Given all of the major news events that have dominated headlines this summer, you'd be forgiven for missing yet another: reports that a massive data breach may have disclosed billions of details, including names, social security numbers, and addresses.
National Public Data (NPD), a background-check data aggregator based in Coral Springs, Florida, recently admitted on its website that "a data security incident"—which was "believed to have involved a third-party bad actor" in December 2023—led to data leaks in April of this year. Bloomberg Law reports that 2.9 billion documents were leaked and then sold on the dark web for $3.5 million.
Moreover, in recent days, it has become clear that the leak may be worse than previously thought. Brian Krebs, a cybersecurity investigative researcher, revealed on his KrebsOnSecurity website this week that National Public Data exposed its own credentials as part of the breach.
“KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today,” Krebs noted.
While the breach seems to be getting worse, National Public Data says it is working with law authorities and recommends that users freeze their credit.
The breach was made public earlier this month, following the filing of a class-action lawsuit against National Public Data's parent business, Jerico Pictures, in federal court in Fort Lauderdale. There have also been numerous further lawsuits filed. Since early August, at least 14 complaints have been filed in federal court against National Public Data, according to a Justia database search.
To get an understanding of what these lawsuits are alleging, in one such filing, filed on August 19, lawyers argue that National Public Data "breached its duties by, among other things, failing to implement and maintain reasonable security procedures and practices to protect individuals' PII [personally identifiable information] from unauthorised access and disclosure," and that "Defendant has not provided any notice to affected individuals, including Plaintiff, who only learnt that her SSN and other PII was posted on the dark web as a result of the Data Breach from LifeLock.”
People who are concerned that their data has been compromised by fraudsters should freeze their credit and monitor their accounts as a first step. You can also use tools like npdbreach.com to see if your data is included in the repository of leaked information. There are other similar tools available, but they need you to enter your name or other information.
This year is shaping up to be a significant one for cybercrime: The number of data breaches increased by 490% in the first half of 2024 when compared to the same period in 2023.