Only 134 million unique email addresses were leaked; the company has acknowledged the incident

In August, a hacker dumped 2.7 billion records, including social security numbers, on a dark web forum, making it one of the largest data breaches in history. National Public Data, the owner of the data, has now acknowledged the incident and blamed a “third-party malicious actor” who hacked the company in December 2023.

The background check service confirmed the breach in a statement released on August 12, saying it had implemented “additional security measures” to protect against future incidents, but recommends that those affected “take preventative measures” rather than offering remedial action.

Troy Hunt, a security expert and developer of the breach-checking service Have I Been Pwned, examined the leaked dataset and found that it contained only 134 million unique email addresses, as well as 70 million rows from a database of US criminal records. The email addresses were not linked to the SSNs.

Other entries in the dataset include a person's name, mailing address and Social Security number, but some also contain other sensitive information, such as the names of relatives, according to Bloomberg.

This is how the data was stolen

This breach is related to an incident on April 8, when a well-known cybercriminal group called USDoD claimed to have access to the personal data of 2.9 billion people from the U.S., U.K., and Canada and sold that information for $3.5 million, according to a class action lawsuit. USDoD allegedly obtained the database from another threat actor using the pseudonym “SXUL.”

This data was allegedly stolen from National Public Data, also known as Jerico Pictures, and the criminal claimed it contained records on every person in the three countries. At the time, malware website VX-Underground said this data dump did not contain any information on people using data opt-out services.

“Not all people who used any kind of data opt-out service were present,” X said.

Several cybercriminals subsequently published various samples of this data, often with different entries, phone numbers and email addresses. However, earlier this month, a user named “Fenice” on the darknet site “Breached” published 2.7 billion unencrypted records in the form of two CSV files with a total size of 277 GB. These contained neither phone numbers nor email addresses, and Fenice stated that the data came from SXUL.

A user named “Fenice” shared 2.7 billion unencrypted records on the darknet site “BreachedForums” in the form of two CSV files with a total size of 277 GB. Source: BleepingComputer

National Public Data’s sister company may have offered an entry point

According to an investigation by Krebs on Security, hackers may have initially gained access to the National Public Data records through its sister company RecordsCheck, another background checking service.

By August 19, recordscheck.net hosted an archive called members.zip that contained the source code and plaintext usernames and passwords for various components of the site, including the administrator. The archive showed that all users of the site were given the same six-character password by default, but many never got around to changing it.

In addition, recordscheck.net is “visually similar to nationalpublicdata.com and has identical login pages,” Krebs wrote. National Public Data founder Salvatore “Sal” Verini later told Krebs that “members.zip” was “an old version of the site with non-working code and passwords” and that RecordsCheck would cease operations “in the next week or so.”

In addition to the plaintext passwords, there is other evidence that RecordsCheck could have served as an access point to Verini's company. According to Krebs, RecordsCheck conducted background checks on people by querying the National Public Data database and records at a data broker called USInfoSearch.com. In November, it was revealed that many USInfoSearch accounts had been hacked and were being exploited by cybercriminals.
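The shared default password described above is something a site operator can audit for once passwords are stored as salted hashes instead of plaintext. The following is an added example, not code from RecordsCheck, Krebs or TechRepublic; the account table, the field names and the default value `abc123` are constructed placeholders.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000               # kept low so the example runs quickly; tune upward in production
PROVISIONING_DEFAULT = "abc123"    # constructed six-character placeholder, not a value from the archive


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash, stored in place of the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(user: str, password: str, is_admin: bool = False) -> dict:
    salt = os.urandom(16)          # per-user salt: identical passwords give different hashes
    return {"user": user, "salt": salt, "hash": hash_password(password, salt),
            "is_admin": is_admin, "must_reset": False}


def audit_default_password(accounts: list, default: str) -> list:
    """Return users whose stored hash still verifies against the provisioning default.

    With per-user salts the hashes cannot simply be compared with each other,
    so the default is re-hashed under each account's salt and checked in
    constant time. Matching accounts are marked for a forced reset.
    """
    flagged = []
    for acct in accounts:
        candidate = hash_password(default, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            acct["must_reset"] = True
            flagged.append(acct["user"])
    return flagged


def build_sample_accounts() -> list:
    """Constructed sample data: two accounts never changed the default."""
    return [
        make_account("admin", PROVISIONING_DEFAULT, is_admin=True),
        make_account("alice", "correct horse battery staple"),
        make_account("carol", PROVISIONING_DEFAULT),
        make_account("dave", "Abc123"),   # differs from the default by case only
    ]


if __name__ == "__main__":
    accounts = build_sample_accounts()
    for user in audit_default_password(accounts, PROVISIONING_DEFAULT):
        print(f"{user}: still on provisioning default, reset required")
```
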

Not all of the 2.7 billion leaked records are accurate or unique, but some of them are

Because each person has multiple records, one for each of their previous home addresses, the data breach does not reveal information about 2.7 billion different people. In addition, according to BleepingComputer, some affected individuals have confirmed that the Social Security number associated with their information in the data dump is incorrect.

BleepingComputer also found that some of the records did not include the current address of the person in question, suggesting that at least some of the information is out of date. However, others confirmed that the data included their own information and that of their family members, including those who have died.

The class action lawsuit added that National Public Data collects the personal information of billions of people from non-public sources to create their profiles, meaning those affected may not have knowingly provided their data. People living in the United States are particularly affected by this breach.

Several websites have been set up to help individuals check whether their information was exposed in the National Public Data breach, including npdpentester.com and npdbreach.com.

Experts TechRepublic spoke to advise affected individuals to monitor or freeze their credit reports and exercise increased caution against phishing campaigns targeting their email address or phone number.

Companies should ensure that any personal data they hold is encrypted and stored securely. They should also implement other security measures such as multi-factor authentication, password managers, security audits, employee training, and threat detection tools.

TechRepublic has reached out to Florida-based National Public Data for a response. The company is currently under investigation by Schubert Jonckheer & Kolbe LLP.

Named plaintiff Christopher Hofmann said he received a notification from his identity theft protection provider on July 24 informing him that his personal information had been compromised and published on the dark web as a direct result of the nationalpublicdata.com data breach.

What security experts say about the breach

Why are National Public Data records so valuable to cybercriminals?

Jon Miller, CEO and co-founder of anti-ransomware platform Halcyon, said the value of the National Public Data records from a criminal's perspective is that they have been collected and organized.

In an email to TechRepublic, he said: “Even though most of the information is already available to the attackers, they would have had to go to great lengths and expense to compile a similar dataset. So essentially NPD just did them a favor by making their job easier.”

Oren Koren, CPO and co-founder of security platform Veriti, added that information about the deceased could be reused for nefarious purposes. In an email to TechRepublic, he said, “With this 'starting point,' a person can attempt to create birth certificates, voting records, etc. that are valid because they have some of the information needed, the most important being the Social Security number.”

How can data aggregator breaches be prevented?

Paul Bischoff, consumer protection officer at technology research firm Comparitech, told TechRepublic in an email: “Background check companies like National Public Data are basically data brokers who collect as much identifiable information as they can on anyone they can and then sell it to anyone who will pay for it. They collect much of the data without the knowledge or consent of the subjects, most of whom have no idea what National Public Data is or does.

“We need stricter regulations and more transparency for data brokers. They must inform data subjects when their information is added to a database. They must also limit web scraping and allow data subjects to view, modify and delete the data.

“National Public Data and other data brokers should be required to show data subjects where their information originally came from so that people can take proactive steps to protect their privacy at the source. Furthermore, there is no reason why the compromised data should not have been encrypted.”

Miller added: “The monetization of our personal data – including the information about ourselves that we disclose publicly – far outpaces the legal protections that govern who can collect what, how it can be used and, most importantly, what responsibility individuals have in protecting that data.”

Can companies and individuals prevent themselves from becoming victims of a data breach?

Chris Deibler, vice president of security at security solutions provider DataGrail, said many of the cyber hygiene principles available to businesses and individuals did not help much in this case.

In an email to TechRepublic, he said: “We are reaching the limits of what individuals can reasonably do to protect themselves in this environment. Real solutions must be found at the corporate and regulatory level, up to and including normalizing data protection rules through international treaties.”

“The balance of power is currently not in favour of the individual. The GDPR and the various state and national regulations coming online are good steps, but the prevention and consequence models in place today clearly do not prevent the mass aggregation of data.”