Billions of records stolen from this company have been disclosed online.
Recently, a data dump containing 2.7 billion records of personal information of U.S. residents, including Social Security numbers, was circulated online. This data dump was linked to National Public Data, a company that gathers information from non-public sources and sells it for background checks. The company has confirmed that it experienced a “data security incident” in which names, emails, addresses, phone numbers, Social Security numbers, and postal addresses were stolen.
National Public Data’s report on this security incident is somewhat vague, but the company attributed the breach to the actions of a malicious third party. They indicated that this actor “attempted to access the data in late December 2023” and that “possible leaks of certain data” occurred in April and during the summer of 2024, suggesting that the intruder successfully infiltrated their system. In April, a threat group known as USDoD attempted to sell 2.9 billion records of people living in the United States, the United Kingdom, and Canada for $3.5 million, claiming that the information was stolen from National Public Data. Since then, the records have been leaked in parts, with the most recent being the most complete and sensitive.
The company stated that it has worked with authorities to review the potentially affected records and that it “will seek to notify” individuals “if significant new developments that impact them arise.” Additionally, it issued a notice so that those who might have been affected can take preventive measures. National Public Data is advising people to monitor their financial accounts for suspicious transactions, obtain free credit reports, and activate a fraud alert on their files.
National Public Data is already facing a class-action lawsuit filed in early August by a plaintiff who received a notification from their identity theft protection service, informing them that their personal information had been posted on the dark web. The plaintiff argues that the company did not “adequately safeguard the personally identifiable information it collected and maintained as part of its regular business practices.”
By: Nestor Castillo, ForAllTEchNews Director