Data breaches seem like an endless scourge with no simple answers, but the recent breach of background check service National Public Data illustrates It is dangerous and difficult to cure. They have become. And after four months of ambiguity, the situation is only just beginning to be clarified with the final National Public Data admit Monday’s breach also saw a large amount of stolen data leaked publicly online.
In April, a hacker known for selling stolen information, known as USDoD, began selling a trove of data on cybercrime forums for $3.5 million that they said included 2.9 billion records and affected “the entire population of the US, CA, and UK.” As the weeks went on, patterns began to emerge in the data as other actors and legitimate researchers worked to understand its origins and authenticate the information. By early June, it had It is clear that at least some of the data is valid. and contain information such as name, email, and physical address in various combinations.
The data isn’t always accurate, but it appears to include two troves of information. One trove includes more than 100 million valid email addresses along with other information, and the second trove includes Social Security numbers but no email addresses.
“It appears that there has been a data security incident that may have involved some of your personal information,” National Public Data wrote on Monday. “This incident is believed to involve a third-party malicious actor attempting to hack into data in late December 2023, with the potential for some data to be leaked in April 2024 and summer 2024… Information that is suspected to have been compromised includes names, email addresses, phone numbers, Social Security numbers, and mailing addresses.”
The company said it was cooperating with “law enforcement agencies and government investigators.” NPD is facing potential class action lawsuits through violation.
“We’ve become numb to the never-ending flow of personal data, but I think there’s a serious risk,” said security researcher Jeremiah Fowler, who has been tracking the situation with National Public Data. “It may not be immediate, and it may take years for one of the many criminals to figure out how to use this information successfully, but the bottom line is that there’s a storm coming.”
When information is stolen from a single source, such as Target customer data stolen from TargetDetermining that source is relatively straightforward. But when information is stolen from a data broker and the company doesn’t say anything about the incident, determining whether the information is legitimate and where it came from is much more complicated. Often, the people whose data was compromised in a breach—the real victims—don’t even know that National Public Data had their information in the first place.
In a blog post Wednesday about the contents and origins of the national public data repository, security researcher Troy Hunt wrote“The only parties who know the truth are the anonymous threat actors who are passing on the data and the data aggregators… We are left with 134 million email addresses circulating publicly with no clear source or accountability.”
