Netherlands, telecom provider Odido is currently experiencing the fourth consecutive day of data publication after refusing to pay ransom demands from hackers linked to ShinyHunters. According to NOS, the newly published dataset contains information on more than 6.5 million individuals and about 600,000 companies, including slightly more than 5 million unique identification documents such as driver's licenses and passports.

The Odido breach involves personal data tied to millions of current and former customers. The published files contain dates of birth, phone numbers, email addresses, and for about 71,000 people, the email address of a court-appointed administrator or another caregiver. The hackers broke into Odido's systems in early February, initially demanding about 1 million euros in ransom, later reduced to 500,000 euros. Odido publicly refused to pay, saying it would "not allow itself to be blackmailed," citing advice from police and cybersecurity firms.

The contrast in transparency is stark. While Odido has been explicit about the 6.2 million accounts affected, UK companies falling victim to cyber-attacks are not legally required to publicly disclose the total number affected by breaches. Last year the Co-op admitted — when asked during a live TV interview on the BBC — that 6.5 million people were affected by its breach. Neither Marks and Spencer nor Harrods has put a number on breaches occurring around the same time.

"After a breach it's essential that individuals are informed exactly what has happened to their data and what the potential risk might be to their privacy," says data protection consultant Carl Gottlieb. He adds that knowing the scale of the breach is important as "large datasets can be more valuable to attackers and more likely to be used in future fraud attempts."

Security researcher Kevin Beaumont said informing the public of the scale of a breach was "the most basic requirement for transparency," adding that UK regulation or the law should change to help victims of data theft. TfL was cleared by the UK's data watchdog, the Information Commissioner's Office (ICO), of any wrongdoing for the breach and its handling of the aftermath. The regulator told the BBC it was informed of the full extent of the TfL breach but ruled in February 2025 no further action was needed.

The technical details of the LexisNexis breach underscore fundamental cloud security failures. FulcrumSec publicly criticized the company for poor cloud security practices, specifically the use of a single ECS task role with broad read access to secrets and production credentials. The group claimed to have contacted LexisNexis prior to the public leak, but stated that the company declined to engage with them.

The attack sequence aligns with several MITRE ATT&CK techniques: exploitation of a public-facing application (the React2Shell exploit), abuse of valid accounts (the ECS task role credentials), unsecured credentials (plaintext secrets readable from AWS Secrets Manager), data exfiltration from cloud storage, and exfiltration over command and control channels. No specific malware was identified — the attack was conducted using public exploits for React2Shell and standard AWS tools to access and exfiltrate data.

What's particularly galling about these breaches is their preventability. The React2Shell vulnerability exploited by FulcrumSec is a known security flaw in unpatched applications. The over-permissive cloud permissions that allowed wholesale data exfiltration represent basic configuration failures. These aren't sophisticated nation-state operations — they're opportunistic criminals exploiting negligence.

The risk to individuals remains low but being a victim of a data breach increases the likelihood of being targeted in scams and fraud attacks. Stolen databases are often traded or shared in hacker communities and forums. The person who shared the TfL database with the BBC says they are not aware of the data being used to carry out any secondary attacks yet — but "yet" is the operative word.

The regulatory environment is clearly failing to incentivize proper disclosure. When the ICO can examine the "full circumstances" of a 10 million person breach and conclude that "formal regulatory action was not proportionate," something is broken. Companies have no commercial incentive to be transparent about the scale of their failures, and regulators are declining to force the issue.

Meanwhile, in jurisdictions with clearer expectations, companies are responding differently. In Japan, beer maker Asahi explained exactly what data was stolen from around two million people during a ransomware attack. In South Korea, e-commerce giant Coupang told the public 33 million customers had been affected and even offered vouchers as compensation. These aren't acts of corporate altruism — they're responses to regulatory environments that demand accountability.

The LexisNexis breach, affecting legal professionals and government employees, carries particular reputational risk. The exposure of legacy data, even if not highly sensitive, poses regulatory and reputational challenges, especially when government and legal sector information is involved. For a company whose business is managing sensitive legal information, the optics of having 45 employee password hashes and complete VPC infrastructure maps stolen by hackers exploiting a known vulnerability are devastating.

As cloud infrastructure becomes the default architecture for enterprise data, the attack surface expands exponentially. The LexisNexis breach demonstrates how a single misconfigured ECS task role can provide the keys to the kingdom. Organizations must conduct comprehensive reviews of cloud infrastructure permissions, ensuring that service accounts follow the principle of least privilege. Critical patching of all public-facing applications, especially those using frameworks with known vulnerabilities, isn't optional — it's baseline hygiene.
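As an added illustration, not code from the article or from any company it names, the check below parses an IAM policy document and flags any Allow statement that lets a principal read every Secrets Manager secret in the account, the failure mode described above. Both policies are constructed examples; the region, account ID and secret ARN are placeholders.

```python
from fnmatch import fnmatch

# Constructed example policies (not LexisNexis's real configuration), modelled on
# the failure described above: a task role able to read every Secrets Manager secret.
OVERPERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:ListSecrets"],
        "Resource": "*",
    }],
}

# Constructed least-privilege version: only the secrets this one task needs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/web/db-ro-*",
    }],
}

def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_broad_resource(resource):
    """True for '*' or a Secrets Manager ARN whose secret name is only wildcards."""
    if resource == "*":
        return True
    parts = resource.split(":", 6)  # arn:partition:service:region:account:type:name
    return (parts[0] == "arn" and len(parts) >= 6
            and parts[2] in ("secretsmanager", "*")
            and parts[-1].strip("*") == "")

def find_broad_secret_access(policy):
    """Return (action, resource) pairs that let the principal read any secret."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may use wildcards ('secretsmanager:*', '*')
            if not fnmatch("secretsmanager:getsecretvalue", action.lower()):
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if _is_broad_resource(resource):
                    findings.append((action, resource))
    return findings
```

Run against a task role's attached and inline policies, an empty result means secret reads are scoped to named ARNs; any finding is the pattern to remediate before an application-layer bug turns into account-wide credential theft.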

The UK faces a choice: continue allowing companies to obscure the true impact of their security failures, or follow the lead of jurisdictions that demand transparency. Until the regulatory environment changes, expect more revelations like TfL's — where the public learns the real scale of breaches only when journalists obtain the stolen databases themselves. That's not a sustainable model for digital trust in an increasingly cloud-dependent economy.
