A massive data breach involving nearly 3 billion personal records was reported by National Public Data in December 2023.
According to CNET, the extensive data breach, orchestrated by the cybercriminal group USDoD, involved the theft of sensitive information including Social Security numbers and emails.
National Public Data, a prominent data broker, acknowledged the breach occurred due to unauthorized network access by USDoD. Initial reports suggest the breach was first detected due to unusual network activity towards the end of December 2023.
After detecting the intrusion, officials revealed that hackers compromised a vast amount of personal information, including names, Social Security numbers, email addresses, phone numbers, and mailing addresses.
The scope of the breach, which amounted to approximately 2.9 billion records, immediately raised concerns regarding identity theft and personal privacy.
Estimates of the number of individuals affected vary widely. For example, Maine's Attorney General's office estimated that the breach might impact up to 1.3 million residents, while cybersecurity expert Troy Hunt reported that hackers compromised around 134 million unique email addresses.
Moreover, this discrepancy underscores the challenges in assessing the full impact of data breaches, which often involve disparate datasets and varying degrees of sensitivity.
Additionally, hackers reportedly obtained the stolen data by unauthorized scraping of nonpublic sources, raising legal and ethical concerns. As a result, this action led to a proposed class action lawsuit, highlighting the consequences of such breaches on collective privacy rights.
The dissemination of the stolen data appears to have occurred in phases, starting with the initial breach in late December 2023. Furthermore, officials noted subsequent leaks in April 2024, which they expected to continue into the summer, complicating efforts to secure affected accounts.
In a statement, National Public Data detailed the ongoing nature of the leaks, suggesting that the stolen data might surface intermittently. This indicates that the phased release of information may be a strategy by the perpetrators to avoid immediate detection and mitigation efforts.
Meanwhile, as part of their response, National Public Data has been actively cooperating with law enforcement to track down the perpetrators and mitigate the consequences of the breach.
Atlas Privacy and Pentester, cybersecurity firms, set up dedicated websites to help individuals determine if their data has been compromised. These platforms allow users to check whether their personal information is part of the leaked data.
Authorities advise individuals to closely monitor their financial accounts for signs of unauthorized activity, consult with the Federal Trade Commission and the Internal Revenue Service about identity theft, and employ credit monitoring services.
This breach has left many individuals vulnerable, prompting widespread calls for enhanced cybersecurity measures and greater accountability for data brokers who handle sensitive personal information.
In response to the breach, National Public Data has expressed its commitment to reviewing all potentially affected records and enhancing its security measures.
The company has also pledged to notify individuals of significant developments related to the breach. "It will try to notify you if there are further significant developments applicable to you," the company advised.
Moving forward, the data broker faces the significant task of rebuilding trust with its clients and the public, amidst growing scrutiny over data privacy practices and the responsibilities of data brokers.