In a massive data breach that one expert has called “astounding,” hackers gained access to information held by National Public Data (NPD), a data aggregator that provides background checks.
The breach has exposed the personal information of over 2.9 billion people living in the US. But it’s not just the number of people impacted – the breadth and sensitivity of the data is even more worrying. Documents from a lawsuit revealed that the hackers stole unencrypted data, including social security numbers, home addresses, phone numbers, and dates of birth. They then released much of this sensitive information on the dark web.
Basically, if you have ever lived in the US, this breach likely turbo-charges your risks of being targeted by fraudsters. Here’s everything we know at the moment.
NPD is a Florida-based company that compiles publicly available information to perform background checks. It maintains a large database of personal information, including social security numbers, physical addresses, and employment history.
Records Check is a sister property of NPD offering similar background search services. While the NPD breach stemmed from an incident dating back to December 2023, it appears the related website recordscheck.net was storing plaintext passwords (that is, unencrypted and easily readable passwords) through a back-end database in a file that was available from its homepage.
As reported in The National Desk, Steve Grobman, McAfee’s Chief Technology Officer, stated that the sheer quantity of the stolen data is “astounding.” It represents nearly nine times the population of the US.
The breach is especially concerning because the stolen information includes details about people’s relationships and employment history. Cybercriminals can use this data to impersonate victims’ loved ones or former colleagues in scams. For example, they could call someone pretending to be a relative in need of money, or send an email from a fake former co-worker asking for a job reference.
We explored similar risks in our recent webinar on data breaches and how cyber-fraudsters can use seemingly mundane information – like email addresses or surnames – to piece together a data “mosaic” that makes it easier to target victims. Those risks are even bigger when the information is as sensitive as plaintext passwords, home addresses, or social security numbers.
The data breach at NPD, combined with the password exposure at RecordsCheck.net, has created a perfect storm for identity theft and other malicious activities. Experts have urged Americans to consider freezing their credit files with major reporting bureaus to protect themselves. They’ve also encouraged everyone to monitor their credit reports, financial accounts, and online presence for any suspicious activity.
And, of course, there’s no better time to buff up your security hygiene – such as using multi-factor authentication and creating unique passwords for each account.
Within organisations, it’s important to remember that scams and fraud attempts are likely to target employees in finance, procurement and accounts payable (AP). Considering the breadth of this breach and the sensitivity of the data, a strong preventive step would be pressure-testing your current payment security controls. Consider new control procedures or technology solutions that protect employees and processes that are more likely to be targeted.
Learn how US school districts were tricked into losing millions through email scams and what you can do to defend against them.
Fraud can occur at any time, but there are specific periods when businesses in the United States are particularly vulnerable to fraudulent …
Oil giant Halliburton confirms a data breach after a cyberattack. Learn what happened, the potential impact, and how to protect your business.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
