Background-check giant confirms security incident leaked millions of SSNs
Background-check giant confirms security incident leaked millions of SSNs
National Public Data released a statement about an incident that went viral on social media recently but has been known to cybersecurity experts for months.
One of the largest companies that conducts background checks confirmed that it is the source of a data breach causing national outrage due to the millions of Social Security numbers leaked.
In a statement on Friday, National Public Data said it detected suspicious activity in its network in late December, and subsequently a hacker leaked certain tranches of data in April and throughout the summer.
“The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. We conducted an investigation and subsequent information has come to light,” the Florida-based company said.
“The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
National Public Data said it “cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records.”
The company plans to notify those affected if there are other updates. It is unclear how someone would know they are affected by the breach, but the company urged people to monitor their financial accounts for unauthorized activity.
Cybersecurity experts have known about the leaks since April, but since then the company has refused to respond to repeated requests for comment from Recorded Future News. The company stayed tight-lipped about the incident until this week, when concern about the troves of Social Security numbers (SSNs) exposed went viral on social media.
Companies and private investigators pay National Public Data to obtain criminal records, background checks and more — with the company allowing them to search billions of records instantly.
On April 7, a well known hacker going by the name USDoD posted a database on the criminal marketplace Breached claiming it contained 2.9 billion records on U.S. citizens. The cybercriminal — best known for leaking data stolen from European aerospace giant Airbus — said it came from another hacker named “SXUL" and offered the information for $3.5 million.
While it is unclear whether anyone paid for the information, the hacker began leaking parts of the database in June and others continued to offer it for sale throughout the summer.
Several cybersecurity experts, including data breach expert Troy Hunt, have confirmed that while the database contains duplicates, much of the information is accurate.
The data contains a person’s first and last name, three decades of address history and Social Security number. Some experts said they were also able to find a person’s parents, siblings and immediate relatives. The database includes people living and dead.
Some have noted that people who use data opt-out services were not included in the database.
While some news outlets and social media platforms have erroneously reported that 2.9 billion people had information in the breach, Hunt estimated that the database included about 899 million unique SSNs.
The FBI and other U.S. cybersecurity agencies did not respond to requests for comment.
National Public Data is already facing lawsuits over the breach. A complaint was filed in the U.S. District Court for the Southern District of Florida two weeks ago after a California resident said he got a notice from his identity-theft protection service provider in July about the breach.
DataGrail vice president Chris Deibler said the breach shows we “are reaching the limits of what individuals can reasonably do to protect themselves in this environment.”
“The balance of power right now is not in the individual's favor. [The European Union’s] GDPR and the various state and national regulations coming online are good steps, but the prevention and consequence models in place today clearly do not disincentivize mass aggregation of data,” he said.
Akhil Mittal of Synopsys Software Integrity Group added that the number of records will draw headlines but the long tail of effects on people could last years. Millions of real people will be dealing with identity theft, fraud and more for years to come due to the breach, he said.
Mittal echoed Deibler’s comments, arguing that a larger conversation needs to be started about data privacy and protection.
“It’s time for stricter regulations and better enforcement to make sure companies are really protecting our information,” Mittal said.
Most important point for me:
the prevention and consequence models in place today clearly do not disincentivize mass aggregation of data
Yep decentralization is key to avoid these kind of problems... A single point of failure will have consequences some day.
Well, considering that a SS number can't start with a 9, that basically means all the SS numbers were leaked. ☹️
Yep.
Combined with previous leaks, the closest scientific term for the percentage of SSNs leaked is "all of them".
While there are people out there who haven't had their SSN leaked to the dark web, it's now too few of them to treat at anything other than a novelty outlier.
If you want to freeze your credit with the three major agencies, I called Experian first and they said they were sending the request to the other two agencies. I did this for another reason earlier in the year. Your mileage may vary now as I hear they’re getting crushed with requests.
Get ready to answer a grip of extremely specific questions to prove who you are.
I called Experian first and they said they were sending the request to the other two agencies.
Personally, I would trust Experians's word about as far as the word of someone who was actively in the process of robbing my living room.
That’s fine, but they did what they said and if you want to turn off your credit line because dishonest fuckfaces are stealing from you, you don’t have a lot of choices. I offered up what I did as an anecdote of how I accomplished it.