In August, a perpetrator released 2.7 billion data records, including Social Security numbers, on an underground online platform, in one of the largest breaches on record.
The information may have been stolen from National Public Data, a background check service, approximately four months ago. Each entry includes an individual’s name, residential address, and SSN, and some records also contain additional confidential details, such as familial names, according to a Bloomberg article.
Details of the Data Breach
The recent data leak is linked to an incident in early April, when a notorious hacker group known as USDoD claimed to possess personal data from 2.9 billion individuals across the U.S., U.K., and Canada and offered to sell it for $3.5 million, according to a lawsuit filing. It is believed that USDoD acquired the data from another threat actor operating under the alias “SXUL.”
The stolen information purportedly originated from National Public Data, also known as Jerico Pictures, and the criminal claimed that it covered profiles for all citizens in the three countries mentioned. At that time, the malicious site VX-Underground indicated that the leak did not include details of people using data opt-out services.
According to the post on X, “People who opted out of data services were not included.”
Various cybercriminals subsequently shared different snippets of this data, often containing different entries with phone numbers and email addresses. However, it was only recently that an individual identified as “Fenice” disclosed 2.7 billion unencrypted entries on the underground web platform named “Breached,” presented in two CSV files totaling 277 GB. These files did not contain phone numbers or email addresses, and Fenice said that the data originated with SXUL.

Since each individual may have multiple records linked to them, corresponding to their past addresses, the breach does not expose the details of 2.7 billion distinct individuals. Additionally, according to BleepingComputer, some affected persons have confirmed that the SSN connected to their account in the data dump is inaccurate.
BleepingComputer’s investigation found that some entries lack the current address of the associated person, indicating that part of the information may be outdated. Nonetheless, others have confirmed that the data includes legitimate information about them and their family members, including those who are no longer alive.
The lawsuit highlighted that National Public Data retrieves the identifiable information of billions of individuals from private sources to generate profiles. This implies that the affected individuals may have had their data collected without their knowledge. Individuals residing in the U.S. are expected to be significantly impacted by this breach in some manner.
Experts interviewed by TechRepublic suggest that affected individuals should consider monitoring or securing their credit reports and be vigilant against potential phishing attempts targeting their email or phone numbers.
Organizations must ensure that any personal data in their custody is encrypted and securely stored. They should also deploy additional security measures such as two-factor authentication, password vaults, security assessments, staff training, and threat-detection technologies.
TechRepublic has contacted Florida-based National Public Data for a statement, but the company has not responded regarding the breach or the notification of affected individuals. Information on the incident comes from the legal documents, and the firm is currently being investigated by Schubert Jonckheer & Kolbe LLP.
Christopher Hofmann, the lead plaintiff, said he received an alert from his identity theft protection provider on July 24 informing him that his personal details had been compromised in the breach at “nationalpublicdata.com” and subsequently published on the dark web.
Insights from Security Authorities on the Breach
Why are the National Public Data records coveted by cyber offenders?
Jon Miller, Chief Executive Officer and co-founder of the anti-ransomware firm Halcyon, explained that the appeal of National Public Data records to criminals stems from their comprehensive and organized nature.
In an email to TechRepublic, he said, “Even though the information is readily accessible to attackers, assembling a similar dataset would have required significant effort and expense; consequently, NPD simplified this process for them.”
Oren Koren, Chief Privacy Officer and founding member at security platform Veriti, pointed out that information related to deceased individuals might be reused for malicious purposes. He said in an email to TechRepublic, “Starting from this point, an individual could attempt to forge birth certificates, voting certificates, and more, all of which will hold validity because they possess some of the necessary information, with the crucial one being the social security number.”
Strategies to prevent breaches by data aggregators
Paul Bischoff, consumer privacy advocate at technology research company Comparitech, told TechRepublic via email, “Companies conducting background checks like National Public Data act as data agents who amass as much identifiable data as they can about every possible person, and subsequently sell it to whoever is willing to pay. They gather a significant portion of this data without the awareness or consent of the data subjects, most of whom are unaware of the activities of National Public Data.”
“We must have stricter regulations and increased transparency for data agents mandating them to notify data subjects when their information is included in a database, restrict web scraping, and allow data subjects to view, amend, and erase their data.
“National Public Data and other data agencies should be obligated to disclose to data subjects the origin of their information so that people can proactively safeguard their privacy from the source. Additionally, there is no justification for the compromised data to remain unencrypted.”
Miller stated, “The commercialization of our personal data — encompassing the details we opt to disclose publicly — supersedes the legal safeguards dictating who can gather what information, how it can be utilized, and most critically, the duties in ensuring its protection.”
Steps for businesses and individuals to fend off data breaches
Chris Deibler, Vice President of security at DataGrail, a provider of security solutions, said that many of the cybersecurity fundamentals available to businesses and individuals would have had limited effect in this particular case.
He said in an email to TechRepublic, “We are reaching a point where individuals have exhausted their capacity to safeguard themselves in this milieu, and concrete solutions must emerge at the organizational and regulatory levels, extending to the normalization of data privacy regulations through international agreements.
“The current state of affairs tilts the power balance against individuals. While GDPR and the various regional and national regulations being introduced are positive steps, the current models for prevention and repercussions clearly do not discourage the widespread accumulation of data.”
