The Truth Behind the National Public Data (NPD) Breach

National Public Data Breach

In July, one of the largest data breaches in history occurred, involving the company National Public Data (NPD). The incident garnered widespread media attention and became the subject of a class-action lawsuit, despite the company being relatively unknown to the public before the breach. Researchers Troy Hunt and Brian Krebs published detailed reviews of the vast trove of stolen data.

National Public Data is a company that collects and processes large volumes of personal information to offer various services. Their operations include checking records from the U.S. criminal database, generating background reports, and selling data to mobile apps and background check websites. According to experts, the breach affected not only the living but also the deceased, further complicating the situation.

Image: Troy Hunt

The data breach came to light in April when the hacker “USDoD” posted over 4 TB of data on the Breachforums. It was reported that the breach included data on approximately 2.9 billion individuals, including Social Security Numbers (SSNs), addresses, and other personal information. However, many experts pointed out discrepancies in the numbers: the actual number of affected individuals is significantly lower than the claimed data volume. For instance, SSNs are primarily linked to U.S. residents, whereas different identifiers are used in Canada and the U.K. Such inconsistencies raised questions about the authenticity and origin of the leaked data.

Many media outlets misinterpreted the amount of leaked data, suggesting that 2.9 billion people were affected. In reality, this figure reflects the number of rows in the stolen datasets, not the number of affected users. Moreover, the data was found to contain duplicate entries, further complicating the situation. For example, many rows contain identical SSNs but with different names and addresses. In other words, the claimed 2.9 billion rows may include many duplicates, casting doubt on the actual number of affected individuals.

Image: Troy Hunt

Specialists at Atlas Data Privacy Corp. analyzed the stolen data and reported that it contains 272 million unique SSNs. Most records include the name, SSN, and home address, with 26% of records also containing phone numbers. Interestingly, a significant portion of the data pertains to deceased individuals, with the average age of those affected being 70 years.

In July, the leaked data became accessible to a wide audience, and NPD notified its clients about the data compromise. It was particularly noteworthy that the breach did not include data on individuals who had previously opted out of data collection and processing, confirming the legality of the company’s actions. NPD claims it is cooperating with law enforcement and conducting an investigation, promising to inform users of further developments in the situation.

Despite the gravity of the incident, the exact origin of the data remains unclear. The hackers involved in disseminating the information regularly posted new fragments of data, but the total volume of data did not match the claimed 4 TB. Additionally, there were overlaps with previous data breaches from other sources, raising suspicions that part of the data may have been aggregated from various sources, including NPD.

Particularly troubling was the discovery that some of the data contained inaccurate information. For example, the database included records with incorrect birthdates and mismatched names. This created additional challenges for those attempting to assess the scale of the breach and its consequences.

NationalPublicData.com is operated by Jerico Pictures Inc., founded by former Broward County Deputy Sheriff Salvatore Verini. In addition to his work in data collection, Verini is also known for his roles in films and for producing various documentaries. However, the company does not disclose the sources from which it obtains data for its services.

Users whose data may have been compromised are strongly advised to freeze their accounts to prevent potential fraud. It is also important to regularly monitor accounts and promptly dispute any suspicious activities.

Related Posts: