THREAT ALERT

What to Know about the NPD Breach

Thursday, August 15th, 2024

In April 2024, a known threat actor calling themselves USDoD claimed to possess and be selling approximately 2.9 billion records from National Public Data, containing the personal data of people in the US, UK, and Canada.

What is the NPD?

NPD stands for National Public Data, a company that, according to its website, “is a public records data provider specializing in background checks and fraud prevention. We obtain information from various public record databases, court records, state and national databases, and other repositories nationwide.” Reports indicate that the company had amassed around 2.9 billion records, though this number does not seem to represent individual people. The information is thought to include first names, last names, addresses, years of address history, and Social Security numbers.

What Happened?

In April of this year, a known threat actor calling themselves USDoD claimed to possess and be selling approximately 2.9 billion records containing the personal data of people in the US, UK, and Canada. Reports suggest that USDoD somehow obtained the data from NPD. The situation became more interesting when USDoD allegedly put the data up for sale on the dark web for $3.5 million. However, reports from ZDNet and Bleeping Computer state that another threat actor called Fenice swiped the data from USDoD and released it for free in August of this year.

According to Bleeping Computer:

  • The leaked data consists of two text files totaling 277GB and containing nearly 2.7 billion plaintext records, rather than the original 2.9 billion number shared by USDoD.
  • While Bleeping Computer can’t confirm if this leak contains data for every person in the US, numerous people have confirmed that it included their and their family members’ legitimate information, including those who are deceased.
  • Each record consists of a person’s name, mailing addresses, and social security number, with some records including additional information, like other names associated with the person. None of this data is encrypted.
  • Previously leaked samples of this data also included phone numbers and email addresses, but these are not included in this 2.7 billion record leak.
  • It is important to note that a person will have multiple records, one for each address they are known to have lived at. This also means that this data breach did not impact 3 billion people, as has been erroneously reported in many articles that did not properly research the data.
  • Some people have also told Bleeping Computer that their social security numbers were associated with other people they don’t know, so not all the information is accurate.
  • Finally, this data may be outdated, as it does not contain the current address for any of the people checked, potentially indicating that the data was taken from an old backup.

The data breach has led to multiple class action lawsuits against Jerico Pictures, which is believed to be doing business as National Public Data, for not adequately protecting people’s data. If you live in the US, this data breach has likely leaked some of your personal information.

What Do You Need to Do?

Here are a few tips to help you out:

  • Monitor your credit and immediately report any suspicious activity to credit bureaus.
  • If you think or know your data was compromised, freeze your credit through any of the credit bureaus.
  • If you don’t want to freeze your credit, research and find a legitimate credit monitoring company.
  • Be aware of phone call, phishing, and smishing campaigns that try to leverage this incident to get you to sign up for bogus services or provide additional sensitive information. Always verify the request when someone asks you to sign up for something or provide sensitive information by phone, text, email, or any other channel.

References:

[hxxps://www[.]bleepingcomputer[.]com/news/security/hackers-leak-27-billion-data-records-with-social-security-numbers/]

[hxxps://www[.]zdnet.com/article/was-your-social-security-number-leaked-to-the-dark-web-heres-how-to-know-and-what-to-do/#ftag=RSSbaffb68]

James Bruhl

Director of Cyber Threat Intelligence

James Bruhl is the Director of Cyber Threat Intelligence for DefenseStorm. He joined the company with 15 years of experience as a law enforcement officer, bringing extensive experience in crime prevention, evidence collection, investigative techniques, and crisis management. Driven by a passion for technological advancements and the ever-evolving landscape of digital threats, he transitioned to the field of digital forensics, incident response, and cybersecurity. In his role, he honed his skills in analyzing digital evidence, identifying cyber threats, and implementing robust security measures, specializing in forensic examinations on various devices to uncover critical information and support investigations. James began at DefenseStorm as a security engineer in 2020 and developed DefenseStorm’s EDR Service. He was then appointed as Director of Cyber Threat Intelligence in 2022 and is responsible for nearly all facets of the EDR service. During his cyber career, James has been instrumental in proactively detecting and responding to cyber incidents and plays a vital role in incident response teams, coordinating efforts to mitigate the impact of breaches, identifying vulnerabilities, and implementing strategies to prevent future attacks. He continues to share his expertise by conducting training sessions, participating in conferences, and writing articles on topics related to digital forensics, incident response, and cybersecurity. James holds a bachelor’s in criminal justice from the University of North Georgia and a GCFE certification.