By Parker Soughers
About four months ago, the major data broker National Public Data experienced a cyber attack from a hacking group known as USDoD. During this attack, USDoD claimed to have stolen the private information of over 2.9 billion people. The stolen information include people’s names, addresses, phone numbers and social security numbers.
National Public Data is a platform that offers employers and investigators to perform personal background checks. NPD are data brokers that buy and sell people’s data, which is sometimes used for background checks. Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, reveals: “Because there’s no national privacy law in the U.S. — there is no law against them collecting this data against our consent.”
The details about the data breach came to light when USDoD offered to sell the private information for 3.5 millions dollars. However, two weeks ago a member of the hacking group, known as Felice, posted screenshots of the private information database to the hacking forum BleepingComputer. This data, once private, now was leaked to the entire internet–for free.
“Everyone with a Social Security number was impacted,” says Steinhauer in a conversation with CBS MoneyWatch. The leaked database can lead to a rise in identity theft, phishing, and fraud. “The biggest thing is to freeze your credit report, so it can’t be used to open new accounts in your name and commit other fraud in your name,” explains Steinhauer.
In response to the database leak, NPD published the following statement on their website, concerned the breach implicated a “Third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.” The company revealed that they were investigating the issue and “will try to notify you if there are further significant developments applicable to you.”
Aside from investigating the breach, NPD has deleted many of its records of private information, but also has retained data to comply with certain legal requirements. “It’s a reminder of the importance of protecting yourself, because clearly companies and the government aren’t doing it for us,” Stienhauer explains.
A class action lawsuit has been filed against Jericho Pictures‒NPD’s official company name. Plaintiffs allege that the company did not protect their own private data, further claiming that the company never had the permission or consent from users to collect and save the personal information. The lawsuit also alleges “…Upon information and belief, the vast majority of Class Members were unaware that their sensitive [personal information] had been compromised.”
The lawsuit opens the door for a larger debate about the legality and ethicality of data brokers and the downsides to these large companies collecting data. Data brokers have recently been on the rise, becoming targets for more cyber attacks. Director of Onapsis’s security research reveals the implications of USDoD’s attack.
“This incident is part of a larger, ongoing trend we’ve seen over the past several years. The proliferation of sensitive data online has created a lucrative target for cybercriminals. As this continues to grow, there can be an anticipated rise in data breaches as attackers refine their tactics and exploit emerging vulnerabilities and security gaps. By staying informed and adaptable, organizations can better protect themselves against these attacks and mitigate these threats swiftly.”
beniciapaw.com 