Massive National Public Data Breach Exposes 2.9 Billion Records, Risks SSNs

Hackers have accessed billions of personal information records, including social security numbers, by breaching National Public Data (NPD), a background check firm. Learn more about the development and its implications for affected users.

August 19, 2024

  • National Public Data, a data aggregator, disclosed a breach that could have exposed billions of personal records.
  • The leaked information, including social security numbers, addresses, names, and other personal data, highlights the long-term risks of data breaches.

The Incident

National Public Data (NPD), a background check service and data broker operating under the name Jerico Pictures, has fallen victim to a hack that compromised around 2.9 billion records. The breach occurred in April 2024 and is one of the largest in history.

The breach came to light when a cybercriminal group called USDoD announced the sale of a vast database of personal data they had acquired from NPD. The database included names, addresses, details about relatives, and social security numbers.

The data covered many decades, with some of the records being 30 years old. Affected individuals are considered to be unaware of the breach, or even of the fact that NPD had collected their data, as much of the data was scraped from non-public sources without consent.

The breach has now led to a class action lawsuit against Jerico Pictures, alleging that the company did not properly secure its collected information. The plaintiffs also claimed that they had never given NPD access to their information, focusing on legal and ethical concerns associated with the unauthorized collection of personal information.

Data Brokers

Data brokers like NPD collect, store, and sell personal information, often without the consent of the individuals in question. They source data from multiple channels such as social media, public records, and other non-public sources. Leading data brokers in the industry include Equifax, Experian, Epsilon, CoreLogic, and Acxiom. Such companies have access to vast amounts of data they sell to businesses for various purposes, such as marketing and risk management.

While people can opt out of data collection by such brokers by visiting the company website and following opt-out procedures, these processes can be cumbersome and often do not guarantee the complete removal of data.

Mitigation Measures

NPD has stated that it would be notifying those impacted by the breach. However, there is no precise official method for people to check if their data is part of the breach. Individuals can still take specific measures to minimize damage if the theft of social security numbers is suspected:

  • Reporting identity theft: If suspicious activity is noted, it should be reported immediately to the Federal Trade Commission (FTC) at IdentityTheft.gov.
  • Credit monitoring: Users should regularly check their credit reports for unauthorized activity. Major credit bureaus often provide these reports for free.
  • Fraud alerts: Fraud alerts and credit freezes on credit files are measures that could prevent new accounts from being opened in the user’s name.
  • Online activity: People should be cautious when they are online and avoid entering social security numbers on websites that claim to check if data was breached. These could be phishing attempts. Theft monitoring and reporting efforts should only be carried out on official channels.

Pentester, a cybersecurity firm, has created a free database with redacted information following the breach to allow people to check if their information was leaked. Individuals can do this by entering their name, state, and birth year.

Paul Laudanski, director of security research at Onapsis, spoke about the implications of the attack:

“This incident is part of a larger, ongoing trend we’ve seen over the past several years. The proliferation of sensitive data online has created a lucrative target for cybercriminals. As this continues to grow, there can be an anticipated rise in data breaches as attackers refine their tactics and exploit emerging vulnerabilities and security gaps.

Businesses must remain vigilant for potential crimes such as IRS tax refund fraud. Monitoring financial accounts, credit reports, and IRS correspondence is essential. Businesses, meanwhile, must ensure the security of their supply chains, infrastructures, and applications. This includes conducting regular security assessments, implementing strong encryption, and training employees to follow security best practices.

While complete prevention is challenging due to the evolving nature of the landscape, proactive measures can be taken to significantly reduce the risk of attacks at this scale. Investing in strong cybersecurity defenses, employee training, and incident response planning is essential. By staying informed and adaptable, organizations can better protect themselves against these attacks and mitigate these threats swiftly.”

Takeaways

The breach of National Public Data highlights the risks associated with data aggregation and the need for more robust data protection measures. As the incident’s implications continue to become more evident, individuals and companies should remain vigilant in protecting personal data.

Anuj Mudaliar
Anuj Mudaliar is a content development professional with a keen interest in emerging technologies, particularly advances in AI. As a tech editor for Spiceworks, Anuj covers many topics, including cloud, cybersecurity, emerging tech innovation, AI, and hardware. When not at work, he spends his time outdoors - trekking, camping, and stargazing. He is also interested in cooking and experiencing cuisine from around the world.