National Public Data Breach: 2.7B Records, with Social Security Numbers, Leaked to Dark Web
Last Updated on October 23, 2024
October Update: National Public Data Bankruptcy, USDoD Hacker Arrested
NPD’s parent company, Jerico Pictures, has filed for Chapter 11 bankruptcy. The company faces overwhelming litigation, including regulatory actions from the Federal Trade Commission and over 20 states. With only $75,000 remaining in assets and no insurance coverage, Jerico’s owner, Salvatore Verini, stated that the company cannot meet its financial obligations or provide credit monitoring for those affected.
One of the hackers known as USDoD, responsible for the National Public Data and FBI InfraGard data breaches, has been arrested in Brazil. The individual, identified as Luan BG, had a history of leaking stolen data online and had previously taunted victims, including cybersecurity firm CrowdStrike. His actions led to a law enforcement operation dubbed “Operation Data Breach”, resulting in his arrest in Belo Horizonte.
[Update: August 29, 2024]
National Public Data finally confirmed the data breach last week after intense pressure and media speculation. On a dedicated support page, the company writes:
“There appears to have been a data security incident that may have involved some of your personal information. The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024 […] The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
Meanwhile, researchers at Constella have reported that the data amounts to:
- Unique individuals affected: 294 million
- Unique Social Security numbers: 272 million, equivalent to 60% of all SSNs
- Unique emails: 32 million
- Those most affected were born 1950 – 1969
Only 51% of the SSNs pose a risk of identity theft. Nonetheless, this still amounts to approximately 138 million, a staggering number of potential victims. Stay tuned for more details as investigations continue.
* * *
Four months after notorious hacking group USDoD claimed to have stolen a vast amount of personal information from National Public Data (NPD), a major background check service, the group has reportedly released most of the data for free on a dark web marketplace. The stolen data, 2.7 billion records totaling 277GB, allegedly includes:
- Social Security numbers (SSN)
- Dates of birth
- Full names
- Residential addresses
- Phone numbers
- Email addresses
- Employment information
- Criminal records
- Credit histories
- Driver’s license numbers
- Vehicle registrations
- Mortgage records
National Public Data Breach: What Happened?
A class-action lawsuit filed in Florida has revealed that USDoD claimed in April to have stolen the personal records of 2.9 billion people from NPD, which provides personal information to employers, investigators, staffing agencies, and others conducting background checks. The group initially offered to sell the data back for $3.5 million, but when they were unsuccessful, a USDoD member known only as Felice decided to share the data on “Breach Forums”, offering “the full NPD database”.
The breach has been heavily criticized, particularly regarding National Public Data’s delayed response. Despite the scale of the breach, the company has been slow to notify those affected and has yet to provide a comprehensive plan to address the situation. This has intensified concerns about NPD’s data protection practices and led to several lawsuits against the company. Consumer protection groups and legal experts are pushing for stricter regulations on data brokers and companies that handle large amounts of personal information.
National Public Data has not responded to requests for comment or formally notified those affected by the breach. However, the company has been informing individuals who contact them via email that they are “aware of certain third-party claims about consumer data and are investigating these issues.” In the same email, the company mentions that it has “purged the entire database, as a whole, of any and all entries, essentially opting everyone out.” The company also stated that it has deleted any “non-public” personal information.
What to Do?
This breach, one of the largest in history, has compromised around 2.7 (formerly 2.9) billion records. While the number of affected individuals remains to be seen, it is likely to be many millions in the US, Canada, and the UK. A breach of this scale could lead to widespread identity theft, fraud, and other crimes, raising significant concerns about data security. We recommend taking the following five steps to mitigate the risks if your information was compromised:
- Monitor credit reports: Regularly check for unauthorized activities.
- Freeze your credit: Prevent new accounts from being opened in your name.
- Update passwords: Secure your online accounts with strong passwords.
- Enable multi-factor authentication (MFA): Add an extra layer of security to accounts.
- Be cautious of phishing: Be vigilant against suspicious emails or messages trying to exploit your information.
The broader implications of this breach highlight the urgent need for stronger data protection laws, with growing demands for more robust regulations governing data brokers, including requirements for transparency, consent, and data security. As investigations continue, the full impact of the National Public Data breach will likely unfold, potentially leading to significant changes in how personal data is managed and protected globally. Watch this space for more updates.
Protecting Your Identity and Personal Info
Compromised personal data can have serious consequences, including identity theft, financial fraud, and job losses. We would encourage readers to head over to our new ID Protection portal, which has been designed to meet these challenges.
With ID Protection, you can:
- Check to see if your data (email, number, password, credit card) has been exposed in a leak, or is up for grabs on the dark web
- Secure your social media accounts with our Social Media Account Monitoring tool, with which you’ll receive a personalized report
- Get strong, tough-to-hack password suggestions from our advanced AI (they’ll be safely stored in your Vault)
- Enjoy a safer browsing experience, as Trend Micro checks websites and prevents trackers
- Receive comprehensive remediation and insurance services, with 24/7 support.
Offering both free and paid services, ID Protection will ensure you have the best safeguards in place, with 24/7 support available to you through one of the world’s leading cybersecurity companies. Trend Micro is trusted by 8 of the top 10 Fortune 500 Companies — and we’ll have your back, too. Why not give it a go today?