This past week the media and cybersecurity analysts have been in a frenzy regarding the latest hack. This class action arises out of the data breach that, upon information and belief, occurred in or around April of 2024 involving Defendant National Public Data (NPD).
A massive data breach has compromised a wealth of sensitive information spanning several decades, including current and past addresses, names, Social Security numbers, and, in some instances, details about relatives. While 2.9 billion records were compromised, this does not necessarily equate to 2.9 billion unique individuals, as multiple records may exist for a single person due to address changes over time.
The authenticity of the breach has been partially verified, with some individuals confirming the accuracy of their personal information, including details about deceased relatives. However, there are reports of outdated and incorrect data, suggesting the information may have been extracted from an older backup.
Cybercriminal Group USDoD
According to TechCrunch, the cybercriminal group USDoD played a central role in the National Public Data breach, claiming to have accessed the data in April 2024. Known for their previous attempts to sell stolen databases, USDoD listed the massive 277GB database containing 2.9 billion records for sale on the dark web for $3.5 million.
The exact timeline and method of the breach remain unclear, with some reports suggesting that the initial compromise may have occurred as early as December 2023. Adding complexity to the origin of the leaked information, a hacker named Fenice later leaked 2.7 billion records on the "Breached" hacking forum, attributing the data to another actor called "SXUL" rather than USDoD.
[Image: National Public Data data leaked on a hacking forum. Source: BleepingComputer]
In April, a threat actor known as USDoD claimed to be selling 2.9 billion records containing the personal data of people in the US, UK, and Canada that was stolen from National Public Data. At the time, the threat actor attempted to sell the data for $3.5 million and claimed it contained records for every person in the three countries. USDoD is a known threat actor who was previously linked to an attempted sale of InfraGard's user database in December 2023 for $50,000.
Since then, various threat actors have released partial copies of the data, with each leak sharing a different number of records and, in some cases, different data. On August 6th, a threat actor known as "Fenice" leaked the most complete version of the stolen National Public Data data for free on the Breached hacking forum. However, Fenice says the data breach was conducted by another threat actor named "SXUL," rather than USDoD.
Legal and Company Response
Multiple class-action lawsuits have been filed against Jerico Pictures Inc., operating as National Public Data, accusing the company of negligence and failure to adequately secure personal data. In response to the breach, NPD has acknowledged the incident on its website, stating they are cooperating with law enforcement and governmental investigators. "We are taking this breach very seriously and are working closely with authorities to ensure such incidents do not occur in the future," an NPD spokesperson said. The company claims to have implemented additional security measures to prevent future breaches and protect their systems. However, NPD has yet to directly inform affected individuals about their compromised data, with many learning of their involvement through third-party identity theft protection services.
Preventive Measures for Individuals
In the wake of this massive breach, experts are advising individuals to take several precautionary steps to protect their personal information. These steps include changing passwords for potentially affected accounts, closely monitoring financial statements and credit reports for unauthorised activity, and considering a credit freeze with major bureaus like Equifax, Experian, and TransUnion.
Dr Ilia Kolochenko, Founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, has commented on the new agreement.
“The CLOUD Act certainly accelerates and simplifies complex investigations in cyberspace, being an efficient and effective alternative to now-outdated MLATs and other traditional instruments used in cross-border criminal investigations.
The executive agreement between the US and the UK enacted under the Act will, however, be unlikely to have a revolutionary effect,” he says.
Law enforcement agencies from the two countries have already established tenable and rapid communication mechanisms when seeking digital evidence from each other in transborder criminal investigations. Likewise, while Australia has also joined the club, other countries are reluctant to participate because of, among other things, privacy concerns.
CNC Editors' Commentary
The National Public Data breach reveals a disturbing reality: our personal information is increasingly vulnerable to sophisticated cybercriminals who treat it as valuable currency on the dark web. The involvement of multiple actors, like USDoD and Fenice, not only underscores the complexity of this breach but also highlights the chaotic and dangerous landscape of cybercrime today.
National Public Data’s insufficient response to this crisis raises serious concerns about its ability to protect sensitive data. This breach serves as a stark reminder of the urgent need for stronger cybersecurity measures and more transparent handling of such incidents.