National Public Data Confirms Massive Breach
Cyber incidents like this highlight the need for tougher action on companies that fail to adequately protect consumer data.
August 19, 2024
Data aggregator National Public Data (NPD) has finally confirmed a breach that has exposed personal identity records belonging to potentially hundreds of millions of consumers across the US, UK, and Canada.
In a statement that offered few details, the Coral Springs, Fla.-based company acknowledged what numerous others have reported in recent days: that a "third-party bad actor" accessed data from NPD's databases sometime in April 2024. The company said the data the threat actor accessed included full names, email addresses, phone numbers, Social Security numbers, and mailing addresses belonging to an unknown number of people.
Real and Accurate Data
NPD's advisory contained the usual boilerplate language about the company taking steps to protect against a similar incident, but it left it entirely up to victims to take measures to protect themselves against ID theft and other fraud resulting from its security lapse. NPD is a data aggregator that claims businesses, private investigators, human resources departments, and staffing agencies use its data for background checks, to obtain criminal records, and for other purposes.
News of the breach has been circulating since at least April, when Dark Web Intelligence posted on X about "USDoD," a hacker with a reputation for previous data heists, having obtained a database from NPD containing some 200 gigabytes of personal information on residents in the US, UK, and Canada. The threat actor claimed the NPD database contained some 2.9 billion rows of records. Many have incorrectly reported that figure as the number of victims, characterizing the breach as one of the biggest ever of private data.
VX-underground, a community focused on malware and cybercrime, reviewed the dataset and assessed the leaked data as being "real and accurate" and containing the first name, last name, SSN, current address, and addresses for individuals going back over 30 years. "It also allowed us to find their parents, and nearest siblings," VX-underground said. "We were able to identify someone's parents, deceased relatives, Uncles, Aunts, and Cousins."
In addition, the NPD database contains information on deceased individuals, some of whom had been deceased more than 20 years.
Troy Hunt, who maintains the "Have I Been Pwned" site, reported finding 134 million unique email addresses and millions of rows of criminal records. He assessed the massive dataset as containing a kludge of useful data (to criminals) as well as useless, incorrect, and redundant data that NPD appears to have built by scraping publicly available data from countless — and now untraceable — sources.
A Need to Stop Use of SSNs for ID Verification
The massive breach has prompted the usual concerns about the need for organizations to implement stronger controls for protecting data that consumers entrust to them. An Apple study last year found data breaches compromised a staggering 2.5 billion consumer records in 2021 and 2022.
But it has also resurfaced a long-standing sentiment among many about the need for organizations, government entities, and others to stop using SSNs as the primary identifier for pretty much any and all transactions.
"NPD should have done lots of things better but there is one thing that's on us: it's past time to get rid of SSN," says Ambuj Kumar, CEO of Simbian. Replacing SSN with a digital ID similar to what's used in cryptography and in a technology like Apple Wallet is relatively easy and straightforward, he says.
"The impediments are purely psychological and inertia," Kumar says. "Think of a digital ID as a government issued credit card number that is known only to the government and the individual," he notes. "When applying for a mortgage, for example, a token is generated from the original number and this new number is shared with the bank. If there is a breach at the bank, the original number is still safe since the bank only saw the token."
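The tokenization Kumar sketches, a secret number held by the issuer and the individual, with each relying party receiving only a derived token, can be modelled in a few lines. The following is an added example written for this article, not code from Simbian or any government scheme; the issuer key, the relying-party names, and the SSN-like value "123-45-6789" are all constructed for the demonstration. It also shows the caveat a practitioner would raise: the token must be keyed by the issuer, because a plain hash of a nine-digit number is brute-forceable from a bank's leaked records.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterable, Optional

# Constructed issuer-side secret (an assumption of this example). In the
# scheme described above, the original number is known only to the issuer
# and the individual; this derivation key is known only to the issuer.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"


def issue_token(original_id: str, relying_party: str) -> str:
    """Derive the token a relying party (e.g. a mortgage bank) receives.

    HMAC-SHA256 keyed by the issuer binds the token to one relying party,
    so tokens held by different organisations cannot be linked to each
    other or inverted to the original number without ISSUER_KEY.
    """
    message = f"{original_id}|{relying_party}".encode()
    return hmac.new(ISSUER_KEY, message, hashlib.sha256).hexdigest()


def verify_token(original_id: str, relying_party: str, token: str) -> bool:
    """Issuer-side check: does this token belong to this person at this party?"""
    expected = issue_token(original_id, relying_party)
    return hmac.compare_digest(expected, token)


def unkeyed_hash(original_id: str) -> str:
    """The weak alternative: a plain hash of the number with no issuer key."""
    return hashlib.sha256(original_id.encode()).hexdigest()


def brute_force(target: str, candidates: Iterable[str],
                derive: Callable[[str], str]) -> Optional[str]:
    """Attacker model: given a leaked value, try every candidate number.

    The attacker can compute unkeyed hashes freely but cannot compute
    issue_token() without ISSUER_KEY, so only unkeyed_hash is ever passed
    as `derive` here.
    """
    for candidate in candidates:
        if derive(candidate) == target:
            return candidate
    return None


def demo() -> Dict[str, object]:
    """Walk through the mortgage example and a breach at the bank."""
    original = "123-45-6789"            # constructed, not a real SSN
    bank_a, bank_b = "bank-a", "bank-b"  # constructed relying-party names

    # The bank stores only what it was shown: the token, never the original.
    bank_records: Dict[str, str] = {"customer-1": issue_token(original, bank_a)}
    leaked_token = bank_records["customer-1"]

    # The attacker knows the identifier format; here the search space is
    # deliberately narrowed to the last four digits so the demo runs quickly.
    candidates = [f"123-45-{n:04d}" for n in range(10_000)]

    return {
        "original_in_bank_records": original in bank_records.values(),
        "tokens_unlinkable": issue_token(original, bank_a)
        != issue_token(original, bank_b),
        "issuer_can_verify": verify_token(original, bank_a, leaked_token),
        # A plain hash of a low-entropy number leaks the number on breach.
        "recovered_from_unkeyed_hash": brute_force(
            unkeyed_hash(original), candidates, unkeyed_hash),
        # The keyed token does not.
        "recovered_from_token": brute_force(leaked_token, candidates, unkeyed_hash),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is in the two brute-force lines: HMAC with a key the bank never sees is what makes the token safe to lose, whereas hashing the number alone only hides it from someone unwilling to try a billion guesses.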
A Limit to What Consumers Can Do?
The breach has also focused attention on the limits to what consumers can do to protect their data. Chris Deibler, vice president of security at DataGrail, says none of the usual recommendations — such as using password managers, adding multi-factor authentication, and paying attention to account resets — would have helped in the NPD breach. The real effort now has to come at the corporate and regulatory level, and more effort should be focused on disincentivizing mass data aggregation.
"Corporations don't respond to the same stimuli as individuals, so advocating for better education and letting the moral arc of the universe do its thing probably isn't going to cut it," Deibler notes. "You need levers that actually change the conversation about data collection and handling risk at the board level. In that context, corporations respond to specific liabilities — reputational, civil, criminal, existential."
He argues that harmed parties in a data breach have specific, statutorily defined compensations available to them that go well beyond just one year's worth of free credit monitoring. Similarly, executives at companies that knowingly put customer data at risk should share criminal liability for a breach. "In the most egregious of circumstances, if you mess up hard on customer data, you should not be permitted to have the opportunity to do so again, either at the corporate or individual level."