A data dump containing 2.7 billion personal details of US residents, including social security numbers, was recently leaked online. The contents of the data dump were linked to National Public Data, a company that collects information from undisclosed sources and sells it for background checks. The company has now admitted to a “data security incident” in which individuals’ names, emails, addresses, phone numbers, social security numbers, and mailing addresses were stolen.
The language in National Public Data’s security incident report is somewhat vague and convoluted, but the report does attribute the security breach to a third-party malicious actor. It states that the malicious actor “attempted to hack into the data in late December 2023,” and that “potential exposure of certain data” occurred in April 2024 and summer 2024, indicating that the hackers had penetrated the system. In April, a threat actor known as USDoD attempted to sell 2.9 billion records of people living in the United States, the United Kingdom, and Canada for $3.5 million. They claimed to have stolen the information from National Public Data. Since then, the records have been leaked online in pieces, with the more recent leaks being more comprehensive and containing more sensitive information.
The company said it is working with law enforcement to investigate records that may have been affected and “will endeavour to notify” individuals “if further significant developments occur.” It also said it has published a notice so those who may have been affected can take action. The company is advising people to monitor their financial accounts for fraudulent transactions and also encourages them to obtain a free credit report and place a fraud alert on their file.
National Public Data is already facing a proposed class action lawsuit filed in early August by plaintiffs who were notified by an identity theft protection service that their personal information had been posted on the dark web. The plaintiffs allege that the company “failed to adequately safeguard and secure the personally identifiable information it collected and maintained as part of the ordinary course of business.”