Risk & Repeat: National Public Data breach questions remain

The breach of data aggregator and background check service National Public Data has quickly become one of the most widely discussed security stories of the year, but core details regarding the incident remain in question.

On Aug. 13, National Public Data (NPD) disclosed that a "third-party bad actor" first attempted to access data belonging to the company in December. NPD said in its breach notification that the threat actor stole personal data that included names, email addresses, phone numbers, Social Security numbers (SSN) and mailing addresses.

The apparent threat actor behind the attack, who goes by "USDoD," claimed in a BreachForums post that they had access to billions of records belonging to the complete populations of the U.S., U.K. and Canada; samples of the alleged stolen data were leaked in April and again this summer.

But while there was significant fervor over the alleged 2.9 billion records stolen, it's still unclear how many individuals are affected and what risks they may be facing. In a breach notification published by the Office of the Maine Attorney General, NPD said 1.3 million individuals were affected by the breach. Additionally, Troy Hunt, owner of data breach record checker Have I Been Pwned (HIBP), noted in a blog post that the collection of records appears to include incorrect information, information already circulating in the wild, and information based on dead people.

On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi break down the NPD breach and discuss some of the big questions that are unanswered nearly two weeks later.

Subscribe to Risk & Repeat on Apple Podcasts.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.