Data breaches continue to be a relentless issue with no straightforward solution. The recent dilemma surrounding National Public Data’s background-check service underscores how severe and complex these incidents can become. Four months of uncertainty have only now begun to clear up, as National Public Data publicly acknowledged its breach at the same time the stolen data leaked.
In April, a notorious hacker who specializes in selling pilfered data, referred to as USDoD, started offering a collection of data on the dark web priced at $3.5 million. The hacker claimed the data consisted of 2.9 billion records affecting individuals from the USA, CA, and UK. As time passed, data samples emerged on various platforms as other malicious actors and legitimate researchers endeavored to pinpoint the data’s origin and confirm its authenticity. By early June, it had been established that some of the data was genuine, including personal details such as names, emails, and physical addresses.
Though not consistently accurate, the disclosed data seemingly involves two batches of information. One batch contains over 100 million valid email addresses among other pieces of data, while the other includes Social Security numbers but lacks any email addresses.
National Public Data issued a statement on Monday, alerting possibly affected individuals. “We experienced a data security incident which might have involved some of your personal data,” the service said. The company believes the breach was orchestrated by an unauthorized external party attempting to infiltrate its databases around late December 2023, with potential subsequent leaks occurring in April and the summer of 2024. The suspected compromised data includes names, email addresses, phone numbers, Social Security numbers, and mailing addresses.
The company has stated that it is working with “law enforcement and governmental investigators.” NPD is facing potential class action lawsuits following the breach.
“We have become desensitized to the never-ending leaks of personal data, but I would say there is a serious risk,” comments security researcher Jeremiah Fowler, who is closely monitoring the developments with National Public Data. “It may not be immediate, and it could take years for one of the many criminal actors to successfully figure out how to use this information, but the bottom line is that a storm is coming.”
When information is stolen from a single source, such as Target customer data being stolen from Target, it’s relatively straightforward to pinpoint that source. However, when data is taken from a data broker and the company does not disclose the incident, it becomes more complex to verify the legitimacy of the information and its origin. Typically, individuals whose data is compromised in such breaches—the real victims—aren’t even aware that National Public Data possessed their information in the first place.
In a blog post on Wednesday concerning the contents and origin of the National Public Data trove, security researcher Troy Hunt wrote, “The only parties who know the truth are the anonymous threat actors dispersing the data and the data aggregator … We’re facing 134M email addresses in public circulation with no confirmed origin or accountability.”
Even when data brokers like National Public Data acknowledge a security breach, the stolen data might still be corrupted, mingled with other data sets, or manipulated in various ways. For instance, Hunt discovered numerous inconsistencies such as email addresses linked to wrong personal details and extensive duplications throughout the data.
“The dataset containing Social Security numbers did not include any email addresses,” observed Hunt, who operates the website Have I Been Pwned (HIBP). This platform enables individuals to check if their email addresses have been compromised in breaches. “If your data shows up in this breach on HIBP, it does not necessarily mean your SSN is compromised, and like my case, the accompanying personal data may also be incorrect.”
For those whose details surfaced in the compromised Social Security number segment, the threat of identity theft becomes a significant concern, compelling them to lock their credit, meticulously review their credit reports, and set up credit monitoring services. Recently, some victims have started to get breach notices from such monitoring services. Despite the data’s flaws, experts caution that every piece of stolen data contributes to scams, cybercrime, and espionage when merged with other extensive collections of personal data accumulated over time by malevolent entities.
“Every breach adds a piece to the puzzle, and malicious actors, including certain countries, are collecting this data,” stated Fowler. “When multiple breaches are systematically compiled in an organized and searchable manner, they form a comprehensive and detailed profile of individuals.”