National Public Data (NPD), a reseller of collected personal data, has confirmed a significant data breach of approximately three billion records, including names, social security numbers, and physical addresses.
The breach was first brought to light last week by dark web forum posters, who have been advertising and sharing the stolen data for several months. National Public Data has now acknowledged the breach via a Security Incident page on its website, though many details remain undisclosed.
The breach is believed to have been instigated by a threat actor in late December 2023, with subsequent potential data leaks in April 2024 and the summer of 2024.
Troy Hunt, operator of Have I Been Pwned, analysed the files posted to hacking forums and noted inconsistencies in the data’s linkage to specific individuals.
National Public Data has stated that it is collaborating with law enforcement and governmental investigators, is reviewing the potentially affected records, and will notify individuals of any significant developments.
However, the company’s website does not specify the number of people impacted, nor does it offer compensation or provide direct contact avenues for further information. Instead, it advises individuals to monitor their credit reports closely.
The exposed records were reportedly first published on the ‘Breached’ hacking forum and purported to contain the personal information of millions of US citizens.
The latest dataset leaked from National Public Data includes two text files, totalling 277GB and containing 2.7 billion records in plaintext.
A hacker known as Fenice disclosed that this data originated not from the previously suspected actor, USDoD, but from another source named “SXUL.” The validity and breadth of this data have been confirmed by several individuals who discovered legitimate information about themselves and their deceased relatives within the files.
This breach follows the attempted sale of 2.9 billion records by a threat actor known as “USDoD” earlier this year, claiming the data were sourced from National Public Data’s extensive information on US, UK, and Canadian citizens.
In response to these breaches, at least four class action lawsuits have been initiated, with one claiming the signatories face a heightened risk of fraud and will need to monitor their financial accounts vigilantly.
Major data breaches around the world in recent times
Recent cybersecurity incidents have unveiled significant vulnerabilities across diverse industries, affecting millions globally. In one of the largest breaches, project management tool Trello was compromised in January 2024, with hackers leaking information related to 15 million users, including names and email addresses, emphasising the risks tied to digital tools.
Norton Healthcare also faced a breach in May 2023, impacting 2.5 million people by granting unauthorised access to patient and employee information, spotlighting concerns in healthcare data security.
Another breach hit AnyDesk in February 2024, when its production systems were compromised, affecting countless remote desktop users, and showcasing vulnerabilities in remote access software.
Read more: Over half of data breaches at UK law firms caused by staff, says new research
