In August, a hacker dumped 2.7 billion data records, including Social Security numbers, on a dark web forum in one of the largest breaches in history.
The data may have been stolen from the background check service National Public Data at least four months ago. Each record contains a person's name, mailing address and Social Security number, but some also contain other sensitive information, such as the names of their relatives, according to Bloomberg.
How the data was stolen
This data breach is related to an incident on April 8, when a notorious cybercriminal group called USDoD claimed to have access to the personal data of 2.9 billion people from the United States, the United Kingdom, and Canada and was selling the information for $3.5 million, according to a class action lawsuit. USDoD is believed to have obtained the database from another threat actor using the alias “SXUL.”
This data was allegedly stolen from National Public Data, also known as Jerico Pictures, and the criminal claimed it contained records of all individuals from all three countries. At the time, malware website VX-Underground said this data dump contained no information about people using data opt-out services.
“Not everyone who used some kind of data opt-out service was present,” it posted on X.
Various cybercriminals then published different samples of this data, often with different entries and containing phone numbers and email addresses. But it was not until earlier this month that a user named “Fenice” leaked 2.7 billion unencrypted records on the dark web site known as “Breached”, in the form of two CSV files totalling 277 GB. These did not contain phone numbers or email addresses, and Fenice claimed the data came from SXUL.
Since each individual will have multiple records associated with them, one for each of their previous home addresses, the leak does not expose information on 2.7 billion different people. Additionally, according to BleepingComputer, some affected individuals have confirmed that the Social Security number associated with their information in the data dump is incorrect.
BleepingComputer also found that some of the records do not contain the associated person's current address, suggesting that at least some of the information is outdated. However, others have confirmed that the data did contain legitimate information about them and their family members, including those who have passed away.
The class action lawsuit added that National Public Data extracts personal information of billions of people from non-public sources to create their profiles. This means that the affected individuals may not have knowingly provided their data. People living in the US are the most likely to be affected by this breach in some way.
Experts TechRepublic spoke to suggest that people affected by the breach should consider monitoring or freezing their credit reports and remain on high alert for phishing campaigns targeting their email or phone number.
Companies should ensure that all personal data they hold is encrypted and stored securely. They should also implement other security measures such as multi-factor authentication, password managers, security audits, employee training, and threat detection tools.
TechRepublic has reached out to Florida-based National Public Data for a response. However, it has not yet acknowledged the breach or informed those affected. Existing details about the incident have been extracted from the lawsuit materials, and the company is currently under investigation by Schubert Jonckheer & Kolbe LLP.
The plaintiff, identified as Christopher Hofmann, said that on July 24 he received a notification from his identity theft protection service provider that his personal information had been compromised as a direct result of the “nationalpublicdata.com” breach and had been posted on the dark web.
What security experts say about the breach
Why are National Public Data records so valuable to cybercriminals?
Jon Miller, CEO and co-founder of anti-ransomware platform Halcyon, said the value of National Public Data records from a criminal's perspective comes from the fact that they have been collected and organized.
In an email to TechRepublic, he told us: “While the information is already largely available to attackers, they would have had to go to great effort and expense to gather a similar collection of data, so essentially NPD just did them a favor by making it easier.”
Oren Koren, COO and co-founder of security platform Veriti, added that information about deceased people could be reused for malicious purposes. In an email, he told TechRepublic: “With this ‘starting point,’ a person can try to create birth certificates, voting certificates, etc., which will be valid due to the fact that they have some of the information they need, the most important being the social security number.”
How can data breaches by aggregators be stopped?
Paul Bischoff, a consumer privacy advocate at tech research firm Comparitech, told TechRepublic in an email: “Background check companies like National Public Data are essentially data brokers that collect as much identifiable information as possible on as many people as they can, and then sell it to whoever is willing to pay for it. They collect much of the data without the knowledge or consent of the data subjects, most of whom have no idea what National Public Data is or does.
“We need stronger regulations and more transparency for data brokers that require them to inform data subjects when their information is added to a database, limit web scraping, and allow data subjects to view, modify, and delete data.
“National Public Data and other data intermediaries should be required to show data subjects where their information originally came from so that people can take proactive steps to protect their privacy at the source. Furthermore, there is no reason why compromised data should not have been encrypted.”
Miller added: “The monetization of our personal information, including information we choose to expose publicly about ourselves, is far ahead of the legal protections that govern who can collect what, how it can be used, and most importantly, what their responsibility is to protect it.”
Can businesses and individuals avoid becoming victims of a data breach?
Chris Deibler, vice president of security at security solutions provider DataGrail, said many of the cyber hygiene principles available to businesses and individuals would not have helped much in this case.
In an email, he told TechRepublic: “We are reaching the limits of what people can reasonably do to protect themselves in this environment, and real solutions must come at the corporate and regulatory level, including a standardization of data privacy regulation through an international treaty.
“The balance of power is currently not in favour of individuals. The GDPR and the various state and national regulations being implemented are good steps, but the prevention and consequence models in place today clearly do not discourage mass data aggregation.”