National Public Data admits security breach that leaked social security numbers of millions in the US

A recent data breach exposed 2.7 billion records of personal information of individuals in the United States, including Social Security numbers.

The data theft is linked to National Public Data, a company known for harvesting information from non-public sources for background checks. The company has now confirmed a “data security incident” and admitted that names, emails, addresses, phone numbers, social security numbers and mailing addresses were compromised.

In its report on the security incident, National Public Data vaguely attributed the breach to a malicious third-party actor. The company stated that this actor attempted to hack into its data in late December 2023, with “potential leaks of certain data” occurring in April 2024 and summer 2024. These statements suggest that the hacker successfully infiltrated the system.

In April, a threat actor identified as USDoD attempted to sell 2.9 billion records from the US, UK and Canada for $3.5 million, claiming the data was stolen from National Public Data. Since then, parts of the data have been leaked online, with the most recent release being particularly comprehensive and sensitive.

National Public Data said it is working with law enforcement to assess the impact of the breach and plans to “attempt to notify” affected individuals “if there are any further significant developments relevant to them.”

The company has urged anyone potentially affected to monitor their bank accounts for fraudulent activity, obtain free credit reports and consider placing a fraud alert on their files.

The company is already facing a class action lawsuit filed in early August. The plaintiff, who was alerted by its identity theft protection service that its information had been posted on the dark web, claims that National Public Data failed to “adequately secure and protect the personal information it collected and maintained as part of its normal business practices.”