National Public Data (NPD) has recently been hit by a major data breach, exposing personal identity records of potentially millions of individuals in the US, UK, and Canada. The breach, confirmed by data aggregator NPD, involved a “third-party bad actor” gaining unauthorized access to NPD’s databases in April 2024. This breach compromised sensitive information including full names, email addresses, phone numbers, Social Security numbers, and mailing addresses of an unknown number of people.
The acknowledgment of the breach by NPD came with a generic statement, lacking in specific details and guidance for affected individuals on protecting themselves against potential identity theft and fraud. NPD, a data aggregator used by businesses, private investigators, and human resources departments, has been a popular source for background checks and accessing criminal records.
Reports of the breach first surfaced in April, with Dark Web Intelligence revealing that a hacker known as “USDoD” had obtained a database from NPD containing a massive amount of personal information. The database reportedly contained 2.9 billion records, affecting residents in the US, UK, and Canada. However, many misconstrued this figure as the number of victims, depicting the breach as one of the largest in private data history.
Further analysis of the leaked data by VX-underground confirmed the authenticity of the information, which included details such as first and last names, Social Security numbers, and current and previous addresses dating back over 30 years. The dataset even allowed for the identification of individuals’ relatives, deceased relatives, and extended family members.
Notably, the NPD database also contained information on deceased individuals, some of whom had passed away over two decades ago. Security researcher Troy Hunt discovered significant data, including 134 million unique email addresses and millions of criminal records within the breached dataset. Hunt highlighted the mix of valuable and irrelevant data within the database, attributing it to NPD’s collection of information from diverse and untraceable sources.
The breach has reignited concerns about data security and the need for organizations to enhance their protective measures in safeguarding consumer data. A study by Apple in the previous year revealed a staggering 2.5 billion compromised consumer records due to data breaches in 2021 and 2022. This breach has also sparked conversations about the continued use of Social Security numbers (SSNs) as primary identifiers, with experts advocating for a shift towards secure digital IDs to mitigate identity theft risks.
Ambuj Kumar, CEO of Simbian, emphasized the urgency of replacing SSNs with encrypted digital IDs to enhance data protection. The misuse of SSNs for various transactions poses a significant threat, and a transition to digital IDs akin to those used in cryptography and secure technologies could offer a more secure alternative.
Furthermore, the breach has underscored the limitations faced by consumers in safeguarding their data and the need for stronger corporate and regulatory measures. Chris Deibler, VP of Security at DataGrail, emphasized the importance of holding corporations accountable for data breaches and implementing stringent consequences for mishandling customer data.
Deibler stressed the need for specific liabilities and penalties for companies that fail to secure consumer data adequately. In cases of severe data breaches, executives and organizations should face criminal repercussions to deter future incidents and prioritize data protection at the highest organizational levels.
In conclusion, the NPD data breach serves as a stark reminder of the critical need for robust data security practices, the urgency of transitioning away from vulnerable identifiers like SSNs, and the necessity of holding organizations accountable for safeguarding consumer data.
