The company whose data breach potentially exposed every American’s Social Security number to identity thieves finally has acknowledged the data theft — and said hackers obtained even more sensitive information than previously reported.
National Public Data, a Florida-based company that collects personal information for background checks, posted a “Security Incident” notice on its site to report “potential leaks of certain data in April 2024 and summer 2024.” The company said the breach appeared to involve a third party “that was trying to hack into data in late December 2023.”
According to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Fla., the hacking group USDoD claimed in April to have stolen personal records of 2.9 billion people from National Public Data. Posting in a forum popular among hackers, the group offered to sell the data, which included records from the United States, Canada and the United Kingdom, for $3.5 million, a cybersecurity expert said in a post on X.
Last week, a purported member of USDoD identified only as Felice told the hacking forum that they were offering “the full NPD database,” according to a screenshot taken by BleepingComputer. The information consists of about 2.7 billion records, each of which includes a person’s full name, address, date of birth, Social Security number and phone number, along with alternate names and birth dates, Felice claimed.
None of the information was encrypted.
Such a release would be problematic enough. But according to National Public Data, the breach also included email addresses — a crucial piece for identity thieves and fraudsters.
Having a person’s email address makes it easier to target them with phishing attacks, which try to dupe people into revealing passwords to financial accounts or downloading malware that can extract sensitive personal information from devices. In addition, because many people use their email address to log into online accounts, it could be used to try to hijack those accounts through password resets.
It’s not clear what, exactly, has been leaked on the dark web from the breach. In a very small sampling of scans using Google One, email addresses taken during the National Public Data breach did not appear. But a free tool from the cybersecurity company Pentester found that other personal data purportedly exposed by the breach, including Social Security numbers, were on the dark web.
National Public Data said on its website that it will notify individuals if there are “further significant developments” applicable to them. “We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems,” it said.
Previously, in an email sent to people who’d sought information about their accounts, the company said that it had “purged the entire database, as a whole, of any and all entries, essentially opting everyone out.” As a result, it said, it has deleted any “non-public personal information” about people, although it added, “We may be required to retain certain records to comply with legal obligations.”
The company did not respond to a request for comment. Laws in California and essentially every other state require companies to notify any individual whose sensitive personal information has been taken in a breach, said Timothy Toohey, head of the privacy and data security practice at law firm Greenberg Glusker in Los Angeles.
There’s no specific deadline for the notification, Toohey said, just an expectation that it be done expeditiously. But the scope of this case poses a challenge for National Public Data, he said, because it will have to figure out which of the affected individuals are still alive and where they currently live, then comply with the specific requirements in that state.
“Logistically, this is kind of mind-boggling,” Toohey said.
At this point, it appears that the only notice provided by National Public Data is the page on its website, which states, “We are notifying you so that you can take action which will assist to minimize or eliminate potential harm. We strongly advise you to take preventive measures to help prevent and detect any misuse of your information.”
That sort of notice would not satisfy the requirements of California law, which also requires the state attorney general’s office to be informed of any breach that affects more than 500 state residents, Toohey said.
The steps recommended by National Public Data include checking your financial accounts for unauthorized activity and placing a free fraud alert on your accounts at the three major credit bureaus, Equifax, Experian and TransUnion. Once you’ve placed a fraud alert on your account, the company advised, ask for a free credit report, then check it for accounts and inquiries that you don’t recognize. “These can be signs of identity theft.”
So far, the company hasn’t offered free credit monitoring services for people whose information was stolen, unlike other companies that have suffered massive data breaches. “Normally, with a data breach notification, you offer something because you want to appear to be proactive and to be helping people,” Toohey said.
“The way that companies look at it, a bad thing has happened. The company of course feels it’s the victim, but that’s not the impression from the general public.”
Security experts also advise putting a freeze on your credit files at the three major credit bureaus. You can do so for free, and it will prevent criminals from taking out loans, signing up for credit cards and opening financial accounts under your name. The catch is that you’ll need to remember to lift the freeze temporarily if you are obtaining or applying for something that requires a credit check.
In the meantime, security experts say, make sure all of your online accounts use two-factor authentication to make them harder to hijack.
It’s also important to look for signs that an email or text is not legitimate, given the spread of “imposter scams.” Using messages disguised to look like an urgent inquiry from your bank or service provider, these scams try to dupe you into giving up keys to your identity and, potentially, your savings. Any request for sensitive personal information is a giant red flag.
Aleksandr Valentij of cybersecurity company Surfshark suggested checking the sender’s email address carefully to see if it doesn’t precisely match the name of the organization they purportedly represent, and looking for typos or grammatical errors — two telltale signs of a scam. And if the message is from someone you’ve never interacted with before, Valentij said, avoid clicking on links, including an “unsubscribe” link or button, because bad actors will use them for malicious purposes.
“If you suspect that you’ve received a phishing email, don’t interact with it and report it to your email provider,” Valentij said. “If it’s someone pretending to be a legitimate organization, you should also report it to that organization. Once that’s done, delete the email and stay vigilant for similar emails in the future.”