Over 2.7 Billion Records from National Public Data Exposed in Breach

Date: August 12, 2024


A massive data breach has exposed nearly 2.7 billion records of personal information from the United States on a hacking forum. The leaked data includes names, social security numbers, addresses, and possible aliases.  

This information is believed to have been scraped from public sources by National Public Data, a company that sells personal data for background checks and other purposes, Bleeping Computer reports.

The data was allegedly stolen and offered for sale by a threat actor known as USDoD, who previously attempted to sell similar data from the US, UK, and Canada for $3.5 million.  

However, the most recent and complete version of the stolen data was leaked for free on August 6th by a different threat actor named "Fenice."

The leaked data consists of two text files totaling 277GB, containing unencrypted records, though it is unclear if it covers every individual in the US. Some records include outdated information and incorrect social security numbers.  

The breach has resulted in class action lawsuits against National Public Data for failing to protect this sensitive information.

 

US residents are advised to monitor their credit reports for fraudulent activity and be cautious of phishing attempts, as previous leaks also contained phone numbers and email addresses.  

This breach highlights the severe risks of inadequate data protection and the potential widespread impact on individuals across the country.

Takeaway: This is part of a pattern we have been witnessing for about two decades now: wherever there is a concentration of valuable, sensitive, exploitable data we will see threat actors make efforts to compromise that data for financial gain.  

Information is the new currency, which is why we see companies and criminals putting so much focus on getting and maintaining access to it - especially when it may contain otherwise non-public information.  

What makes it valuable is that it has been aggregated and organized by individual. While the information is largely already available to attackers, they would have had to go to great lengths at great expense to put together a similar collection of data, so essentially NPD just did them a favor by making it easier.

These bits of data on their own are not very valuable, but when aggregated together they are - the sum is more valuable than the parts.

So far it sounds like the database was a collection of publicly available information, but nonetheless it is all personally identifiable information that can be leveraged in phishing attacks or for identity theft and other forms of fraud.  

What is of some concern is that the breach may contain some information that is not commonly collected and stored on individuals, such as nicknames and aliases, which can be very useful if attackers decide to target close associates like friends and family.  

Individuals and businesses need to be aware of how this kind of data can be exploited in criminal operations, and everyone should be more wary about the kinds of information they choose to share freely in public forums like social media or choose to store about people when there is no compelling reason to store it.

This is a case where an ostensibly legitimate company was collecting, organizing and storing massive amounts of information on individuals without their explicit permission and failing to ensure it is protected, which really puts them on almost the same level as the criminals who will now be looking to use the information for nefarious purposes.  

The monetization of our personal information - including the information we choose to expose about ourselves publicly - is far ahead of legal protections that govern who can collect what, how it can be used, and most importantly what their responsibility is in protecting it.  

It's sad to say, but luckily most of this kind of information is already public or has been exposed in other breaches, so individuals are likely no more exposed today than they were last week, because we collectively do a poor job of ensuring PII is protected.

Unfortunately, this genie is never going back in the bottle.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.