
National Public Data confirms breach, scope unknown

Reports suggest billions of personal records could have been compromised in the attack against data aggregator National Public Data, but the reality is more complicated.

Data aggregator National Public Data disclosed a breach Tuesday that could contain billions of personal records. But the reality behind the breach is more complicated.

NPD is a data aggregator that offers businesses background check services such as those involving criminal records. According to its website, customers can search "billions of records" and its services are used by "private investigators, consumer public record sites, human resources, staffing agencies and more."

On Tuesday, NPD published a breach disclosure on its website stating that a "third-party bad actor" first attempted to access data in the company's possession in December before seemingly leaking said data in April and this summer. Personal records including names, email addresses, phone numbers, Social Security numbers (SSN) and mailing addresses may have been accessed, NPD said.

A threat actor known as USDoD in April allegedly offered 2.9 billion personal records for sale, claiming the stolen data included records for the entire populations of the U.S., Canada and U.K. The asking price was $3.5 million USD in bitcoin or Monero.

"We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you," the disclosure read. "We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems."

Troy Hunt, longtime security practitioner as well as operator of data breach record checker Have I Been Pwned (HIBP), published a blog post Wednesday detailing his thoughts on the NPD breach, which has received news coverage claiming it is one of the largest data breaches of all time because of the alleged presence of billions of personal records.

Despite this fervor and a class action lawsuit, Hunt said, "we're talking about a data aggregator most people had never heard of where a 'threat actor' has published various partial sets of data with no clear way to attribute it back to the source."

Hunt analyzed samples of the data and found that while it was possible the data was obtained from a data aggregator like NPD, the records seemed to belong to a much smaller number of people than the 3 billion figure being reported. That would, at best, refer to the total number of data points in the leak. Moreover, Hunt found inaccurate data and data belonging to individuals who had been deceased for up to 20 years.

A large amount of personal data clearly made its way into the wild, which is problematic. But Hunt noted that most of the data present in the breach is likely already in circulation.

"The problem with verifying breaches sourced from data aggregators is that nobody willingly -- knowingly -- provides their data to them, so I can't do my usual trick of just asking impacted HIBP subscribers if they'd used NPD before. Usually, I also can't just look at a data aggregator breach and find pointers that tie it back to the company in question due to references in the data mentioning their service. In part, that's because this data is just so damn generic," Hunt wrote. "Take the earlier screenshot with the SSN data. How many different places have your first and last name, address, SSN, etc.? Attributing a source when there's only generic data to go by is extremely difficult."

TechTarget Editorial contacted NPD to gain more information about the scale of the breach but did not receive a response at press time.

Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, told TechTarget Editorial in an email that even if the breach includes information previously compromised, its massive scale warrants attention.

"Even if this breach doesn't add significantly to the pool of exposed data, it underscores the ongoing risks of identity theft and fraud, highlighting the need for vigilance in protecting personal information," he said. "This breach serves as a critical reminder that even if personal data has been exposed before, the concentration of such information in one place amplifies the risks, providing a one-stop shop for cybercriminals. Whether it's new data or a reshare, the sensitivity and scale of the exposed information mean this incident should not be underestimated, posing a significant threat to millions globally."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
