The Slow-Moving Nightmare of the National Data Breach

Data breaches are a seemingly endless plague with no easy answer, but the months-long breach of background check service National Public Data illustrates how dangerous and unmanageable they have become. And after four months of uncertainty, the situation is only now beginning to become clear, with National Public Data finally acknowledging the breach on Monday, just as much of the stolen data became public online.

In April, a hacker known as USDoD, who is known for selling stolen information, began selling a trove of data on cybercriminal forums for $3.5 million, which they said included 2.9 billion records and affected “the entire population of the US, CA, and the UK.” As the weeks went by, samples of the data began to surface as other actors and legitimate researchers worked to understand the source and validate the information. By early June, it was clear that at least some of the data was legitimate and contained information such as names, email addresses, and physical addresses in various combinations.

The data isn't always accurate, but it appears to comprise two troves of information: one with more than 100 million legitimate email addresses and other information, and a second with Social Security numbers but no email addresses.

“There appears to have been a data security incident that may have impacted some of your personal information,” National Public Data wrote Monday. “The incident is believed to have involved a malicious third party attempting to compromise data in late December 2023, with potential breaches of some data in April 2024 and the summer of 2024. … The information believed to have been breached included name, email address, phone number, social security number, and mailing address(es).”

The company says it has cooperated with “law enforcement and government investigators.” NPD is facing potential class action lawsuits over the breach.

“We’ve become desensitized to the endless leaks of personal data, but I would say there is a serious risk,” said security researcher Jeremiah Fowler, who is tracking the situation with National Public Data. “It may not be immediate, and it may take years before one of the many criminal actors figures out how to use this information, but the bottom line is that a storm is coming.”

When information is stolen from a single source, such as Target customer data stolen from Target, it’s relatively easy to determine that source. But when information is stolen from a data broker and the company doesn’t report the incident, it’s much more complicated to determine whether the information is legitimate and where it came from. Typically, the people whose data is compromised in a breach, the real victims, aren’t even aware that National Public Data had their information in the first place.

In a blog post Wednesday about the contents and origins of the National Public Data trove, security researcher Troy Hunt wrote, “The only parties who know the truth are the anonymous threat actors pushing the data around and the data aggregator. … We are left with 134 million email addresses in public circulation and no clear origin or accountability.”