Background check provider National Public Data (NPD) has confirmed a data breach after hackers leaked a stolen database containing millions of Social Security numbers and other sensitive information. The compromised data reportedly includes names, email addresses, phone numbers, Social Security numbers (SSNs), and mailing addresses.
The breach has been linked to a hacking attempt from late 2023. NPD acknowledged data leaks in April and summer 2024, attributing them to the same threat actor responsible for the December 2023 incident. The company has since investigated the breach, cooperated with law enforcement, and reviewed the affected records. If significant developments arise, impacted individuals will be notified.
However, BleepingComputer reports that NPD’s security incident statement has been blocked for specific US and international IP addresses, though archived versions are available online.
The data leak began in April with a malicious actor offering to sell 2.9 billion records for $3.5 million. It escalated when another actor, Fenice, released a more comprehensive variant with 2.7 billion records for free. Multiple records may refer to the same individuals, and not all information appears accurate or up-to-date.
Troy Hunt, creator of the Have I Been Pwned (HIBP) service, analyzed one version of the leaked database and identified 134 million unique email addresses. Some records contained mismatched names and outdated details, raising concerns about data accuracy.
In the wake of the breach, NPD faces at least one class-action lawsuit against its operator, Jerico Pictures. The company is believed to source data from public records, including government files related to individuals.
Those affected by the NPD breach are advised to monitor financial accounts for fraudulent activity and report suspicious behavior to credit bureaus. Additionally, due to the exposure of contact information, there is an increased risk of phishing attempts.
Guy, CEO and Founder of global cybersecurity firm Performanta, says this isn’t anything new. “Granted, we haven’t seen a breach of social security numbers on this scale before, but it happens all day, every day, in smaller chunks.”
Every social security number was likely leaked on the dark web multiple times before this most recent attack. Golan says the idea that you can’t give out your social security number because it’s ‘your biggest secret’ no longer exists.
“But importantly, the world hasn’t collapsed. The right controls are in place to ensure attacks like this don’t cause mass chaos. It just brings awareness that having social security numbers is an outdated concept. We now live in an age of two-factor authentication and biometrics. It may well be that the government needs to reconsider the whole concept of social security numbers in light of the technology we now have to defend against attacks and protect the security of its citizens.”
What is essential to understand that cybersecurity is not the individual’s responsibility, stresses Golan. “Following basic guidance is useful, but corporations and governments must defend their citizens. Make no mistake: these are attacks. Just because they lack physicality doesn’t make them any less real, and they’ll only become more dangerous to society and the economy. It’s time to take a cyber safety approach, pushing past mere compliance and tick-boxing exercises and treat the threat with the severity it requires.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.