In what some are describing as one of the worst data hacks in history, a notorious hacking group has reportedly stolen and released records of potentially 2.9 billion people, which may include social security numbers and sensitive data from every American.
In the wake of news that the data breach was being leaked online, public advocates fear an unprecedented wave of identity fraud and theft is on the horizon.
Data Breach
A hacking group was revealed in a new class action lawsuit to have allegedly stolen the personal records of 2.9 billion people from a records database known as National Public Data back in April.
The records include sensitive data from citizens in the US, Canada, and the UK.
Selling the Data
At first, the hackers tried to sell the data on the dark web, requesting millions of dollars.
“2.9 billion records of USA, Canada, and UK citizens allegedly for sale for $3.5 million,” said an X post from HackManac, a cybersecurity company which included a screenshot of the listing. “The threat actor USDoD claims to be selling a 4 TB database containing 2.9 billion rows apparently exfiltrated from National Public Data, a public records data provider specializing in background checks and fraud prevention.”
What’s in the Data?
According to news outlets who have examined portions of the data, it appears to contain real people’s information.
“Each record consists of the following information – a person’s name, mailing addresses, and Social Security number, with some records including additional information, like other names associated with the person. None of this data is encrypted,” said the website Bleeping Computer.
Free Release
Although initially shopping for a buyer for their data treasure trove, the hacking group reportedly decided to release the information completely free on an online marketplace for stolen personal data.
A screenshot posted by Bleeping Computer of a group member known as Fenice advertised that the “full NPD database” is now available to be downloaded.
Accuracy of Information
According to reports, some have reached out to news outlets to say their information has been associated with other people they don’t know, so the data in the leak may not be entirely accurate.
It’s also possible that some of the information may be outdated, with Bleeping Computer suggesting this might indicate the data was taken from an old backup file.
Breach Lawsuit
The data breach that allegedly happened back in April generated multiple class action lawsuits against Jerico Pictures, also known as National Public Data.
A lawsuit filed in Florida District Court alleges that NPD failed to properly secure the data and that “Plaintiff and Class Members at no point knowingly provided their [personal information] to Defendant and Defendant instead scraped their [personal information] from non-public sources.”
Wake Up Call
Tesersa Murray, consumer watchdog director for the U.S. Public Information Research Group, feels like this massive hack should be a wake-up call for people to take better precautions.
“If this in fact is pretty much the whole dossier on all of us, it certainly is much more concerning” than prior breaches, Murray said in an interview. “And if people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them.”
A Wave of Identity Theft
Public policy experts are now warning of a wave of identity crime that may start sweeping the country given the leak of important information that includes social security numbers, email addresses, and phone numbers.
“For somebody who’s really suave at it,” Murray said, “the possibilities are really endless.”
Unsuspecting Victims
Murray also warned about a possible incoming wave of attempts to gain more information and defraud unsuspecting people by leveraging information obtained in the leak.
“These bad guys, this is what they do for a living,” Murray said. “Ten thousand dollars in one day for having one hit with one victim, that’s a pretty good return on investment. That’s what motivates them.”
Demanding Accountability
In the wake of the hacking news, some are demanding accountability not just from NPD, but politicians as well.
“It is disturbing and unacceptable that Americans are just now learning of this massive hack, which allowed criminal hackers to gain access to and now offer for sale approximately 2.9 billion records,” said Florida Senator Rick Scott in a statement. “While we learn more about this breach, the Biden-Harris administration must detail what is being done to hold the contractor that was holding this data, National Public Data, accountable for its failure to protect against this hack.”
Informing Users
It is unclear if NPD took adequate steps to properly inform those affected of the months-old data breach in the wake of the hack.
According to the Florida lawsuit, the “Defendant has still not provided any notice or warning to Plaintiff and Class Members. In fact, upon information and belief, the vast majority of Class Members were unaware that their sensitive [personal information] had been compromised.”
