A data dump containing 2.7 billion records of personal information of people living in the United States, including their Social Security numbers, was recently leaked online. The contents of the data dump were linked to National Public Data, a company that extracts information from non-public sources and sells it for use in background checks. Now, the company has confirmed that there had been “a data security incident” in which people's names, email addresses, phone numbers, Social Security numbers and postal addresses had been stolen.
National Public Data’s wording in its security incident report is a bit vague and convoluted, but it attributed the security breach to a malicious third party. It said the attacker “was attempting to hack data in late December 2023” and that “possible leaks of certain data” occurred in April 2024 and summer 2024, indicating the hacker had successfully infiltrated its system. In April, a threat actor known as USDoD attempted to sell 2.9 billion records of people living in the United States, the United Kingdom, and Canada for $3.5 million. It claimed it had stolen the information from National Public Data. The records have since been leaked in fragments online, with the most recent being the most complete and containing the most sensitive information.
The company said it worked with authorities to review potentially affected records and will “try to notify” people “if there are any further significant developments affecting them.” It also said it posted the notice so those who were potentially affected can take action. The company is advising people to monitor their financial accounts for fraudulent transactions and is also encouraging them to obtain free credit reports and place a fraud alert on their file.
National Public Data is already facing a class action lawsuit filed in early August by a plaintiff who received a notification from his identity theft protection service that his personal information had been posted on the dark web. The plaintiff argued that the company failed to “adequately safeguard and protect the personally identifiable information it collected and maintained as part of its regular business practices.”