A massive data breach that exposed billions of records’ worth of personal information is currently being investigated by federal lawmakers.
National Public Data, a Florida-based credit and criminal history reporting company, confirmed earlier this month that at least 1.3 million people were affected by a December 2023 breach.
In a letter sent on August 22 to the head of the National Commission for Public Data, Salvatore Bellini, the House of Representatives Oversight Committee requested an immediate report on the case, which is already the subject of a class action lawsuit.
“The Oversight and Accountability Committee is investigating recent reports of a possible cyber attack carried out by a cybercrime group identified as the Department of Defense against national public data,” the lawmakers wrote, citing a lawsuit filed earlier this month.
The letter was signed by Rep. James Comer (R-Ky.), chairman of the Oversight Committee, and Rep. Nancy Mace (R-South Carolina), chair of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation.
The lawsuit alleges that the Department of Defense hackers offered the stolen data — including Social Security numbers, phone numbers, email addresses, and mailing addresses — for sale on the dark web for $3.5 million. The total number of people affected by the breach is unclear, but the lawsuit says it could be as high as 2.9 billion.
“If true, this data breach would likely be one of the largest cyberattacks in history in terms of individuals affected,” the Republicans wrote. “The Committee will request a report to confirm the veracity of the attack and, if accurate, evaluate the potential impact of the breach on the U.S. government, businesses, and the American people, as well as the National Public Data response to the attack.”
National Public Data confirmed that “there appears to have been a data security incident” on its website involving a “third-party malicious actor.” The company also said that a “potential breach of certain data” may have occurred as early as April of this year.
The Maine Attorney General’s Office also released a notice of the hack filed by Bellini on August 17, revealing that 2,760 Maine residents were affected.
Many of the people whose information was exposed in the breach were not customers of National Public Data, and their information was “scraped” by unauthorized third parties and provided to the company without their knowledge, according to the lawsuit.
The lawsuit also alleges that the company stored personal information unencrypted, making it easily accessible to hackers, and that it failed to properly notify affected people about the breach.
“The lack of transparency surrounding National Public Data’s cyberattack is astonishing, given the information allegedly leaked and the potential damage to numerous victims,” Comer and Mace wrote, noting that the company has yet to provide a detailed explanation of what happened.
To resolve the issue, they asked for the requested information session to be held by August 30th.
“To the extent known, we expect the briefing to describe the timing and nature of the breach, including how it occurred, a description of the data that was exposed, and the steps National Public Data is taking in response to the breach,” they wrote.
The Epoch Times has reached out to National Public Data for comment.
Rachel Asenath and Jack Phillips contributed to this report.
From The Epoch Times