National Public Data, a background check company, has allegedly been hacked, with over 2.9 billion records impacted.
What happened
Recent reports suggest at least 2.7 billion records (and some estimate 2.9 billion) have been leaked on an online hacking forum.
The data reportedly comes from the background check company National Public Data (NPD), owned by Jericho Pictures. According to its website, the organization allows customers to search billions of records and is used by private investigators, human resources, staffing agencies, and others.
The data allegedly holds personal information from people in the United States, the United Kingdom, and Canada, including their names, Social Security numbers, all known physical addresses, and possible aliases. Some individuals may be listed multiple times, as every new address is considered a separate record.
The threat initially emerged in April of 2024, when a threat actor under the name USDoD claimed to be selling the records for $3.5 million. The actor claimed to have records for every single individual in the three listed countries.
Going deeper
At the time, Bleeping Computer reached out to NPD but never received a response.
Cybercriminals often claim to have vast amounts of data in an attempt to extort victims, so the validity of this threat was highly questioned.
Yet more recently, different threat actors have released partial copies of the data. On August 6th, a threat actor known as “Fenice” leaked the most complete version of the data for free on the hacking forum Breached. The organization claims the true hackers were the threat organization SXUL.
What was said
Recently, NPD released a statement online, saying “There appears to have been a data security incident that may have involved some of your personal information.” The statement said an actor had attempted to “hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”
The organization said that it had conducted an investigation and “subsequent information has come to light.”
NPD did not say how many individuals were impacted. They stated they are cooperating with law enforcement and government investigators and are implementing additional security measures.
What’s next
At least one class action lawsuit has been initiated against Jericho Pictures. The Plaintiff argues that NPD failed to “properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices.”
The Plaintiff also argues that he and the class members “at no point knowingly provided their PII to Defendant and Defendant instead scraped their PII from non-public sources.”
In its statement, NPD suggests that potentially impacted individuals “take preventive measures to help prevent and detect any misuse of your information.” The organization recommends monitoring financial accounts and credit.
It is important to note that 2.7 billion individuals have not been affected; rather, 2.7 billion records have. Duplicates likely exist, and the number of impacted individuals is expected to be lower. Some organizations have incorrectly reported this information.
The bottom line
The incident at NPD adds to the list of already record-breaking breaches this year, following the massive Change Healthcare incident. It’s clear that hackers are becoming increasingly sophisticated and targeting organizations in new and unexpected ways. Organizations must critically examine their current security systems and protocols to prevent and prepare for potential breaches.