National Public Data sued over apparent data breach, exposure of 2.9 billion people
Take action: This is nearly the biggest data breach in history - rivaling the Yahoo breach of 2013. If you were ever online, you are part of the breach. It's also a great lesson in how data greed comes back to hurt you. Unless you have a lot of money for a lawsuit, limit your data collection and enforce stringent data deletion. And push your lawmakers to adopt GDPR or similar regulation protecting personal data.
In April 2024, National Public Data (NPD) experienced a significant data breach that compromised sensitive personal information of more than 2.9 billion individuals. This breach is now the subject of a class-action lawsuit.
National Public Data compiles information from public record databases, national and state databases, and court records, and provides data to various clients, including background check websites, investigators, mobile app developers, and data resellers.
The company fell victim to a breach executed by a cybercriminal group known as USDoD. This group posted on the Breached forum on April 8th, claiming to possess a database titled "National Public Data," which contained personal data of 2.9 billion people. The stolen data was subsequently offered for sale for $3.5 million.
The breach exposed sensitive personal data of over 2.9 billion individuals. The stolen data was reportedly offered for sale on the dark web for $3.5 million. VX-Underground, a group that monitors malware and cybersecurity threats, confirmed the authenticity of the stolen data, verifying a 277.1GB file containing accurate information.
The compromised data included:
- Names
- Current and previous addresses (dating back at least three decades)
- Social Security numbers
- Information about parents, siblings, and other relatives (some deceased for over 20 years)
No details have been disclosed about the nature of the attack.
The lawsuit argues that National Public Data failed to adequately protect the personal information it collected. The plaintiffs allege that the company scraped data from non-public sources without consent and failed to implement necessary security measures to protect this data. The plaintiffs also argue that by collecting, using, and benefiting from this personal information, National Public Data assumed a duty to protect it from unauthorized access and breaches.
Update - as of 17th of August 2024, NPD posted a notice on its website stating that "there appears to have been a data security incident that may have involved some of your personal information. The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024."
NPD said the breached data includes:
- Names
- Email addresses
- Phone numbers
- Mailing addresses
- Social Security numbers
They claim to be cooperating with investigators and to have "implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems."
Update - as of 19th of August 2024, NPD informed Maine’s attorney general that the breach affected just 1.3 million individuals.
Security expert Troy Hunt, who runs HaveIBeenPwned, reviewed the leaked database and identified 134 million unique email addresses. This finding casts doubt on NPD’s claim that only 1.3 million individuals were impacted, as it seems unlikely that each affected person would have 100 or more email addresses.
The conflicting reports may mean that the breach’s scope is being underreported.