The data broker at the center of what could be one of the most significant breaches this year has told authorities that just 1.3 million people were affected.
While news of a breach affecting 1.3 million people would normally be shocking, this latest breach is unusual given that many investigators in recent weeks had previously put the figure much higher.
Florida-based National Public Data (NPD) confirmed the number of people affected through a filing with the Maine Attorney General on Friday, which requires organizations to list separately the total number of people affected and how many were affected in Maine alone.
The digital intrusion occurred in December 2023, according to NPD, but the company acknowledged that the data breach began in April of this year and continued throughout the summer.
These leaks were committed by criminals using the name USDoD, who in April began selling the stolen database, which purportedly consists of 2.9 billion rows of data on citizens of the United States, Canada, and the United Kingdom, for $3.5 million.
When Troy Hunt, information security expert and administrator of HaveIBeenPwned, looked through the database, he found 134 million unique email addresses, so while it’s unlikely that all 1.3 million affected people had 100 email addresses, it’s possible that more people are affected than the number NPD told the Maine Attorney General.
This situation is not unprecedented: it is not uncommon for organizations that have reported data breaches to U.S. government authorities to update their reports as investigations into potentially compromised data continue.
Something similar happened in June when Financial Business and Consumer Solutions updated its notice to reflect a broader impact: The company initially said 2 million people were affected, but later raised that to 3.2 million.
“It appears that there has been a data security incident that may have involved some of your personal information,” reads the letter sent to affected individuals from NPD. “The incident is believed to have involved a third-party malicious actor attempting to hack data in late December 2023, potentially resulting in the exposure of certain data in April 2024 and summer 2024. We have investigated and subsequent information has come to light.”
“The information allegedly leaked included names, email addresses, phone numbers, Social Security numbers and mailing addresses.”
“We have cooperated with law enforcement and government investigators to conduct an investigation of potentially affected records, and will notify you of any further significant developments that concern our customers. We have also implemented additional security measures to prevent a recurrence of such a breach and to protect our systems.”
A breach disclosure webpage launched by NPD last week used similar language, rekindling interest in the case, but the page, like the Maine Attorney General’s filing, does not list the number of individuals affected.
In addition to 134 million unique email addresses, Hunt also found what appears to be criminal history data — an astounding 70 million records that NPD did not include in its disclosure documents.
Atlas Data Privacy, a company that helps remove customer data from data intermediaries like NPD, also found 272 million unique Social Security numbers scattered throughout the massive data trove.
It turns out that these services actually worked, because the data of people who signed up for these services was not included in the leak, and a significant portion of the data was about people who had passed away. For example, it included millions of records of people over 120 years old, and the average age of the affected individuals was 80 years old.®
