LexisNexis Risk Solutions, a data broker that collects and uses consumers’ personal data to help its paying corporate customers detect possible risk and fraud, has disclosed a data breach affecting more than 364,000 people. 

The company said in a filing with Maine’s attorney general that the breach, dating back to December 25, 2024, allowed a hacker to obtain consumers’ sensitive personal data from a third-party platform used by the company for software development. LexisNexis did not name the platform.

The stolen data varies, but includes names, dates of birth, phone numbers, postal and email addresses, Social Security numbers and driver’’s license numbers.

It’s not immediately clear what circumstances led to the breach. A spokesperson for LexisNexis did not return TechCrunch’s request for comment.

Data brokers like LexisNexis are part of a billion-dollar industry of companies that profit from collecting and selling access to large amounts of Americans’ personal and financial data. LexisNexis uses swathes of consumer information to help companies detect potentially fraudulent transactions, as well as to perform risk assessment and due diligence on would-be customers. 

Last year, The New York Times reported that car manufacturers were among several companies that shared data on vehicle driving habits with LexisNexis without car owners’ explicit permission. The data was then sold on to insurance companies, which used the mileage and driving data to determine the drivers’ insurance premiums.

Law enforcement agencies also use LexisNexis for obtaining personal information on suspects, such as names, home addresses, and call records. 

Earlier this month, the Trump administration scrapped a plan that would have restricted data brokers from selling Americans’ personal and financial information, including Social Security numbers. White House official Russell Vought wrote in a Federal Register notice that the Biden-era rule, which would have required data brokers to follow the same federal privacy rules as credit bureaus and renter-screening companies, was “not necessary or appropriate,” despite long-standing calls by privacy advocates to close the loophole.