Data breaches are a seemingly endless scourge with no simple solution, but last month’s breach of the background check service National Public Data illustrates just how dangerous and intractable they have become. And after four months of ambiguity, the situation is only now starting to become clearer, with National Public Data finally acknowledging the breach on Monday, just as a large amount of stolen data was publicly leaked online.
In April, a hacker known as USDoD, who is known for selling stolen information, began selling a large amount of data on cybercriminal forums for $3.5 million that he said included 2.9 billion records and affected “the entire population of the US, California, and the UK.” As the weeks went by, samples of the data began to appear as other legitimate actors and researchers worked to understand its source and validate the information. By early June, the data had been stolen. It is clear that at least some of the data was legitimate and contained information such as names, emails and physical addresses in various combinations.
The data is not always accurate, but appears to include two sources of information: one that includes more than 100 million legitimate email addresses along with other information and a second that includes Social Security numbers but no email addresses.
“It appears that a data security incident has occurred that may have affected some of your personal information,” National Public Data wrote on Monday. “The incident is believed to have involved a malicious third party attempting to hack data in late December 2023, with potential breaches of certain data in April 2024 and summer 2024… The information suspected to have been breached contained name, email address, phone number, Social Security number, and mailing address(es).”
The company says it has been cooperating with “law enforcement and government investigators.” NPD is up against possible class action lawsuits over the breach.
“We’ve become desensitized to the incessant leaks of personal data, but I would say there is a serious risk,” says security researcher Jeremiah Fowler, who has been following the situation with National Public Data. “It may not be immediate, and it could take years for one of the many criminal actors to successfully figure out how to use this information, but the end result is that a storm is brewing.”
When information is stolen from a single source, such as when customer data was stolen from Target, it’s relatively easy to determine the source. But when information is stolen from a data broker and the company doesn’t report the incident, it’s much harder to determine whether the information is legitimate and where it came from. Typically, the people whose data is compromised in a breach (the real victims) don’t even know that National Public Data had their information in its possession.
In a Wednesday blog post about the contents and provenance of the National Public Data trove, security researcher Troy Hunt wrote, “The only parties who know the truth are the anonymous threat actors passing the data and the data aggregator… We are left with 134 million email addresses in public circulation with no clear origin or accountability.”