In a new and concerning development, a massive data breach may have exposed the personal information of billions of individuals, including sensitive details such as Social Security numbers, current and past addresses, and even the names of siblings and parents. This breach could allow fraudsters to infiltrate financial accounts or take out loans in the names of unsuspecting victims. The breach is now at the center of a lawsuit that sheds light on the extent of the damage and the parties involved.
Contents
- 1 The Lawsuit: A Dark Web Alert
- 2 National Public Data’s Response
- 3 Understanding National Public Data
- 4 The USDoD Hack: What Happened?
- 5 Impact of the Breach: How Many People Were Affected?
- 6 How to Find Out if Your Data Was Compromised
- 7 Protecting Your Information: Steps You Should Take
- 8 Final Thoughts
The Lawsuit: A Dark Web Alert
The breach was brought to public attention through a lawsuit filed by Christopher Hofmann, a resident of California. Hofmann’s identity theft protection service alerted him that his personal information had been leaked to the dark web, specifically by a breach related to “nationalpublicdata.com.” This lawsuit, which Bloomberg Law first reported, outlines the alarming scope of the breach.
The breach allegedly occurred around April 2024, orchestrated by a hacker group known as USDoD. This group managed to exfiltrate unencrypted personal data from a company called National Public Data (NPD), a background check service. The stolen data was later leaked on a hacker forum, with reports from tech site Bleeping Computer indicating that 2.7 billion records were made available. Each record reportedly includes a person’s full name, address, date of birth, Social Security number, and phone number. Although the exact number of affected individuals remains unclear, the sheer scale of the breach suggests that nearly everyone with a Social Security number may have been impacted.
Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, emphasized the significance of this breach. “It’s a reminder of the importance of protecting yourself because companies and the government aren’t doing it for us,” Steinhauer told CBS MoneyWatch.
National Public Data’s Response
In response to the breach, National Public Data posted a statement on its website, acknowledging that a “third-party bad actor” attempted to hack into their data in late December 2023. The potential leaks of certain data occurred in April 2024 and throughout the summer of the same year. The company claims it works closely with law enforcement and government investigators to address the situation. NPD also assured that they would notify individuals if any significant developments might affect them directly.
Understanding National Public Data
National Public Data, based in Coral Springs, Florida, is a data company that provides background checks for employers, investigators, and other businesses. The company’s services include searches for criminal records, vital records, Social Security number traces, and more. However, NPD is just one of many companies that scrape public data to create consumer files, which are then sold to other businesses.
“They are data brokers that collect and sell data about people, sometimes for background check purposes,” Steinhauer explained. The U.S.’s lack of a national privacy law allows these companies to collect data without individuals’ consent, creating a significant privacy concern.
The USDoD Hack: What Happened?
The lawsuit claims that on April 8, the USDoD posted a database called “National Public Data” on the dark web, offering records for approximately 2.9 billion individuals for a purchase price of $3.5 million. However, as mentioned earlier, the file was leaked for free on a hacker forum.
Impact of the Breach: How Many People Were Affected?
The exact number of individuals affected by the breach remains uncertain. While the lawsuit claims that “billions of individuals” had their data stolen, the total population of the U.S. is only about 330 million. This discrepancy suggests that the number of affected individuals could be lower than initially reported. Additionally, the data may include the personal information of deceased individuals, further complicating the scope of the breach.
Bleeping Computer reports that the hacked data involves 2.7 billion records, with individuals possibly having multiple records in the database. For instance, one person might have separate records for each address they’ve lived at, which means the number of impacted individuals could be far lower than the lawsuit claims. The data also appears to date back at least three decades, according to law firm Schubert Jonckheer & Kolbe, who investigated the breach.
How to Find Out if Your Data Was Compromised
For those concerned about whether their data was part of the hack, tools are available to monitor what information about them is available on the dark web. Michael Blair, managing director of cybersecurity firm NukuDo, advises consumers to use reputable companies to check for breaches. These tools can help identify if your addresses, passwords, and email have been exposed.
Hofmann, the plaintiff in the lawsuit, discovered his information was leaked as part of the NPD breach through such a service.
Protecting Your Information: Steps You Should Take
Security experts strongly recommend that consumers immediately protect their personal information. One of the most important steps is to freeze your credit files at the three major credit bureaus: Experian, Equifax, and TransUnion. Freezing your credit is free and will prevent bad actors from taking out loans or opening credit cards in your name.
“The biggest thing is to freeze your credit report so it can’t be used to open new accounts in your name and commit other fraud,” Steinhauer advised.
Additionally, Steinhauer suggests several other steps to secure your data and finances:
- Ensure that your passwords are at least 16 characters long and complex.
- Use a password manager to store these long, complex passwords securely.
- Enable multifactor authentication, which adds an extra layer of security beyond just a password.
- Be vigilant against phishing and other scams; scammers often try to create a sense of urgency to manipulate their victims.
- Keep your security software updated on your computer and other devices, including downloading the latest security updates from Microsoft or Apple.
- Consider using a tracking service to alert you if your data appears on the dark web.
“You should assume you have been compromised and act accordingly,” Steinhauer cautioned.
Final Thoughts
In the wake of this massive breach, taking proactive steps to protect your personal information is crucial. With billions of records potentially exposed, the threat of identity theft and other forms of fraud looms large. Following the recommended security measures can help safeguard your data and minimize the risks associated with this breach.
