The National Public Data Breach Says Everything About How Identities and PII are Not Being Protected
Jericho Pictures, Inc., d/b/a National Public Data (“NPD”) confirmed last week that it fell victim to a significant security breach dating back to December 2023. The breach resulted in the theft of a massive database containing an estimated 2.9 billion lines of highly sensitive personal data, including Social Security numbers.
The stolen data was initially advertised for sale on the dark web in April by a hacker group known as USDoD for $3.5 million. Unfortunately, the data has since been publicly released in various locations, making it readily available to malicious actors and virtually impossible to contain.
Discovering the Breach
The breach first came to light when USDoD announced its possession of the vast trove of personal information, including names, addresses, details about relatives, and Social Security numbers, spanning several decades. Some records date back as far as 30 years.
What is especially interesting is that many affected individuals were likely unaware of the breach or even the fact that NPD had collected their data in the first place. NPD's practice of scraping data elements from non-public sources without consent raises serious ethical and legal concerns. It is clear that this should force discussions about the rigor with which our governmental and private institutions handle PII (personally identifiable information). Even when strict compliance frameworks achieve their goals, they are not enough to put the necessary restrictions on the usage of this type of data.
The breach has triggered a class action lawsuit against NPD. The plaintiffs allege that the company failed to adequately secure the collected information and that they never granted NPD access to their personal data.
A thorough investigation by KrebsOnSecurity revealed a near-identical website to NPD called recordscheck.net, which was hosting an archive containing site logins and source code for some of the site's tools in plaintext. This exposed information could have provided unauthorized access to the same consumer records as NPD. The now-removed file contained email data belonging to NPD founder Salvatore Verini.
Timeline of the National Public Data Breach
Based on details from Krebs and other sources, the NPD breach appears to have unfolded as follows:
- April 2024: A cybercriminal, USDoD, began selling data stolen from NPD.
- July 2024: A leak exposed the stolen data, comprising names, addresses, phone numbers, and sometimes email addresses of over 272 million individuals, including deceased people.
- August 12, 2024: NPD acknowledged the breach, stating it originated from a security incident in December 2023. USDoD attributed the July leak to another hacker with access to the NPD database, claiming it has been circulating in underground forums since December 2023.
Over the past week, a number of further findings have emerged, including:
- Post-Breach Discovery: KrebsOnSecurity, alerted by a reader, found that RecordsCheck.net, a sister site of NPD, was hosting an archive containing site administrator login credentials.
- Exposed Archive: The archive, available until August 19, 2024, included source code and plaintext usernames/passwords for RecordsCheck.net components. The site shares visual similarities with NPD and identical login pages.
- Password Vulnerabilities: The archive revealed that RecordsCheck users were initially assigned the same weak password and many failed to change it.
- Connection to NPD Founder: Constella Intelligence, a service that performs breach tracking, found that passwords in the archive matched credentials exposed in past breaches involving email accounts of Salvatore Verini, NPD's founder.
- Response: Verini confirmed the removal of the exposed archive and stated that RecordsCheck.net would cease operations shortly.
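As an added example (not code from the original post, nor from NPD or RecordsCheck), the defender-side sweep that the shared-initial-password finding above calls for: given the initial password an onboarding flow handed to every account, re-derive it under each account's salt and flag accounts whose stored hash still matches, judging by the hash rather than by any "password changed" flag. The user table, salts, hash parameters and the initial password are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample values for this example (not from the original post).
# INITIAL_PASSWORD stands in for a weak password an onboarding flow hands to
# every new account; in a real audit it comes from the operator's own records.
INITIAL_PASSWORD = "Welcome123"
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the same derivation the user store would use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(username: str, password: str, changed_flag: bool) -> dict:
    """Build one constructed user record with its own random salt."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt),
            "password_changed": changed_flag}


# Constructed user table. "dave" carries a stale password_changed flag: the
# flag says True, but the stored hash is still the initial password.
USERS = [
    make_user("alice", INITIAL_PASSWORD, False),
    make_user("bob", "correct horse battery staple", True),
    make_user("carol", INITIAL_PASSWORD, False),
    make_user("dave", INITIAL_PASSWORD, True),
]


def still_on_initial_password(user: dict) -> bool:
    """Re-derive the initial password under this user's salt and compare the
    hashes in constant time. Only the operator, who knows the initial password
    it issued, can run this check; the hashes themselves are never reversed."""
    candidate = hash_password(INITIAL_PASSWORD, user["salt"])
    return hmac.compare_digest(candidate, user["hash"])


def audit_initial_passwords(users: list) -> list:
    """Return usernames that must be forced through a password reset, decided
    by the stored hash rather than by the self-reported password_changed flag."""
    return [u["user"] for u in users if still_on_initial_password(u)]


if __name__ == "__main__":
    for name in audit_initial_passwords(USERS):
        print(f"force reset: {name}")
```

The sweep is a one-time cleanup; the durable fix is to stop issuing a shared initial password at all and give new users an expiring one-time setup link instead.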
It's still uncertain how the data was initially stolen from National Public Data. KrebsOnSecurity was able to connect with USDoD (which is also infamously known for hacking into the FBI's InfraGard program) to get to the bottom of the issue.
USDoD confirmed selling the same dataset leaked on the cybercrime community BreachForums but denied responsibility for the leak. They stated the stolen data had changed hands multiple times since the initial theft in December 2023, highlighting the data's widespread circulation within the cybercriminal underworld.
Individuals working with USDoD apparently attributed the original theft to a hacker known as SXUL, whose Telegram account appears to have been recently deleted, possibly in response to the extensive media coverage surrounding the breach.
The Organizational Responsibility to Prevent Identity Theft
Since the NPD breach, credit bureaus have seen a surge in online traffic, driven by new subscribers enrolling in identity and credit monitoring services as consumers look to protect themselves.
Ultimately, this is a positive sign, as it demonstrates that consumers are taking an active role in protecting their own identities. That said, they are entrusting organizations to handle this data with great care, and companies need to earn that trust. As a modest proposal, all organizations with access to PII should adhere to essential identity trust principles that include:
- Rigorous Fraud Prevention: Preventing bad actors from creating fake accounts or impersonating legitimate users safeguards both the company and its customers.
- Adherence to Compliance Frameworks: Compliance frameworks exist to protect stakeholders against misuse (whether it’s intentional or unintentional) of data, equipment, and resources. Many industries have strict regulations around Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements. Proper and effective adherence to identity verification controls ensures compliance and helps avoid hefty fines.
- Trust Building: When users know their identity is verified, they feel more confident sharing their information and engaging with the company.
If implemented effectively, identity verification can significantly mitigate the risk of data breaches. It provides:
- Stronger Access Control: Verifying identities at the point of entry helps companies ensure only authorized individuals gain access to sensitive systems and data. This minimizes the risk of insider threats and unauthorized access.
- Deterrence for Cybercriminals: When companies have strong identity verification processes, cybercriminals are less likely to target them, knowing it will be harder to breach their defenses.
- Early Detection of Suspicious Activity: Continuous identity verification and monitoring can help companies detect unusual behavior and potential threats early on, enabling them to take proactive measures to prevent breaches.
Caution on NPD Breach Search Websites
Following last month's leak, numerous websites claiming to offer searches for affected individuals within the NPD breach have sprung up. However, using these services necessitates providing personal information, potentially putting you at further risk.
Given the numerous past data breaches exposing similar information, multiple experts have advised individuals to consider proactive steps to protect themselves, such as:
- Freezing consumer credit reports: Contact the major credit bureaus (Equifax, Experian, and TransUnion) to prevent new credit accounts from being opened in your name.
- Accessing free weekly credit reports: Take advantage of your right to free weekly credit reports to monitor any suspicious activity.
Learning from the NPD Breach: A Call for Enterprise Security and Identity Verification Best Practices
The NPD breach is yet another reminder of the critical importance of robust security and identity verification practices for enterprises. The massive exposure of personal data underscores the severe consequences of inadequate safeguards and the potential for far-reaching harm to individuals and businesses alike.
To prevent similar breaches, enterprises must proactively adopt and prioritize information security and identity verification best practices, including:
- Rigorous Data Security: Implement stringent security measures to protect sensitive data at rest and in transit. This includes encryption, access controls, and regular security audits.
- Effective Identity Verification Measures: Utilize passwordless and multi-factor authentication and advanced identity verification solutions to ensure only authorized individuals can access critical systems and data.
- Regular Employee Training: Educate employees on security best practices, including recognizing and avoiding phishing scams and other social engineering tactics.
- Incident Response Plan: Develop a comprehensive incident response plan to enable swift and effective action in the event of a breach.
- Third-Party Risk Management: Conduct thorough due diligence on third-party vendors and partners to ensure they maintain adequate security standards.
- Data Minimization: Collect and retain only the minimum necessary personal data and dispose of it securely when no longer needed.
- Continuous Monitoring: Employ continuous monitoring and threat intelligence to detect and respond to potential threats in real-time.
With these types of best practices, enterprises can significantly reduce the risk of data breaches and safeguard the sensitive information entrusted to them. It's a proactive approach to building a secure and resilient digital ecosystem, demonstrating a commitment to protecting both individuals and businesses from the consequences of breaches like this.