Nearly 2.7 billion records containing personal information of individuals in the United States were leaked on a hacking forum, exposing sensitive data such as names, social security numbers, all known physical addresses, and potential aliases.
Here’s what we know so far.
National Public Data: Background
The data reportedly originates from National Public Data, a company owned by Jericho Pictures. This firm specializes in collecting and selling access to personal information for purposes such as background checks, obtaining criminal records, and assisting private investigators.
However, National Public Data’s data collection practices do not necessarily rely on user consent. It is believed that the company compiles individual profiles by scraping information from public sources, affecting individuals in the U.S. and other countries. As a result, most of those impacted likely did not knowingly provide their data to the company.
Incident timeline
In April, a threat actor known as USDoD claimed to be selling 2.9 billion records containing the personal data of individuals in the U.S., U.K., and Canada, allegedly stolen from National Public Data.
At the time, the hacker sought $3.5 million for the data, claiming it included records for every person in the three countries. Since the initial claim, various threat actors have released partial copies of the data, with each leak sharing different quantities.
On August 6th, a threat actor known as “Fenice” leaked the most complete version of the stolen National Public Data data for free on the Breached hacking forum.
The leaked data, comprising two text files totaling 277GB, contains nearly 2.7 billion plaintext records—slightly fewer than the 2.9 billion originally claimed by USDoD.
While it is not confirmed whether this leak includes data for every person in the U.S., numerous individuals have verified that the files contain legitimate information about themselves and their family members, including those who are deceased.
Each record includes a person’s name, mailing addresses, and Social Security number, with some entries also featuring additional details like other names associated with the individual. None of the data is encrypted.
Notably, certain key pieces of information are absent from the hackers’ collection. Missing elements include email addresses, which are commonly used for logging into services, and driver’s license or passport photos, which are often used by government agencies for identity verification.
Despite the absence of some key details, the leaked information presents significant risks. The most concerning threat is the potential for bad actors to attempt account takeovers, targeting bank accounts, investment portfolios, insurance policies, and email accounts.
Armed with a person’s name, social security number, date of birth, and mailing address, fraudsters could create fraudulent accounts in that person’s name or attempt to convince others to reset passwords for existing accounts.
Additionally, criminals might combine this data with information from previous breaches, potentially adding email addresses to the records leaked from National Public Data.
The fallout
The exact timing and nature of the breach remain unclear, and the provider has yet to notify or warn affected individuals.
However, a class-action lawsuit has been filed against Jericho Pictures for the exposure of nearly 3 billion individuals’ personal information in the April data breach.
Christopher Hofmann, for example, a California resident and named plaintiff in the lawsuit, reported receiving a notification from his identity theft protection service on July 24. The notice informed him that his data had been compromised and leaked on the dark web.
Hofmann accuses National Public Data of negligence, unjust enrichment, and violations of fiduciary duty and third-party beneficiary contract.
We will keep you updated on this story as it progresses.