Major background check firm National Public Data was recently hit with a class-action lawsuit claiming that the personal data of nearly three billion people was leaked online.
A cybercriminal group known as ASDoD put the database up for sale online for $3.5 million, but there is no evidence anyone has yet paid the sum.
If confirmed, it could be one of the largest data breaches on record. Or would it? Troy Hunt, one of the most recognized security experts and founder of the data breach site Have I Been Pwned, investigated the breach and found that much of the information surrounding the incident did not seem to add up.
Did ASDoD inflate the numbers?
First, Hunt notes, the database's initial posting on the dark web claimed it contained 2.9 billion rows of data and that this was the entire population of the US, Canada and the UK, which, at last count, do not have a combined population of 2.9 billion.
ASDoD also claimed the database contained social security numbers (SSNs), which, Hunt notes, “are a fairly American construct, as Canada has SINs (social insurance numbers) and the UK has, well, NIs (national insurance) numbers are probably the closest equivalent.”
Second, ASDoD’s post claimed that the database is 200GB compressed, which expands to 4TB uncompressed, but when Hunt and cybersecurity repository vx-underground checked, the total file size only amounted to 277.1GB uncompressed. What’s more, when checking the database for verifiable data and social security numbers, Hunt found that the first six rows were for the same person, just with alternating first and last names, and they were listed at different addresses in the same city.
Taking a larger sample of the data, Hunt found that of the 100 million rows in the sample, only 31% contained a unique Social Security number. This means that a significant amount of the data contains legitimate personal information and Social Security numbers for thousands of victims, but the scale may be slightly lower than 2.9 billion people, and may instead be only 2.9 billion rows of duplicated data.
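The kind of sanity check described above (rows versus unique SSNs, and one SSN repeated under swapped names and several addresses) can be sketched as follows. This is an added example, not Hunt's tooling; the column layout, function names and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (000-prefixed SSNs are never issued).
# The column layout is an assumption, not the leaked file's real schema.
SAMPLE = """first,last,address,city,ssn
ALEX,MORGAN,12 OAK ST,SPRINGFIELD,000-00-0001
MORGAN,ALEX,98 ELM AVE,SPRINGFIELD,000-00-0001
ALEX,MORGAN,4 PINE RD,SPRINGFIELD,000000001
MORGAN,ALEX,12 OAK ST,SPRINGFIELD,000-00-0001
JAMIE,LEE,7 LAKE DR,RIVERTON,000-00-0002
,,,RIVERTON,
"""

def normalize_ssn(raw):
    """Return the 9-digit form of an SSN field, or None if it is not 9 digits."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return digits if len(digits) == 9 else None

def summarize(stream):
    """Compare the row count with the number of distinct SSNs in a CSV stream."""
    total = 0
    names = defaultdict(set)      # SSN -> order-insensitive name pairs
    addresses = defaultdict(set)  # SSN -> distinct (address, city) pairs
    for row in csv.DictReader(stream):
        total += 1                # every row counts toward the advertised size
        ssn = normalize_ssn(row["ssn"])
        if ssn is None:
            continue              # row carries no usable SSN
        # A frozenset makes "ALEX MORGAN" and "MORGAN ALEX" the same identity.
        names[ssn].add(frozenset((row["first"].upper(), row["last"].upper())))
        addresses[ssn].add((row["address"].upper(), row["city"].upper()))
    unique = len(names)
    return {
        "rows": total,
        "unique_ssns": unique,
        "unique_ratio": unique / total if total else 0.0,
        "multi_address_ssns": sorted(s for s, a in addresses.items() if len(a) > 1),
        "name_sets_per_ssn": {s: len(n) for s, n in names.items()},
    }

if __name__ == "__main__":
    print(summarize(io.StringIO(SAMPLE)))
```

On the constructed sample, six rows collapse to two distinct SSNs, and the first SSN spans three addresses under a single name pair, which is the pattern Hunt describes in the opening rows.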
As for the legitimacy of the data, Hunt had difficulty attributing the database to a single source because of how generic it was. In Hunt’s words, “How many different places have your first and last name, address, social security number, etcetera?”
Curious, Hunt also looked up his own information to see if it had been included in the leak. His email appeared in 28 different rows, but without his name, address or correct birth date, indicating that much of the data could be inaccurate and mismatched between victims.
Hunt speculates that the leak was so widely disseminated on social media and in the news media because of the initial legitimacy of the social security numbers in the first leak, as subsequent data breaches were swallowed up in the “biggest data breach in history” hype. Hunt also suggests that since NPD is a data brokerage firm, they could have siphoned off a massive amount of publicly available data into the database before it was stolen.
Ultimately, there are a number of Social Security numbers that could be legitimate, but the data included in the leak shows that they may not be displayed with the correct names and addresses. However, there are 134 million email addresses in public circulation that could be used to conduct phishing attacks or target people who do not have adequate protection against identity theft.