A breach of National Public Data first announced in April is making news again in August as lawsuits start to pile on. The data breach may be one of the biggest breaches affecting Americans, Canadians, and UK persons. If you never heard of National Public Data, do not breathe a quick sigh of relief. You may never have heard of them, but there’s a good chance the background check service has some detailed information about you. Donna Levalley reports at Kiplinger:
Nearly three billion individuals had their personal data leaked during a cyber attack targeting National Public Data (NPD), a background checking service also known as Jerico Pictures. The data breach is one of the biggest in history and surfaced when a proposed class action lawsuit was filed two days ago.
[Note: It actually surfaced in April when a threat actor known as @USDoD posted it for sale on BreachForums, as shown below. The original post was subsequently removed but the data have been leaked for free since then. It just seems to have taken a few lawsuits to get the attention of some mainstream outlets — Dissent]
The lawsuit alleges that personal data from nearly three billion people was leaked during a cyber attack targeting the company in April. Neither NPD nor Jerico Pictures has yet confirmed a cyberattack.
What Types of Information Were Involved?
The seller advertised this as 2.9 billion records. If there is more than one record per person, the total number of unique individuals may be smaller than 2.9 billion. Eventually, we may find out the number of unique persons.
According to the forum user who subsequently leaked the entire data set for free, the types of information in the data set reportedly include:
ID, firstname, lastname, middlename, name_suff, dob, address, city, county_name, st, zip, phone1, aka1fullname, aka2fullname, aka3fullname, StartDat, alt1DOB, alt2DOB, alt3DOB, ssn
The first published attempt to verify the data was by VX-underground, who reported on Telegram:
We reviewed the massive file – 277.1GB uncompressed, and can confirm the data present in it is real and accurate. We searched up several individuals who consented to having their information looked up.
1. The database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present.
2. People who did not use data opt-out services and resided in the United States were immediately found. It showed their:
– First name
– Last name
– Address
– Address history (3 decades+)
– Social security number
It also allowed us to find their parents, and nearest siblings. We were able to identify someone's parents, deceased relatives, Uncles, Aunts, and Cousins. Additionally, we can confirm this database also contains information on individuals who are deceased. Some individuals located had been deceased for nearly 2 decades.
How Has National Public Data Responded?
They haven’t. It is now four months since the data were first listed on a hacking forum, yet there has been no notice by National Public Data or Jerico Pictures. Many states have laws requiring notification in the event of a breach, and with Social Security numbers involved, breach notification laws were probably triggered in states all over the country. Regulators such as the Federal Trade Commission are also likely to open a formal investigation into this incident.
Hopefully, someone will set up a way to check to see if your data has been caught up in the incident. But don’t wait for others to help. Take steps to protect yourself from fraud and caution relatives and friends who may not have heard about this breach in the news not to give out information to anyone who contacts them claiming to be calling them about the breach or on behalf of National Public Data or Jerico Pictures.
Thanks to Joe Cadillic for suggesting covering this breach on PogoWasRight.org. This incident likely affects most Americans, so if you’ve been meaning to learn how to protect yourself from fraud or misuse of your information, this may be a great time to start getting serious about it.