National Public Data confirms breach that exposed Americans' social security numbers
The billions of records stolen from the company had been leaked online
A data dump that contains 2.7 billion records of personal information for people living in the US, including their Social Security Numbers, have recently been leaked online. The data dump's contents were linked to National Public Data, a company that scrapes information from non-public sources and sells it for background checks. Now, the company has confirmed that it did have "a data security incident" wherein people's names, emails, addresses, phone numbers, social security numbers and mailing addresses had been stolen.
National Public Data's wording in its Security Incident report is a bit a vague and convoluted, but it did blame the security breach on a third-party bad actor. It said that the bad actor "was trying to hack into data in late December 2023" and that "potential leaks of certain data" took place in April 2024 and summer 2024, indicating that the hacker had successfully infiltrated its system. In April, a threat actor known as USDoD tried to sell 2.9 billion records of people living in the US, UK and Canada for $3.5 million. It claimed that it stole the information from National Public Data. Since then, the records have been leaked in chunks online with the more recent one being more comprehensive and containing more sensitive information.
The company said it worked with law enforcement to review potentially affected records and will "try to notify" individuals "if there are further significant developments applicable" to them. It also said that it published the notice so that those who were potentially affected can take action. The company is advising people to monitor their financial accounts for fraudulent transactions, and it's also encouraging them to get free credit reports and to put a fraud alert on their file.
The National Public Data is already facing a proposed class action lawsuit that was filed in early August by a plaintiff who received a notification from their identity theft protection service that their personal information was posted on the dark web. They argued that the company failed "to properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices."