The company whose data breach potentially exposed every American's Social Security number to identity thieves has finally acknowledged the data theft and said hackers obtained even more sensitive information than previously reported.
National Public Data, a Florida-based company that collects personal information for background checks, posted a “Security Incident” notice on its site to report “potential breaches of certain data in April 2024 and the summer of 2024.” The company said the breach appeared to involve a third party “that was attempting to hack data in late December 2023.”
According to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, the USDoD hacking group claimed in April to have stolen the personal records of 2.9 billion people from National Public Data. On a forum popular with hackers, the group offered to sell the data, which included records from the United States, Canada and the United Kingdom, for $3.5 million, a cybersecurity expert said in a post on X.
Last week, a purported member of the U.S. Department of Defense, identified only as Felice, told the hacker forum that they were offering “the entire NPD database,” according to a screenshot taken by BleepingComputer. The information consists of some 2.7 billion records, each of which includes a person’s full name, address, date of birth, Social Security number and phone number, along with alternate names and dates of birth, Felice said.
None of the information was encrypted.
Such a disclosure would be problematic enough, but according to National Public Data, the leak also included email addresses, a crucial piece of information for identity thieves and scammers.
Having a person's email address makes it easier for them to be targeted with phishing attacks, which attempt to trick them into revealing financial account passwords or downloading malware that can extract sensitive personal information from their devices. Additionally, because many people use their email address to log into online accounts, it could be used to try to hijack those accounts through password resets.
It’s not clear what exactly has been leaked on the dark web in the wake of the breach. In a very small sample of scans conducted using Google One, email addresses taken during the national public data breach did not appear. But a free tool from cybersecurity firm Pentester found that other personal data allegedly exposed by the breach, including Social Security numbers, was on the dark web.
National Public Data said on its website that it will notify people if there are “significant new developments” that affect them. “We have also implemented additional security measures in an effort to prevent the recurrence of such a breach and protect our systems,” it said.
Earlier, in an email sent to people who had requested information about their accounts, the company said it had “purged the entire database, in its entirety, of any and all entries, which basically excluded everyone.” As a result, it said, it has removed any “non-public personal information” about people, though it added: “We may be required to retain certain records to comply with legal obligations.”
The company did not respond to a request for comment. Under several state laws, including California's, companies are required to notify anyone whose personal information they reasonably believe has been taken by an unauthorized person.
At this time, it appears that the only notice provided by National Public Data is the page on its website, which states: “We are notifying you so that you can take steps to help minimize or eliminate potential harm. We strongly encourage you to take preventative steps to help prevent and detect any misuse of your information.”
Steps recommended by National Public Data include checking your financial accounts for unauthorized activity and placing a free fraud alert on your accounts at the three major credit bureaus, Equifax, Experian and TransUnion. Once you've placed a fraud alert on your account, the company advised that you request a free credit report and then review it for accounts and inquiries you don't recognize. “These can be signs of identity theft.”
Security experts also recommend freezing your credit files at the three major credit bureaus. You can do this for free, and it will prevent criminals from taking out loans, applying for credit cards, and opening financial accounts in your name. The trick is that you'll need to remember to temporarily lift the freeze if you're getting or applying for anything that requires a credit check.
In the meantime, security experts say, make sure all your online accounts use two-factor authentication to make them harder to hijack.
It's also important to look for signs that an email or text message isn't legitimate, given the proliferation of “imposter scams.” Using messages disguised to look like an urgent inquiry from your bank or service provider, these scams attempt to trick you into revealing the keys to your identity and, potentially, your savings. Any request for sensitive personal information is a big red flag.
Aleksandr Valentij of cybersecurity firm Surfshark suggested carefully checking the sender's email address to see if it doesn't exactly match the name of the organization they purport to represent and looking for typos or grammatical errors — two telltale signs of a scam. And if the message comes from someone you've never interacted with before, Valentij said, avoid clicking on links, including an “unsubscribe” link or button, because malicious actors will use them for malicious purposes.
“If you suspect you have received a phishing email, do not interact with it and report it to your email provider,” Valentij said. “If it is someone impersonating a legitimate organization, you should also report it to that organization. Once you have done this, delete the email and be on the lookout for similar emails in the future.”