Data breaches seem like a never-ending scourge with no easy fix, but the recent breach at background check service National Public Data shows just how dangerous and intractable they’ve become. After four months of uncertainty, things finally started to clear up on Monday, when National Public Data acknowledged the breach and reams of the stolen data were published online.
In April, USDoD, a hacker known for selling stolen information, began selling a trove of data on cybercrime forums for $3.5 million. The hacker said the data contained 2.9 billion records, affecting “the entire population of the United States, Canada, and the United Kingdom.” As the weeks passed, more and more samples of the data began to emerge as other actors and legitimate researchers worked to uncover its origins and verify the information. By early June, it became clear that at least some of the data was legitimate, containing various combinations of information such as names, emails, and addresses.
The data isn’t necessarily accurate, but it appears to include two sources: one that contains more than 100 million legitimate email addresses and other information, and another that contains social security numbers but no email addresses.
“It appears that there has been a data security incident that may have involved some of your personal information,” National Public Data wrote on Monday. “The incident is believed to have involved a third-party malicious actor attempting to hack into your data in late December 2023, potentially resulting in the exposure of certain data in April 2024 and summer 2024 … The information suspected to have been compromised included names, email addresses, phone numbers, Social Security numbers, and mailing addresses.”
The company said it is cooperating with “law enforcement and government investigators.” NPD faces a potential class-action lawsuit over the breach.
“We’ve become desensitized to the constant leaks of personal information, but I think there’s a serious risk,” said Jeremiah Fowler, a security researcher who has been tracking the situation for National Public Data. “It may not happen immediately, and it may take years for one of the many criminals to figure out how to use this information, but at the end of the day, a storm is coming.”
When information is stolen from a single source, for example, when Target customer data is stolen from Target, it is relatively easy to identify the source. However, when information is stolen from a data broker and that company does not publicly disclose the incident, it becomes much more complicated to determine if the information is legitimate and where it came from. Typically, the people whose data was compromised in a breach — the true victims — don’t even know that National Public Data had their information in the first place.
In a blog post on Wednesday about the contents and provenance of the mountain of leaked data, security researcher Troy Hunt wrote: “The only people who know the truth are the anonymous threat actors and data aggregators disseminating it. There are 134 million exposed email addresses, with no known origins or accountability.”