National Public Data, a US background check company, suffered a data breach in April 2024 that could have exposed sensitive data records of millions of US, UK and Canadian residents.
The Florida-based data broker, which provides access to data from various public record databases, court records, state and national databases and other repositories nationwide, confirmed the rumor of a breach on August 15, 2024.
“The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024,” the firm said in a public advisory.
Class Action Lawsuit in Florida
In April 2024, threat actor USDoD claimed it had stolen 2.9 billion data records on US residents.
The hackers placed the database, named ‘National Public Data,’ up for sale for $3.5m on Breached, a cybercriminal marketplace.
In June, USDoD threatened to leak the whole database.
In July, Christopher Hofmann, a Florida resident, received a notification from his identity theft protection service provider that personally identifiable information (PII) was compromised as a direct result of the breach and was shared on the dark web.
Hofmann filed a class action complaint in US District Court in Fort Lauderdale, Fla.
Jack Chapman, SVP of threat intelligence at KnowBe4-owned Egress, said that if confirmed, this breach will be one of the largest in history.
Security Researchers Analyze National Public Data Breach’s Data Accuracy
On X, security researchers’ group Vx-underground confirmed the data present in the database is real and accurate. It includes:
- First names
- Last names
- Addresses
- Address history over at least three decades
- Social security numbers
It also allowed the researchers to find people’s parents and nearest siblings, even when they were deceased.
However, the researchers said the database does not contain information from individuals using data opt-out services.
Additionally, Vx-underground said that the persona behind USDoD was a broker and/or a middleman for the initial posting. The compromise was allegedly conducted by an individual operating under the SXUL moniker.
In its security advisory, National Public Data (NPD) confirmed that names and social security numbers appear on the stolen data and added that phone numbers were also included.
The company did not confirm the scale of the breach.
PII Security Wake-Up Call for Governments
Chapman said the most alarming aspect of the breach is that “the compromised data was scraped from non-public sources, meaning many people were unaware that NPD even had access to their personal information.”
“While individuals can go to great lengths to secure their digital identities online, their efforts are in vain if organizations fail to safeguard their data by neglecting essential protections like encryption, which could have significantly mitigated any potential damage,” he added.
For Guy Golan, CEO and founder of Performanta, if the scale of the breach might be unprecedented, such a breach is quite common. “it happens all day, every day in smaller chunks. It’s likely that every social security number has been leaked on the dark web multiple times over, long before this most recent attack.
However, Golan argued that the NPD breach could serve as a wake-up call for governments to protect sensitive data like Social Security numbers differently in the future.
“It may well be that the government needs to reconsider the whole concept of social security numbers in light of the technology we now have to defend against attacks and protect the security of its citizens,” he said.