In what some consider the largest data breach on record, National Public Data, a background-checking company, has released personal information on 3 billion individuals. This breach was first discovered in April 2024 and carried out by the hacker group USDoD. It has had additional legal, financial, and personal ramifications since then.
Breach Details
The data contained sensitive personal information like the full name, Social Security numbers, the address, and information about members of his family. The data was stolen, after which it appeared on a dark web market that, in turn, listed it for sale. In total, there are about 277.1 GB of leaked data, with some 2019–2024 records.
How the Breach Occurred?
National Public Data, operated by Jerico Pictures, used a method known as “scraping” to collect personally identifiable information (PII) from non-public sources without explicit consent from individuals. This data aggregation method left the information vulnerable to cyber-attacks​. The initial breach was carried out by a hacker known as SXUL, who later transferred the stolen data to USDoD, which acted as a broker, selling the data for $3.5 million​.
Data Exposed
The stolen data includes:
- Full names
- Social Security numbers
- Current and former addresses (dating back 30 years)
- Family member details​.
Geographical Impact
The majorly affected group in the breach was the US residents, with some being Canadians and from the UK. Moreover, the leaked data did not cover any persons who had opted for data opt-out services.
Legal and Financial Repercussions
The class action lawsuit filed in Florida is a result of claims of negligence and failure to offer adequate security protections against National Public Data. The main plaintiff, Hofmann, learned of the breach when his identity theft protection service notified him that his PII was breached and the files were on sale on the dark web.
The lawsuit alleges that National Public Data did not take the reasonable safeguards that the information collected was protected, thereby allowing a data breach and the ultimate exposure of personally identifiable information. Plaintiffs are seeking financial compensation and are demanding that the company purge the affected data and enhance its cybersecurity measures.
Technical and Security Failures
According to court documents, the breach occurred due to several lapses in security protocols, including:
- Lack of employee training and awareness programs
- Absence of robust spam filters to catch phishing emails
- Inadequate email scanning processes
- Insufficient firewall defenses would have blocked access to IP addresses that were known sources of malicious activities.
These failures allowed hackers to gain unauthorized access to the network and exfiltrate unencrypted and unredacted personal information, which was then sold on the dark web​.
These security failures allowed hackers to gain unauthorized access into the network, from which they were able to exfiltrate personal information without encryption and redaction and then sell the data on the dark web.
Response and Recommendations
Following the breach, security analysts counsel affected persons to take proactive steps towards self-protection promptly:
- Monitoring financial accounts closely for suspicious activity
- Using identity theft protection services to receive alerts if personal information is misused
- Regularly update passwords and use multi-factor authentication wherever possible.
This breach underlines the critical importance of solid cybersecurity measures and transparent data handling policies for companies, especially those that are responsible for a large volume of sensitive information.
Improve Your Cybersecurity with PureWL VPN
While PureWL, a white-label VPN provider for businesses, could have significantly mitigated certain risks. The use of PureWL would have gone a long way to mitigating some of the risks that may have caused disasters in the business. Secure data transport with encryption, secure remote access, and strong authentication mechanisms are some of the protection layers PureWL can contribute to an organization in protecting sensitive information from its business. A VPN like PureWL can protect businesses from unwanted exposure and snooping, playing an important part in a full-fledged security program.
Conclusion
The National Public Data breach serves as a stark reminder of the vulnerabilities inherent in large-scale data aggregation and the far-reaching consequences of inadequate cybersecurity practices. As investigations continue, National Public Data faces not only significant legal and financial consequences but also a profound loss of trust from the public.