A data dump containing 2.7 billion pieces of personal information, including the Social Security Numbers of people living in the United States, was recently discovered. leaked onto the internet. The contents of the data dump were linked to National Public Data, a company that extracts information from non-public sources and sells it for background checks. Now there is company confirmed said there was a “data security incident” in which people’s names, emails, addresses, phone numbers, social security numbers and postal addresses were stolen.
The wording in the National Public Information Security Incident report is somewhat vague and confusing, but it blamed the security breach on a third-party bad actor. It says the bad actor “attempted to breach data in late December 2023” and that “potential leakage of certain data” occurred in April 2024 and the summer of 2024, indicating that the hacker successfully infiltrated its system. In April, a threat actor known as USDoD tried to sell 2.9 billion records of people living in the US, UK and Canada for $3.5 million. He claimed to have stolen the information from National Public Data. Since then, the records have been leaked online in parts, with newer ones containing more comprehensive and more sensitive information.
The company said it is working with law enforcement to review potentially affected records and will try to “notify” individuals “if there are any additional material developments that may be applicable.” It also said it has issued a notice so that those potentially affected can take action. The company advises people to monitor their financial accounts for fraudulent transactions, and also encourages them to get free credit reports and put a fraud alert on their files.
National Public Data is already facing a proposed class action lawsuit brought by a plaintiff who received a notice from an identity theft protection service in early August that his personal information was being posted on the dark web. They alleged that the company “failed to adequately protect the personally identifiable information it collects and stores as part of its regular business practices.”