National Public Data, a firm that provides background check services, has suffered a significant data breach after hackers gained access to its systems and sold the compromised database online, exposing sensitive personal information to the public.
According to reporting by BleepingComputer, the breached dataset contains extensive personal records, including millions of Social Security numbers along with home and mobile phone numbers and other identifying details. The company has acknowledged that names, email addresses, phone numbers, Social Security numbers (SSNs), and postal addresses were potentially exposed during a hacking incident that occurred in late 2023.
National Public Data has identified at least two distinct data leak events affecting its systems: one in April 2024 and another during the summer of 2024. The company says it has alerted law enforcement, conducted internal investigations, and reviewed the records that may have been affected. It has pledged to notify people whose information was involved if any materially new findings emerge.
Access to the company’s public statement about the incident appears to be blocked from numerous IP addresses across the United States and internationally, though archived copies of the statement are available on the Internet Archive.
Security researchers report that the leaked database contains roughly 2.7 billion records and has been circulating among cybercriminals for months. In April 2024, an actor using the alias “USDoD” attempted to sell the data for $3.5 million. More recently, another threat actor known as “Fenice” released a larger version of the dataset at no cost, further widening access to the compromised information.
Preliminary analysis suggests the leak includes personal details for a large portion of the affected individuals and, in some cases, their relatives, including people who are deceased. Researcher Troy Hunt, creator of the Have I Been Pwned service, noted that one of the datasets he examined contained 134 million unique email addresses.
It is important to note that the leaked information may contain inaccuracies. Records could be mismatched—names, dates of birth, or other attributes might be incorrectly linked to the wrong people, and some addresses or locations listed in the dataset may not reflect reality.
The breach has already led to legal action: at least one class action lawsuit targets Jerico Pictures, the operator behind the National Public Data service. The suit alleges the company accessed and sold data compiled from a variety of public records, including government sources.
Affected individuals are advised to take immediate precautions: monitor bank and credit card accounts for suspicious activity, review credit reports, and promptly report any suspected fraud to the appropriate credit bureaus. Because stolen data is frequently reused in phishing and other social engineering attacks, people should remain vigilant for fraudulent messages and scams that leverage personal details from the breach.