The Slow-Burning Nightmare of the National Public Data Breach

Data breaches are a seemingly never-ending scourge with no easy answers, but the breach that occurred in recent months at the background check service National Public Data illustrates just how dangerous and intractable they have become. And after four months of ambiguity, the situation is only now beginning to unfold, with National Public Data finally acknowledging the breach on Monday, just as much of the stolen data was publicly leaked online.

In April, a hacker called USDoD, who is known for selling stolen information, began selling a trove of data on cybercrime forums for $3.5 million. The data, he said, included 2.9 billion records and impacted “the entire population of the United States, California, and the United Kingdom.” Over the following weeks, samples of the data began to surface as other actors and legitimate researchers worked to understand their source and validate the information. By early June, it was clear that at least some of the data was legitimate, containing information such as names, emails, and physical addresses in various combinations.

The data isn’t always accurate, but it appears to contain two types of information. One includes more than 100 million legitimate email addresses and other information, and the other includes Social Security numbers but no email addresses.

“It appears that a data security incident may have involved some of your personal information,” National Public Data wrote Monday. “The incident is believed to have involved a malicious third party attempting to breach data in late December 2023, with potential breaches of some data in April 2024 and summer 2024… The information suspected to have been breached included name, email address, phone number, Social Security number, and mailing address(es).”

The company says it has cooperated with “law enforcement and government investigators.” NPD faces potential class action lawsuits in connection with the breach.

“We’ve become numb to the constant leaks of personal data, but I would say there’s a serious risk,” says Jeremiah Fowler, a security researcher who follows the situation with National Public Data. “The risk may not be immediate, and it may take years for one of the many criminal actors to figure out how to use this information, but the fact is that there’s a storm brewing.”

When information is stolen from a single source, such as Target’s customer data, it’s relatively easy to establish that source. But when information is stolen from a data broker and the company doesn’t report the incident, it’s much harder to determine whether the information is legitimate and where it came from. Typically, the people whose data is compromised in a breach (the real victims) don’t even know that National Public Data had their information in the first place.

In a blog post Wednesday about the contents and provenance of the National Public Data trove, security researcher Troy Hunt wrote: “The only parties who know the truth are the anonymous threat actors who are passing the data along and the data aggregator… We’re left with 134 million email addresses in public circulation and no clear origin or accountability.”
