In August, a hacker dumped 2.7 billion data records, including Social Security numbers, on a dark web forum, in one of the biggest breaches in history. National Public Data, the owner of the data, has now acknowledged the incident, blaming a “third-party bad actor” that hacked the company in December 2023.
The background-checking service acknowledged the breach in a statement posted on Aug. 12. It explained how it has applied “additional security measures” to protect itself against future incidents; however, it recommends that those affected “take preventative measures” rather than offering any remediation.
Troy Hunt, security expert and creator of the Have I Been Pwned breach checking service, investigated the leaked dataset and found it only contained 134 million unique email addresses as well as 70 million rows from a database of U.S. criminal records. The email addresses were not associated with the SSNs.
Other records in the dataset include a person’s name, mailing address, and SSN, but some also contain other sensitive information, such as names of relatives, according to Bloomberg.
How the data was stolen
This breach is related to an incident from April 8, when a known cybercriminal group named USDoD claimed to have access to the personal data of 2.9 billion people from the U.S., U.K., and Canada and was selling the information for $3.5 million, according to a class action complaint. USDoD is thought to have obtained the database from another threat actor using the alias “SXUL.”
This data was supposedly stolen from National Public Data, also known as Jerico Pictures, and the criminal claimed it contained records for every person in the three countries. At the time, the malware research site VX-Underground said the data dump did not contain information on people who used data opt-out services.
“Every person who used some sort of data opt-out service was not present,” it posted on X.
A number of cybercriminals then posted different samples of this data, often with different entries and containing phone numbers and email addresses. But it wasn’t until earlier this month that a user named “Fenice” leaked 2.7 billion unencrypted records on the dark web site known as “Breached,” in the form of two CSV files totaling 277 GB. These did not contain phone numbers or email addresses, and Fenice said that the data originated from SXUL.
National Public Data’s sister property might have provided an entry point
According to research by Krebs on Security, hackers might have gained initial access to the National Public Data records via its sister property, RecordsCheck, another background-checking service.
Up until August 19, “recordscheck.net” hosted an archive called “members.zip” that included the source code and plaintext usernames and passwords for different components of its site, including its administrator account. The archive indicated that all of the site’s users were given the same six-character password by default, and many never got around to changing it.
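The practical lesson of that archive is that a shared default password is a single credential for the whole user base, and that storing passwords in plaintext turns any file exposure into an immediate account takeover. The audit below is an added example, not code from RecordsCheck, National Public Data or Krebs on Security: it assumes a user export where passwords are stored as per-user salted PBKDF2-HMAC-SHA256 hashes (the hardened form of what the archive contained) and reports which accounts still verify against the site-wide default. The default value, usernames and hashes are constructed for the example; the real default password is not public.

```python
"""Audit a user table for accounts still on a shared default password.

Added example; not code from any party named in the article. Assumes the
export stores per-user salted PBKDF2 hashes. Had the passwords been stored
in plaintext, as described for members.zip, the same audit would be a string
compare, and it is exactly what an attacker holding the archive can do.
"""
import hashlib
import hmac
import os

# Iteration count kept moderate so the example runs quickly; production
# deployments should use the current OWASP recommendation (600,000+ for
# PBKDF2-HMAC-SHA256) or a memory-hard KDF such as scrypt/Argon2.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash; the salt must be unique per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing via timing."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def find_default_password_users(users, default_password: str):
    """Return usernames whose stored hash still verifies against the default.

    Because each user has a distinct salt, the default has to be re-derived
    per account; a per-user salt is what prevents one precomputed hash from
    exposing every account at once.
    """
    return [u["username"] for u in users if verify(default_password, u["salt"], u["hash"])]


def make_user(username: str, password: str) -> dict:
    """Build one user record with a fresh random salt (constructed data)."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


DEFAULT = "abc123"  # hypothetical six-character default, NOT the real one

# Constructed sample: three accounts left on the default, two changed.
SAMPLE_USERS = [
    make_user("admin", DEFAULT),
    make_user("alice", DEFAULT),
    make_user("bob", "correct horse battery staple"),
    make_user("carol", DEFAULT),
    make_user("dave", "Tr0ub4dor&3!xyz"),
]

if __name__ == "__main__":
    stale = find_default_password_users(SAMPLE_USERS, DEFAULT)
    print(f"{len(stale)}/{len(SAMPLE_USERS)} accounts still use the default password: {stale}")
```

Running the script lists the three unchanged accounts. The same loop, pointed at a real export, is the check a site operator should run before an archive like this ever reaches a web root; the fix is to force a password change on first login rather than to issue one value to everyone.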
Furthermore, recordscheck.net is “visually similar to nationalpublicdata.com and features identical login pages,” Krebs wrote. National Public Data’s founder, Salvatore “Sal” Verini, later told Krebs that “members.zip” was “an old version of the site with non-working code and passwords” and that RecordsCheck will cease operations “in the next week or so.”
As well as the plaintext passwords, there is other evidence that RecordsCheck would have provided a point of entry into Verini’s properties. According to Krebs, RecordsCheck pulled background checks on people by querying the National Public Data database and records at a data broker called USInfoSearch.com. In November, it was revealed that many USInfoSearch accounts had been hacked and were being exploited by cybercriminals.
Not all 2.7 billion leaked records are accurate or unique, but some of them are
Because each individual can have multiple records, one for each previous home address, the breach does not expose information about 2.7 billion different people. Furthermore, according to BleepingComputer, some impacted individuals have confirmed that the SSN associated with their information in the data dump is not correct.
BleepingComputer also found that some of the records do not contain the associated individual’s current address, suggesting that at least a portion of the information is out of date. However, others have confirmed that the data contained their and their family members’ legitimate information, including those who are deceased.
The class action complaint added that National Public Data scrapes the personally identifying information of billions of individuals from non-public sources to create their profiles. This means that those impacted may not have knowingly provided their data. Those living in the U.S. are particularly likely to be impacted by this breach in some way.
Several websites have been set up to help individuals check if their information has been exposed in the National Public Data breach, including npdpentester.com and npdbreach.com.
Experts who TechRepublic spoke to suggest that individuals impacted by the breach should consider monitoring or freezing their credit reports and remain on high alert for phishing campaigns targeting their email or phone number.
Businesses should ensure any personal data they hold is encrypted and stored securely. They should also implement other security measures such as multi-factor authentication, password managers, security audits, employee training, and threat-detection tools.
TechRepublic has reached out to Florida-based National Public Data for a response. The company is currently under investigation by Schubert Jonckheer & Kolbe LLP.
Named plaintiff Christopher Hofmann said he received a notification from his identity-theft protection service provider on July 24 notifying him that his personal information had been compromised as a direct result of the “nationalpublicdata.com” breach and had been published on the dark web.
What security experts are saying about the breach
Why are the National Public Data records so valuable to cybercriminals?
Jon Miller, CEO and co-founder of anti-ransomware platform Halcyon, said that the value of the National Public Data records from a criminal’s perspective comes from the fact that they have been collected and organized.
He told TechRepublic in an email, “While the information is largely already available to attackers, they would have had to go to great lengths at great expense to put together a similar collection of data, so essentially NPD just did them a favor by making it easier.”
Oren Koren, CPO and co-founder at security platform Veriti, added that information about deceased individuals could be reused for nefarious purposes. He told TechRepublic in an email, “With this ‘starting point,’ an individual can try to create birth certificates, voting certificates, etc., that will be valid due to the fact they have some of the info they need, with the most important one being the social security number.”
How can data aggregator breaches be stopped?
Paul Bischoff, consumer privacy advocate at tech research firm Comparitech, told TechRepublic in an email, “Background check companies like National Public Data are essentially data brokers who collect as much identifiable information as possible about everyone they can, then sell it to whomever will pay for it. It collects much of the data without the knowledge or consent of data subjects, most of whom have no idea what National Public Data is or does.
“We need stronger regulations and more transparency for data brokers that require them to inform data subjects when their info is added to a database, limit web scraping, and allow data subjects to see, modify, and delete data.
“National Public Data and other data brokers should be required to show data subjects where their info originally came from so that people can take proactive steps to secure their privacy at the source. Furthermore, there is no reason the compromised data should not have been encrypted.”
Miller added, “The monetization of our personal information — including the information we choose to expose about ourselves publicly — is far ahead of legal protections that govern who can collect what, how it can be used, and most importantly, what their responsibility is in protecting it.”
Can businesses and individuals prevent themselves from becoming victims of a data breach?
Chris Deibler, VP of security at security solutions provider DataGrail, said many of the cyber hygiene principles available for businesses and individuals would not have helped much in this instance.
He told TechRepublic in an email, “We are reaching the limits of what individuals can reasonably do to protect themselves in this environment, and the real solutions need to come at the corporate and regulatory level, up through and including a normalization of data privacy regulation via international treaty.
“The balance of power right now is not in the individual’s favor. GDPR and the various state and national regulations coming online are good steps, but the prevention and consequence models in place today clearly do not disincentivize mass aggregation of data.”