National Public Data, a leading background check company, has confirmed a serious data breach affecting millions of Social Security numbers (SSNs). The company is under intense scrutiny after hackers successfully compromised its systems, leaking sensitive personal information and igniting widespread concern.
Timeline of the Breach
On Friday, National Public Data disclosed that it first detected unusual network activity in late December 2023. The breach escalated when hackers began leaking data in April 2024, with additional leaks continuing through the summer. The company attributed the breach to a third-party actor, suggesting a successful infiltration into their system.
“The breach involved a third-party hacker targeting our data starting in late December 2023. We observed leaks beginning in April 2024 and continuing through the summer,” stated the Florida-based firm. “Our investigation has revealed more about the breach over time.”
Extent of Compromised Information
The breach has exposed critical personal details, including names, email addresses, phone numbers, Social Security numbers, and mailing addresses. This sensitive information increases the risk of identity theft and fraud for those affected. National Public Data has worked with law enforcement and conducted a review of the affected records but has not clarified how individuals can verify if their information was compromised.
Public Awareness and Media Reaction
Despite cybersecurity experts being aware of the leaks since April, National Public Data only addressed the issue publicly this week, following mounting pressure and viral social media coverage. The company’s delayed response and lack of transparency heightened public anxiety as news of the massive exposure spread.
National Public Data serves various clients, including companies and private investigators, providing access to vast amounts of personal records. This broad data access makes the breach particularly alarming, as stolen data could be used for malicious purposes.
Hacker Sells Data on Dark Web
On April 7, the hacker known as “USDoD” posted a database on the dark web marketplace Breached, claiming it contained 2.9 billion records of U.S. citizens. The hacker, notorious for previous data leaks, stated the data came from another hacker named “SXUL” and offered it for $3.5 million. Although it’s unclear if the database was sold, portions of it began appearing online in June, with others continuing to sell it over the summer.
Cybersecurity experts, including Troy Hunt, have confirmed that while some data in the database is duplicated, much of it is accurate and poses significant risks. The database reportedly includes names, addresses spanning up to three decades, and Social Security numbers. Some entries also cover relatives of the affected individuals.
Legal and Regulatory Fallout
The breach has already led to legal consequences for National Public Data. A California resident filed a lawsuit in the U.S. District Court for the Southern District of Florida, alleging that the company failed to secure the personal information it collected. The plaintiff was notified by an identity-theft protection service about the breach in July.
Calls for Stronger Data Protection
The breach has sparked a debate about the need for stronger data protection regulations. Chris Deibler of DataGrail noted the current inadequacies in safeguarding personal information. “The current regulatory frameworks, like GDPR, are steps in the right direction, but they don’t fully prevent the mass collection of data,” he said.
Akhil Mittal of Synopsys Software Integrity Group highlighted the long-term impact of such breaches. “Millions of people will face identity theft and fraud for years due to this breach. It’s crucial to enforce stricter regulations to ensure companies protect personal data more effectively.”
In response, National Public Data has advised those potentially affected to monitor their financial accounts, obtain free credit reports, and consider placing fraud alerts on their records. The company also plans to notify individuals if further updates become available.