Nearly 2.7bn records, purportedly from data broker National Public Data, have been exposed. The data, which reportedly contains the personal information of millions of US citizens, was published on the ‘Breached’ hacking forum late last week. The records contain names, social security numbers, physical addresses and online aliases used in background checks and sourced by National Public Data. The breach is the second of its type this year following the attempted sale of 2.9bn records by a threat actor named “USDoD” for $3.5m, which the hacker claimed were sourced from National Public Data’s trove of information on US, UK and Canadian citizens.

At least four class action lawsuits have been filed against the organisation in response to the alleged breach. One of these suits claims that its signatories have already been exposed to a “heightened and imminent risk of fraud” as a result of the incident, adding that they “must now and in the future closely monitor their financial accounts to guard against identity theft.”


Multiple attempts to sell National Public Data records

Several threat actors in recent months have attempted to sell data they claim has been siphoned from National Public Data and other such repositories. For their part, USDoD had previously been linked to attempts at selling data from several stolen databases, including an attempt in December 2023 to sell the InfraGard user database for $50,000.

The newest leaked dataset from National Public Data comprises two text files totalling 277GB, with 2.7 billion records in plaintext. According to a hacker named Fenice, the trove originated not from USDoD but from another actor, “SXUL”. The authenticity and scope of the data have been verified by multiple individuals who found their own and their deceased relatives’ legitimate information included.

The record count in National Public Data’s most recent breach does not reflect the actual number of affected individuals, as one person may appear multiple times for different addresses. Additionally, the information might be outdated, suggesting it was possibly extracted from an older backup, as none of the checked records showed current addresses. Perhaps unsurprisingly, the disclosure has led to several class action lawsuits against Jerico Pictures, which is alleged to operate as National Public Data, accusing the company of failing to secure personal data adequately.

Potential victims warned to monitor credit reports

Given the exposure of millions of social security numbers and prior leaks including phone numbers and email addresses, affected individuals are advised to monitor their credit reports for potential fraud and remain alert to phishing and deceptive SMS schemes that may exploit the leaked information.

A recent study by IBM has highlighted a sharp increase in the financial impact of data breaches, with annual costs now averaging $4.88m. According to IBM’s annual ‘Cost of a Data Breach Report,’ this represents a 10% increase in costs year-on-year – the most substantial rise since the pandemic.

The report also found that 70% of organisations affected by breaches experienced significant disruptions. IBM cites escalated costs due to lost business and the subsequent responses from customers and third parties as key factors driving this increase.
