The Slow Nightmare of National Public Data Breach

Data breaches are a seemingly endless plague with no simple answer, but the breach of background-checking service National Public Data in recent months shows just how dangerous and intractable they have become. And after four months of ambiguity, the situation is only now starting to come together, with National Public Data finally acknowledging the breach on Monday, just as a trove of stolen data was publicly leaked online.

In April, USDoD, a hacker known for selling stolen information, began offering a batch of data on cybercriminal forums for $3.5 million, claiming that it included 2.9 billion records and impacted “the entire population of the US, CA, and UK.” As the weeks went by, samples of the data began to surface as other legitimate actors and researchers worked to understand the source and validate the information. By early June, it was clear that at least some of the data was legitimate, containing information such as names, emails, and physical addresses in various combinations.

The data isn’t always accurate, but it appears to involve two sets of information: one that includes more than 100 million legitimate email addresses along with other information, and a second that includes Social Security numbers but no email addresses.

“It appears that there has been a data security incident that may have involved some of your personal information,” National Public Data wrote Monday. “The incident is believed to have involved a third-party malicious actor attempting to hack data in late December 2023, with potential data leaks of some data in April 2024 and summer 2024… The information suspected to have been compromised included your name, email address, phone number, Social Security number, and postal address(es).”

The company says it has been cooperating with “law enforcement and government investigators.” NPD is facing potential class-action lawsuits over the breach.

“We’ve become numb to the endless leaks of personal data, but I would say there is a serious risk,” says security researcher Jeremiah Fowler, who has been following the situation with National Public Data. “It may not be immediate, and it could take years for one of the many criminal actors to successfully figure out how to use this information, but the bottom line is that a storm is coming.”

When information is stolen from a single source, such as Target customer data stolen from Target, it’s relatively easy to determine that source. But when information is stolen from a data broker and the company doesn’t come forward about the incident, it’s much more complicated to determine whether the information is legitimate and where it came from. Typically, the people whose data is compromised in a breach—the true victims—aren’t even aware that National Public Data had their information in the first place.

In a Wednesday blog post about the contents and provenance of the trove of National Public Data, security researcher Troy Hunt wrote: “The only parties who know the truth are the anonymous threat actors passing the data around and the data aggregator… We are left with 134 million email addresses in public circulation and no clear source or accountability.”

Written by Anika Begay
