A massive data breach reportedly exposed over 2.7 billion records on a hacker forum. These documents, reportedly taken from National Public Data (NPD), belonged to people in the United States.
Private investigators, background check companies, and criminal record search companies get access to personal information from National Public Data. It is believed that the company gathers comprehensive profiles of people in the US and other countries by scraping public sources.
The data breach occurred on April 8, when the cyber-criminal group USDoD said that it has access to 2.9 billion people’s personal information from the United States, the United Kingdom, and Canada.
According to a class action complaint, the group allegedly offered to sell this information for $3.5 million. An infamous threat actor, USDoD was previously connected to the attempted $50,000 sale of InfraGard’s user database in December 2023.
Since the first data breach, many threat actors have leaked incomplete copies of the data. Each breach has released a different amount of records and, in some cases, different data.
The nearly complete archive of stolen National Public Data was released for free on the Breached hacking forum on August 6 by a threat actor known as “Fenice.” However, Fenice claims that the breach was executed by another threat actor known as “SXUL,” rather than USDoD.
There is no proof that this leak includes information on every person in the US, but several people have confirmed that it does contain accurate information about them and family members.
Each record contains a person’s name, postal address, and Social Security number, with some entries including additional details such as associated names.
Email addresses and phone numbers from previously released samples are not included in the 2.7 billion records that have been exposed. It is also important to understand that a person may have several records, one for each known address. This indicates that the breach does not affect 3 billion unique individuals, as certain reports have incorrectly stated.
A significant risk of fraud and identity theft exists due to the 277GB of released data. It doesn’t necessarily impact 2.7 billion individual users, but the data may still be used to create fake accounts, apply for loans, or file taxes.
Teresa Murray, consumer watchdog director of the U.S. Public Information Research Group, warned that widespread identity theft, fraud, and other crimes might result from the breach, which exposed Social Security numbers and other personal data.
Allegations of poor data protection have led to many lawsuits against NPD, which is owned by Jerico Pictures. Christopher Hofmann, a California citizen, filed one such complaint against NPD, accusing the company of carelessness, breach of fiduciary obligations, and breach of third-party contracts.
Hofmann is requesting that the court order NPD to destroy all personal information it has gathered and to apply data encryption going forward. Furthermore, the plaintiff demands more than just financial compensation.
National Public Data has not publicly notified those impacted by the purported breach and has not replied to requests for comment despite the serious accusations. NPD has said that they are “aware of certain third-party claims about consumer data and are investigating these issues” in response to specific queries.
In addition to using stolen data, scammers often take advantage of those who unintentionally disclose important information. A common strategy involves impersonating your bank, employer, phone company, or another service provider you’ve dealt with, attempting to lure you in with a text or email.
Victims can even receive phishing emails claiming to be from “National Public Data,” a company purportedly addressing a suspected data breach. As a general guideline, never click on links or call phone numbers contained in unauthorised texts or emails.
Look for the company’s fraud department number, typically found on the back of your debit or credit cards, and contact them immediately for help if you have any concerns about a possible fraud notification.
Any individuals who believe their account has been compromised should change their password immediately. Businesses should also teach their employees how to spot phishing emails and report them in addition to providing Security Awareness Training.
Has your organisation started to increase cyber security measures yet? Start your two-week free trial today.