Background-check giant confirms security incident leaked millions of SSNs
One of the largest companies that conducts background checks confirmed that it is the source of a data breach causing national outrage due to the millions of Social Security numbers leaked.
In a statement on Friday, National Public Data said it detected suspicious activity in its network in late December, and subsequently a hacker leaked certain tranches of data in April and throughout the summer.
“The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. We conducted an investigation and subsequent information has come to light,” the Florida-based company said.
“The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
National Public Data said it “cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records.”
The company plans to notify those affected if there are other updates. It is unclear how someone would know they are affected by the breach, but the company urged people to monitor their financial accounts for unauthorized activity.
Cybersecurity experts have known about the leaks since April, but since then the company has refused to respond to repeated requests for comment from Recorded Future News. The company stayed tight-lipped about the incident until this week, when concern about the troves of Social Security numbers (SSNs) exposed went viral on social media.
Companies and private investigators pay National Public Data to obtain criminal records, background checks and more — with the company allowing them to search billions of records instantly.
On April 7, a well-known hacker going by the name USDoD posted a database on the criminal marketplace Breached claiming it contained 2.9 billion records on U.S. citizens. The cybercriminal — best known for leaking data stolen from European aerospace giant Airbus — said it came from another hacker named “SXUL” and offered the information for $3.5 million.
USDoD Allegedly Breached National Public Data Database, Selling 2.9 Billion Records https://t.co/emQIZ0lgsn — Dark Web Intelligence (@DailyDarkWeb) April 8, 2024
While it is unclear whether anyone paid for the information, the hacker began leaking parts of the database in June and others continued to offer it for sale throughout the summer.
Several cybersecurity experts, including data breach expert Troy Hunt, have confirmed that while the database contains duplicates, much of the information is accurate.
The data contains a person’s first and last name, three decades of address history and Social Security number. Some experts said they were also able to find a person’s parents, siblings and immediate relatives. The database includes people living and dead.
Some have noted that people who use data opt-out services were not included in the database.
While some news outlets and social media platforms have erroneously reported that 2.9 billion people had information in the breach, Hunt estimated that the database included about 899 million unique SSNs.
The FBI and other U.S. cybersecurity agencies did not respond to requests for comment.
National Public Data is already facing lawsuits over the breach. A complaint was filed in the U.S. District Court for the Southern District of Florida two weeks ago after a California resident said he got a notice from his identity-theft protection service provider in July about the breach.
DataGrail vice president Chris Deibler said the breach shows we “are reaching the limits of what individuals can reasonably do to protect themselves in this environment.”
“The balance of power right now is not in the individual's favor. [The European Union’s] GDPR and the various state and national regulations coming online are good steps, but the prevention and consequence models in place today clearly do not disincentivize mass aggregation of data,” he said.
Akhil Mittal of Synopsys Software Integrity Group added that the number of records will draw headlines but the long tail of effects on people could last years. Millions of real people will be dealing with identity theft, fraud and more for years to come due to the breach, he said.
Mittal echoed Deibler’s comments, arguing that a larger conversation needs to be started about data privacy and protection.
“It’s time for stricter regulations and better enforcement to make sure companies are really protecting our information,” Mittal said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.