In the latest data breach, nearly 2.7 billion records containing personal information of individuals in the United States were exposed on a hacking forum. This alarming breach has compromised the privacy of millions by revealing names, Social Security numbers, known physical addresses, and possible aliases.
Origins of the Exposed Data
The exposed data allegedly originates from National Public Data, a company that specializes in collecting and selling personal information for various purposes such as background checks, criminal records, and investigations by private detectives. The company is believed to have gathered this information from public sources, compiling detailed profiles of individuals in the United States and other countries.
The Initial Data Breach and Sale Attempt
Bleeping Computer that a notorious threat actor known as USDoD claimed to be in possession of 2.9 billion records containing personal data from the US, UK, and Canada, all allegedly stolen from National Public Data.
It was in April when the hacker attempted to sell this vast dataset for $3.5 million, asserting that it included records of every individual in these three countries. USDoD has a history of involvement in similar cybercrimes, including an attempt to sell InfraGard's user database for $50,000 in December 2023.
Free Release of Stolen Data
Following the initial sale attempt, various threat actors began releasing portions of the stolen data, each sharing different amounts of records with varying content.
On Aug. 6, a hacker known as "Fenice" released the most complete version of the stolen National Public Data information for free on the Breached hacking forum. Fenice clarified that another threat actor, "SXUL," carried out the breach. To clarify, this was different from USDoD.
What the Leaked Data Contain
The leaked data consists of two text files, totaling 277GB, containing almost 2.7 billion plaintext records. Although this is slightly less than the original 2.9 billion records claimed by USDoD, the sheer volume of exposed information is staggering.
Numerous individuals have confirmed that the leak includes legitimate personal details, such as the names, mailing addresses, and Social Security numbers of both living and deceased family members. Some records even contain additional information like aliases, though none of the data is encrypted.
Previously leaked samples of this data also included phone numbers and email addresses, but these details are absent from the 2.7 billion record leak.
It's important to note that a single person may have multiple records associated with different addresses, leading to inflated numbers of affected individuals. Consequently, the breach did not impact 3 billion people, as some reports erroneously suggested.
Concerns Over Data Accuracy and Age
There are concerns about the accuracy of the leaked information. Some individuals have reported that their Social Security numbers were linked to people they do not know, raising questions about the reliability of the data. Additionally, the data may be outdated, as it does not include current addresses for the individuals checked, indicating that the breach may involve older, archived information.
Class-Action Lawsuits Against National Public Data
The data breach has sparked multiple class-action lawsuits against Jerico Pictures, the company believed to be operating as National Public Data. These lawsuits accuse the company of failing to protect personal information adequately.
If you reside in the United States, it's highly likely that some of your personal information has been compromised in this breach.
With millions of Social Security numbers exposed, it's crucial to monitor your credit report for any signs of fraudulent activity and report any suspicious behavior to the credit bureaus immediately. Additionally, be vigilant against phishing attempts and fraudulent SMS messages that may seek to exploit this data breach by tricking you into revealing further sensitive information.