The Slow-Burn Nightmare of the National Public Data Breach

Data breaches are a seemingly endless scourge with no simple answer, but the breach in recent months of the background-check service National Public Data illustrates just how dangerous and intractable they have become. And after four months of ambiguity, the situation is only now beginning to come into focus with National Public Data finally acknowledging the breach on Monday just as a trove of the stolen data leaked publicly online.

In April, a hacker known as USDoD, who has a reputation for selling stolen information, began hawking a trove of data on cybercriminal forums for $3.5 million that they said included 2.9 billion records and impacted “the entire population of USA, CA and UK.” As the weeks went on, samples of the data started cropping up as other actors and legitimate researchers worked to understand its source and validate the information. By early June, it was clear that at least some of the data was legitimate and contained information like names, emails, and physical addresses in various combinations.

The data isn’t always accurate, but it seems to involve two troves of information: one that includes more than 100 million legitimate email addresses along with other information, and a second that includes Social Security numbers but no email addresses.

“There appears to have been a data security incident that may have involved some of your personal information,” National Public Data wrote on Monday. “The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024 … The information that was suspected of being breached contained name, email address, phone number, Social Security number, and mailing address(es).”

The company says it has been cooperating with “law enforcement and governmental investigators.” NPD is facing potential class action lawsuits over the breach.

“We have become desensitized to the never-ending leaks of personal data, but I would say there is a serious risk,” says security researcher Jeremiah Fowler, who has been following the situation with National Public Data. “It may not be immediate, and it could take years for one of the many criminal actors to successfully figure out how to use this information, but the bottom line is that a storm is coming.”

When information is stolen from a single source, like Target customer data being stolen from Target, it’s relatively straightforward to establish that source. But when information is stolen from a data broker and the company doesn’t come forward about the incident, it’s much more complicated to determine whether the information is legitimate and where it came from. Typically, people whose data is compromised in a breach—the true victims—aren’t even aware that National Public Data held their information in the first place.

In a blog post on Wednesday about the contents and provenance of the National Public Data trove, security researcher Troy Hunt wrote, “The only parties that know the truth are the anonymous threat actors passing the data around and the data aggregator … We’re left with 134M email addresses in public circulation and no clear origin or accountability.”

Even in a situation where a data broker has admitted to being breached—as is now the case with National Public Data—the stolen data may not be reliable and may have been combined with other datasets or processed in other ways. Hunt found, for example, that many email addresses in the dataset seemed to be paired with inaccurate personal information, and there were many duplicates and redundancies.

“There were no email addresses in the Social Security number files,” noted Hunt, who runs the website Have I Been Pwned (HIBP), which allows people to search their email addresses to see which, if any, data breaches they appear in. “If you find yourself in this data breach via HIBP, there’s no evidence your SSN was leaked, and if you’re in the same boat as me, the data next to your record may not even be correct.”

For people whose information was in the Social Security number dump, though, the risk of identity theft looms, forcing victims to freeze their credit, scour their credit reports, and set up financial monitoring services. Indeed, over the past few days, many people included in the data have begun receiving notifications about the breach from credit monitoring and threat intelligence services. And while the stolen data is imperfect, researchers warn that every trove of information that attackers can get their hands on ultimately fuels scamming, cybercrime, and espionage when combined and reconciled with the larger corpus of personal data that has been compiled by bad actors over the years.

“Each data breach is a puzzle piece, and we know that the bad guys and specific nations are also collecting this data,” Fowler says. “When numerous breaches are combined in a systematic, organized, and searchable way they can provide a complete picture and data profile of individual citizens.”