On July 21, 2024, a significant data breach was reported involving NationalPublicData.com, a consumer data broker based in Florida known for collecting information for background checks. An alarming 4 terabytes of data were released on Breachforums, an underground platform frequented by cybercriminals. This incident has shaken the trust of many consumers, with reports indicating the exposure of sensitive personal information, including names, addresses, and Social Security Numbers (SSNs).
Investigators from cybersecurity services, including HaveIBeenPwned.com and the Twitter account vx-underground, traced the leaked data back to its initial offer on Breachforums in April 2024. Cybercriminal known as “USDoD” claimed responsibility for the sale, offering what they described as a vast repository of consumer information—specifically, 2.9 billion rows of records—including SSNs. While many outlets inaccurately reported that this breach affected 2.9 billion individuals, it was later clarified that the dataset comprised various records, including those belonging to millions of American individuals, both living and deceased.
In a public acknowledgment made by National Public Data on August 12, the company pointed to a data security incident that began with hacking attempts as early as December 2023 and resulted in data leaks in the following months. Their statement suggested that the breach may have compromised a range of personal details, including name, email address, phone number, SSN, and physical addresses.
Troy Hunt, a data security expert, conducted an analysis and noted the presence of 137 million unique email addresses in the breached dataset, but reassured that no email addresses were associated with the SSN records. It was determined that the potentially compromised information predominantly belonged to individuals aged 70 and older, with many entries linked to people who are now likely deceased.
National Public Data operates under Jerico Pictures Inc., a company with connections to Salvatore Verini Jr., a former deputy sheriff and actor. The sources of data for National Public Data remain largely ambiguous; however, previous affiliations of Verini suggest a reliance on public records collected from various government entities, such as property tax records and marriage licenses.
As the breach’s implications unfold, the concern skyrockets among business owners and consumers alike. Attack vectors may have included initial access via phishing methods or exploitation of software vulnerabilities, which are consistent with techniques outlined in the MITRE ATT&CK framework. Persistence methods could have allowed the perpetrators to maintain access while privilege escalation tactics may have been employed to access more sensitive areas of the network.
In light of the breach, individuals are advised to take protective steps, including credit freezes and monitoring for suspicious activity. The incident underscores the pressing need for comprehensive consumer data protection laws, an area where current regulations lag significantly behind technological advances and data brokerage practices. As vulnerabilities continue to evolve, the cadences of breaches like that of National Public Data highlight the imperative for stringent cybersecurity measures and enhanced regulatory frameworks to safeguard sensitive information.
