Privacy Please

S6, E244: They didn't hack in, they just logged in: The LexisNexis Security Incident

Cameron Ivey


We explore the recent LexisNexis data breach that exposed sensitive personal information of over 364,000 individuals through a third-party platform with access to their GitHub account. This incident highlights critical weaknesses in how data brokers handle our most sensitive information and raises questions about regulatory oversight.

• Data exposed included names, date of birth, phone numbers, social security numbers, and driver's license numbers
• The breach occurred when someone accessed the company's GitHub account through a third-party platform
• Attackers likely found hard-coded credentials that allowed them to move laterally through systems 

• Data brokers operate with minimal regulation despite handling massive amounts of sensitive information
• Better governance policies and automated privacy operations could significantly reduce these risks
• Both technical solutions and regulatory approaches are needed to protect consumer data
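The hard-coded credential problem summarized above is one a defender can catch before code is pushed. The following is an added example written for this page, not code from the show, its guests, Transcend, GitHub or LexisNexis: a small pre-commit style scanner that checks file contents (or diff text) for well-known credential shapes, generic `password = "..."` assignments and long high-entropy string literals, and reports only a redacted form of each hit. The `# pragma: allowlist secret` marker, the pattern names, the entropy threshold and the sample input lines are all constructed assumptions for illustration.

```python
import math
import re
from dataclasses import dataclass

# Credential shapes that are publicly documented (assumption: this short list is
# enough for the demo; a real scanner would carry many more). AWS access key IDs
# start with AKIA plus 16 uppercase alphanumerics; GitHub tokens carry a
# ghp_/gho_/ghu_/ghs_/ghr_ prefix. The generic pattern catches assignments such
# as password = "...", api_key: '...' or token = "...". Inline flags sit first.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Constructed marker (assumption) that a reviewer puts on a line whose literal
# has been checked and is known not to be a live credential.
ALLOWLIST_MARKER = "pragma: allowlist secret"

# Long quoted literals made only of base64 / hex-like characters are entropy-checked.
LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # first 4 characters, rest masked; the raw value is never stored


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, English words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    probs = (c / len(s) for c in counts.values())
    return -sum(p * math.log2(p) for p in probs)


def redact(value: str) -> str:
    """Keep a short prefix so a developer can locate the literal without the log leaking it."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Scan text line by line; returns one Finding per distinct suspicious literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if ALLOWLIST_MARKER in line:
            continue  # explicitly reviewed exception
        seen = set()  # values already reported on this line
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)  # last group is the secret value
                if value in seen:
                    continue
                seen.add(value)
                findings.append(Finding(line_no, kind, redact(value)))
        # Catch credentials that match no known shape but look random.
        for m in LITERAL_RE.finditer(line):
            value = m.group(1)
            if value in seen:
                continue
            if shannon_entropy(value) > entropy_threshold:
                seen.add(value)
                findings.append(Finding(line_no, "high_entropy_string", redact(value)))
    return findings


# Constructed sample of staged content; every value is made up for this example.
SAMPLE_DIFF = """\
DB_HOST = "db.internal.example"
db_password = "hunter2hunter2"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
github_token = "ghp_constructedexampletokenvalue0000000000"
api_key = "sk-test-0000000000"   # pragma: allowlist secret
session_seed = "Zm9vYmFyYmF6cXV4cXV1eHF1dXg="
GREETING = "hello world, this is a plain string"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind} ({f.redacted})")
```

Wired into a pre-commit hook, a non-empty result blocks the commit; the same function can be run over the output of `git diff --cached` or over a whole checkout during a third-party access review. The layering the discussion calls for still applies: the scanner catches what reaches the repository, while narrow integration scopes limit what a compromised third-party platform could read even when a scan is missed.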

• Breach Occurred: December 25, 2024.
• Discovery: April 1, 2025.
• Public Notification: May 27, 2025.
• Notice Letters Sent: May 24, 2025.

Shameless plug: Check out tools like Transcend's autonomous privacy operations to help prevent similar incidents, and continue to monitor your privacy activities.



Speaker 1:

All righty then. Ladies and gentlemen, welcome back to another episode of Privacy Please. Cameron Ivey here with Gabe Gumbs. We're just hanging out, we're chatting; there's some things going on every day.

Speaker 2:

We're bopping and scatting. Yes, we are, bopping and scatting. By the way, have you seen Sinners yet? Negative? I have not. I've heard that I should, but... Absolutely, yeah, 100, yeah.

Speaker 1:

Go see it if you're a fan of music and history and just a good overall movie, and a little bit of horror thrown in there. I like sinners, they're my people. So good, so good. I mean, anyways, we don't have to dig into that, obviously. But, uh, if you ever get a chance, phenomenal movie there, a phenomenal movie. There's a lot of haters, but there's always haters. Don't at us, don't at us. Gabe, you doing all right, man? How are things?

Speaker 2:

Doing well. I'm doing well out here, surviving in a land of privacy and security, mostly security at the moment. But, you know, how are you doing over there in privacy land?

Speaker 1:

Privacy Land is good.

Speaker 2:

Privacy Land is good. We're living the dream, are you? Because I heard there was an incident recently.

Speaker 1:

One of the biggest data brokers. There definitely was. Let's talk about it. LexisNexis, you are up on the hot seat, the intersection of privacy and security.

Speaker 2:

So there was a security breach at a data broker, right? Like, you want to talk about the ultimate intersection of, like, bad things happening in privacy and bad things happening in security. Companies getting breached, naughty. Data broker getting breached, all the naughty. Oh yeah.

Speaker 1:

Let's break it down.

Speaker 2:

They got breached. As I understand it, someone accessed LexisNexis's GitHub account through a third-party platform. Now, what I find interesting about that as the source of the breach is, we have a saying amongst us hackers, ethical and otherwise: we don't usually hack in, if we're being honest, we usually just log in.

Speaker 1:

We usually just log in, because humans suck at managing secrets.

Speaker 2:

They just do. Humans are really bad at managing all kinds of secrets, and so that LexisNexis had their GitHub account accessed through a third-party platform is unfortunate and, for what it's worth, I do feel for the people at LexisNexis. Some really good folks over there doing some solid work. Mostly, I like the platform. I'm not a big fan of data brokers, though. I'm not a big fan of data brokers at all. Everyone knows how I feel about data brokers, so there's that. We're not going to harp on that too much, but there was a whole lot of data exposed. What did they expose? Names, dates of birth, phone numbers, email, social security numbers, driver's license numbers, right? Not just, like, email addresses and passwords, but, like, real sensitive data, socials, driver's licenses, the kind of stuff that can do a lot of actual harm, a lot of real harm.

Speaker 1:

Yeah, that's why I bet you someone here listening has had their information used for someone opening up an account or a new cell phone plan or something to that matter.

Speaker 2:

I don't know what the numbers are because I don't follow them, but I'd put good cash that it's a calculable percentage of our listeners that have come across.

Speaker 1:

Something, even if it was just minor. It had... what was it? Over 364,000 people were affected by this.

Speaker 2:

You could say, well, in a nation of 480 million people, Gabe, that's not a lot of people. Huh, you could say that, you could, but say that to 64,000 plus people, which you might be one of them.

Speaker 1:

Right, you might be, so you might want to go find out.

Speaker 2:

Yeah. So what does this mean? Why is this important? What does this mean for... and then for... The data brokers have some fabulous lobbies as well. It's been hard to raise this alarm, even amongst consumers. Honestly, I know they get it, I know they know it, but actively coming together and organizing is difficult, and those very same lobbies will equally put efforts towards ensuring that consumers don't come together on this, but it continues to raise that alarm about how data brokers handle sensitive data.

Speaker 2:

Having a third party be able to access the company's GitHub account is problematic enough. What we don't know is whether or not, for example, there was sensitive data sitting in the GitHub account, and that's how they then got the sensitive data, because that would be extra bad. Why do you have people's sensitive data sitting in GitHub? The truth is, they probably got to the company's GitHub account. The GitHub account probably had some secrets hard-coded inside of it. The secrets were then used to further move laterally inside of the account and then elevate privileges, et cetera, et cetera, et cetera, again logged in the whole way. They just logged their way right through to the 364,000 of these.

Speaker 1:

It's just like a house party going on, and then they just walked right through the front door.

Speaker 2:

Grab a red cup at the door, taps in the back.

Speaker 1:

Just went into all the bedrooms, yeah.

Speaker 2:

Put his feet up on.

Speaker 1:

Just made a sandwich, yeah, yeah, yeah. Whoa, whoa, nobody noticed.

Speaker 2:

Whoa, whoa, no good, no good, yeah. And this happened back in November of 2024, and so it's coming out now. Yep, you know, that's the other problem, that's the other problem.

Speaker 1:

That's a good... I'm not a numbers guy, but those are bad numbers. That's well over six months of time gap.

Speaker 2:

The leak, it's putting too much credit on the bad guys that got in and not enough onus on the good guys and their governance around how third parties have access to their GitHub accounts and what might be in GitHub that can then possibly let someone else move further down the attack path. There is not enough of that.

Speaker 1:

Gabe, do we have any more information on what the third-party tool was?

Speaker 2:

We don't know right now, but GitHub has tons of integrations, right? Right, tons of third-party integrations and, more importantly, you can simply just integrate with its API, right? Like, you know, it has a beautifully well-documented API that ungodly numbers of people use. I mean, GitHub themselves advertise they've got over a million people on the platform. I use the platform for various projects and so, yeah, no, we don't know what that third-party tool was, but I guess what I'm getting at is that less importance should even be placed on what that tool was. It was the API access granted to that tool that allowed this series of events to occur.

Speaker 1:

Is this a common hack in the way that they went in?

Speaker 2:

It's unfortunately a common breach vector. It's very much a common vector for breaches. At this point, the following is me guessing at things, but especially things like leaving credentials inside of code, hard-coding credentials in the scripts and code and other things, and then syncing those things with your Git repositories. There are lots of ways Git itself will search for secrets in your repositories and tell you things, and there are third-party tools that will help you search your Git repos for secrets, and, you know, if you're doing things properly, you should have your .gitignore files, even locally as a developer, set up to not commit secrets. That's not enough; like, you've got to layer that approach, do all those things.

Speaker 1:

Well, aside from that, I mean, what kind of measures should those using third-party tools... kind of, what are the basic things that should be, besides what you just named? Is there anything else?

Speaker 2:

First step is just governance: being very prescriptive in what access those third-party tools have. And then the flip side of that coin is interrogating the things that they have access to, to ensure that there are no secrets in there that the third party shouldn't have access to. See, part of the challenge is sometimes the secrets are in there intentionally so that the third party can, but that's not a good way to manage secrets. So what do you think this means?

Speaker 1:

I mean, I know that data brokers are... they seem to not have, they seem to have more leeway.

Speaker 2:

Be nice to see some stricter regulations put in place. In lieu of stricter regulations, I'll take bigger fines, or that, yeah. I'll take bigger fines, and I'm not a big regulation-fine guy, and I know I've gotten feedback from some of my listeners that they don't like it when I talk about things like that. Damn, they're listening to us talk, but they don't want to hear you talk.

Speaker 1:

That's right. They don't want to hear you talk.

Speaker 2:

They listen to me, that's right, they don't want to hear me talk. They want me to say what they want me to say. It's okay, though. The flip side of this, because, you know, we also talk a lot about technology: there is not a shortage of technology solutions to this problem also, to overlay our governance solutions, and there are robust automated privacy operations tools that can assist with, you know, identifying secrets and ensuring that they don't end up in places you don't want them.

Speaker 1:

Right. A lot of things that you can do, a lot of good tools out there that can automate and make things more efficient, and stop collecting data you don't need.

Speaker 2:

I mean when you're a data broker, there's no such thing, I guess.

Speaker 1:

Yeah, well, I mean, aside from them, we know what they're doing. But good lesson learned. Hopefully they get a big fine for this one, so it makes all the others kind of... LexisNexis is probably not going to.

Speaker 2:

I don't see them getting fined, quite frankly, and look, again, I'm not super interested in fining them. They can pay a fine, and I'd rather take that fine and have them invest it in better governance policies, better automated privacy operations. I'd rather see that happen.

Speaker 1:

I'd rather see the legislation.

Speaker 2:

Yeah, exactly.

Speaker 1:

If they're going to sell it legally, it doesn't matter. Well, that's the challenge.

Speaker 2:

If they're going to be legally allowed to sell it anyway, then this is where we should have some controls in place to at least enforce better behavior. You have private regulatory requirements like PCI, right? Payment Card Industry Association. They get together and they say, hey, if you want to be part of our little cartel here, there's some rules you have to follow. And so PCI calls explicitly for rules around how you protect cardholder data. That's a private initiative. Why can PCI not be replicated at the national level for something like a data broker? There's no reason. There's zero reasons.

Speaker 1:

That's a good point. There's no reason. Anything else that comes to mind about this situation, Gabe, when it comes to either privacy measures or even backup stuff? On the consumer side of things, you know, a healthy, friendly reminder to continue to monitor your privacy activities.

Speaker 2:

On the corporate side of things, I mean, I think I'll shamelessly plug it in there, but, you know, things like Transcend's autonomous privacy operations. I'm listing it because I know it. But those are the things that need to happen. And if you have to reactively wait until someone says, hey, you did the bad thing, to do that, you may be looking at this the wrong way. What do I get for shamelessly plugging that, by the way? Send me a t-shirt.

Speaker 1:

Can I get a t-shirt? I'll get you a t-shirt. All right, I'll take a t-shirt.

Speaker 2:

I'll take a t-shirt and a mug.

Speaker 1:

And a mug, all right.

Speaker 2:

No, but seriously, I think the reason why I do bring up technology in this is it is a problem that is difficult to solve with just humans. Yeah, and humans are busy trying to do the work that they're trying to do, right? Like, whoever committed that secret into that LexisNexis GitHub repo, I don't blame that person. Again, it's not their fault. There needs to be better governance surrounding that entire community of employees performing these activities to do those things. That's what needs to happen, and then there needs to be, again... I'd really prefer some freaking legislation around these data brokers. It's just a wild west for data brokers, man. It's crazy tough. It's way, way too wild west for data brokers, and every single citizen is harmed by it, and any citizen that thinks they're not harmed by it just doesn't realize they're being harmed.

Speaker 1:

This might be a hot take, Gabe, but I'm pretty sure that's what they want.

Speaker 2:

I think you might be right.

Speaker 1:

Why do you think that they have such free rein? Because there's so much power in money and personal information.

Speaker 2:

Yeah, sure.

Speaker 1:

Funny how that goes. Okay well, I don't think I have anything else on this topic.

Speaker 2:

Some links. Love to get some feedback. You should tag Heidi. Heidi loves a good data broker.

Speaker 1:

She does, she does. I'm sure she's already talked about it.

Speaker 2:

I'm sure she's already talked about it. I'm certain she's on this one hot.

Speaker 1:

Yeah, but anyways, thanks for always listening, guys, and if anything, send us your questions, your comments, anything. We'd love to hear back from you. It's just to make sure that we're talking about the right stuff, or if you have anyone.
