The personal data of nearly 3 billion individuals has been exposed as a result of a massive data breach affecting National Public Data (NPD), a background-check service also known as Jerico Pictures.
A proposed class-action lawsuit filed two days ago has revealed the sheer size of the hack and is already sending shockwaves across the cybersecurity community and raising concerns about how billions of consumers may be in danger.
The scale of the breach is unprecedented and can only be compared with an incident from 2013 when Yahoo was hacked and the data of 3 billion users was exposed. The NPD leaked database is reportedly being sold on the dark web for $3.5 million.
The stolen data contains sensitive personal information from users including their Social Security Numbers (SSNs), current and past addresses spanning decades, full names, information about their relatives, email addresses, phone numbers, and other similar data points that can be used to illegally access multiple systems and applications.
Although the geographic location of those who are affected is unclear, the class-action lawsuit documents state that residents of the United States, United Kingdom, and Canada are among the affected parties.
USDoD is the Name of the Hacking Group Behind the Attack
A criminal entity known as USDoD claimed to have accessed the database in April this year. Meanwhile, in late July, an individual known as Christopher Hofmann filed a class-action lawsuit against NPD upon receiving a notification that his data was compromised.
The origins and goals of USDoD are a topic of debate. Some claim that they are a pro-Russian group while others indicate that they operate from Latin America. The group has been behind other high-profile hacks and data breaches including an attack on the cybersecurity company CrowdStrike.
They reportedly gained access to a top-secret FBI database used to share national security and cybersecurity intelligence.
In August, a user named “Fenice” reportedly leaked the unencrypted records of 2.7 billion people on a dark web site called “Breached”.
The method used to access the database has not been disclosed yet. However, the lawsuit alleges that NPD failed to “effectively secure hardware containing protected PII [personally identifiable information].”
Compared to previous data breaches, the NPD incident stands out: the number of exposed individual records surpasses that of other recent incidents, including the 2017 Equifax breach, which affected 147 million Americans, and a cybersecurity attack that exposed the data of 500 million guests from Marriott International.
No Official Comments Have Been Made by Authorities
No public statement has been made yet by law enforcement agencies about the breach. The scale and sensitivity of the incident may be the reason why authorities have been silent as both the Federal Bureau of Investigation (FBI) and the Federal Trade Commission (FTC) are probably investigating the situation.
NPD has told those who have sent inquiries about their potential exposure that they are “aware of certain third-party claims about consumer data and are investigating these issues.”
However, the company claims that they have “purged the entire database” and eliminated all “non-public personal information.”
All of the people whose data has been leaked as a result of this breach are at risk of being targeted by criminals via phishing and social engineering attacks and may be heavily exposed to identity theft and financial fraud.
Cybercriminals can use the sensitive data they obtained through the hack to create fake accounts, apply for loans, file fraudulent tax returns, and impersonate these users for multiple purposes with both public and private institutions and organizations.
Experts Weigh in to Make Recommendations to Those Affected by the NPD Hack
Consumers can protect themselves from becoming victims of these bad actors by enrolling in credit monitoring services, placing freezes on their credit files if they believe that their data has been compromised, and enhancing the safety of their personal financial and user accounts by activating two-factor authentication (2FA).
In addition, users should stay vigilant about any unsolicited contacts coming from alleged representatives of financial institutions, government officials, investment advisors, and other similar parties.
Jon Miller, CEO of Halcyon, stated that while the information was largely already available to the attackers, NPD essentially made it easier for them by compiling it in one place.
“The monetization of our personal information — including the information we choose to expose about ourselves publicly — is far ahead of legal protections that govern who can collect what, how it can be used, and most importantly, what their responsibility is in protecting it,” Miller highlighted.
Meanwhile, Paul Bischoff, a consumer privacy advocate at Comparitech, emphasized the need for stronger regulations and more transparency for data brokers.
“Background check companies like National Public Data are essentially data brokers who collect as much identifiable information as possible about everyone they can, then sell it to whoever will pay for it. It collects much of the data without the knowledge or consent of data subjects, most of whom have no idea what National Public Data is or does,” Bischoff asserted.
Teresa Murray from the US Public Information Research Group also weighed in to comment. She argues that “if people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them.”
“These bad guys, this is what they do for a living,” she stressed. They will usually send out thousands of emails or messages to potential victims. If they get one hit, that could be translated into thousands of dollars siphoned from unwary individuals.
“That’s a pretty good return on investment,” she told the Los Angeles Times. “That’s what motivates them.”
Americans May Be Targeted En Masse
The lawsuit against NPD claims that the company was negligent in its duties to protect consumers’ data and violated its contractual obligations and fiduciary duties. The company is also accused of unjust enrichment, as some of this data was collected without the express consent of users.
The size of the breach highlights the critical issues that the tech industry faces as personal data from users is being collected by companies that don’t necessarily have adequate protection measures to safeguard it from being accessed by unauthorized parties.
The NPD hack reminds consumers about the vulnerabilities of today’s increasingly digital world. As investigations continue and more details emerge, the incident will likely attract the attention of lawmakers and regulators who may be concerned about the safety of American citizens who could now be targeted by criminals en masse considering the scale of this recent breach.