3.9 million records | March 4, 2026 | FulcrumSec

LexisNexis Legal & Professional

The legal industry's most trusted research platform exposed profiles of federal judges, DOJ attorneys, and SEC staff.

Data exposed: customer names, user IDs, business contact details, support tickets, federal judge profiles, DOJ attorney records, SEC staff profiles.

1. What happened?

On February 24, 2026, a threat actor known as FulcrumSec breached LexisNexis Legal & Professional's systems. The compromise was confirmed on March 4, 2026. The attackers accessed legacy database records dating back to before 2020, exposing 3.9 million records, including 21,042 customer accounts and 400,000 user profiles, among them federal judges, DOJ attorneys, and SEC staff.

2. What data was actually inside?

Customer names, user IDs, business contact details, and support tickets. The concerning part: profiles of federal judges, Department of Justice attorneys, and SEC staff members. These are people whose contact information and professional details are now in the hands of a threat actor.

The legacy database records predate 2020, meaning historical data that should have been purged was still sitting on accessible systems.

3. Who gets hurt and how?

Federal judges face targeted harassment and doxing. Their home addresses, personal contact details, and professional information can be used for intimidation—particularly concerning given the rise in threats against judicial officials. DOJ attorneys working sensitive cases face similar risks.

SEC staff profiles could be leveraged for social engineering attacks or to identify individuals involved in specific investigations. The data is a roadmap for anyone wanting to target the legal and regulatory establishment.

4. What did they think they were doing right?

LexisNexis is the gold standard for legal research. Law firms, courts, and government agencies trust them with sensitive information daily. They handle attorney-client privileged materials, case research, and legal analytics. Security is supposedly core to their business model.

They had legacy systems—databases from before 2020—that they presumably thought were either inactive or sufficiently protected. The records were old, after all.

5. What did they not know about their own data?

LexisNexis didn't know—or didn't act on knowing—that legacy databases from before 2020 still contained 3.9 million records of sensitive customer data. They didn't know those systems were still accessible. They didn't know that profiles of federal judges and DOJ attorneys were sitting in databases that should have been decommissioned years ago.

Legacy systems accumulate data like sediment. Without regular scanning and classification, that sediment becomes a liability.

6. What does attribution look like the morning after?

LexisNexis had to notify 21,042 customer accounts and determine which of the 400,000 user profiles required individual notification. For federal judges and DOJ staff, this means coordinating with federal agencies, security details, and potentially law enforcement.

The reputational damage is acute: LexisNexis sells data security and information management services. They just demonstrated they couldn't secure their own legacy data.

7. What would have changed the outcome?

Knowing what lives in legacy systems before attackers find it.

If LexisNexis had scanned those pre-2020 databases, they would have known that federal judge profiles, DOJ attorney records, and SEC staff data were still sitting there. They could have purged it, isolated it, or protected it differently. Instead, they learned what was in those systems from FulcrumSec.

Don't Learn What You Have From an Attacker

LexisNexis didn't know what sensitive data lived in legacy systems until FulcrumSec showed them. Risk Finder shows you first.
