National Public Data Confirms Massive Breach

Published: 23/11/2024   Category: security




Cyber incidents like this highlight the need for tougher action on companies that fail to adequately protect consumer data.



Data aggregator National Public Data (NPD) has finally confirmed a breach that has exposed personal identity records belonging to potentially hundreds of millions of consumers across the US, UK, and Canada.
In a statement that offered few details, the Coral Springs, Fla.-based company acknowledged what numerous others have reported in recent days: that a third-party bad actor accessed data from NPD's databases sometime in April 2024. The company described the data the threat actor accessed as including full names, email addresses, phone numbers, Social Security numbers, and mailing addresses belonging to an unknown number of people.
NPD's advisory contained the usual boilerplate language about the company taking steps to protect against a similar incident, but it left it entirely up to victims to take measures to protect themselves against ID theft and other fraud resulting from its security lapse. NPD is a data aggregator that claims businesses, private investigators, human resources departments, and staffing agencies use its data for background checks, to obtain criminal records, and for other uses.
News of the breach has been circulating since at least April, when Dark Web Intelligence posted on X about USDoD, a hacker with a reputation for previous data heists, having obtained a database from NPD containing some 200 gigabytes of personal information on residents of the US, UK, and Canada. The threat actor claimed the NPD database contained some 2.9 billion rows of records. Many have incorrectly reported that figure as the number of victims in characterizing the breach as one of the biggest ever of private data.
VX-underground, a community focused on malware and cybercrime, reviewed the dataset and assessed the leaked data as being "real and accurate" and containing "the first name, last name, SSN, current address, and addresses for individuals going back over 30 years. It also allowed us to find their parents, and nearest siblings," VX-underground said. "We were able to identify someone's parents, deceased relatives, Uncles, Aunts, and Cousins."
In addition, the NPD database contains information on deceased individuals, some of whom had been deceased more than 20 years.
Troy Hunt, who maintains the Have I Been Pwned site, reported finding 134 million unique email addresses and millions of rows of criminal records. He assessed the massive dataset as containing a kludge of data useful to criminals alongside useless, incorrect, and redundant data that NPD appears to have built by scraping publicly available data from countless, and now untraceable, sources.
The massive breach has prompted the usual concerns about the need for organizations to implement stronger controls for protecting data that consumers entrust to them. An Apple study last year found data breaches compromised a staggering 2.5 billion consumer records in 2021 and 2022.
But it has also resurfaced a long-standing sentiment among many about the need for organizations, government entities, and others to stop using SSNs as the primary identifier for pretty much any and all transactions.
"NPD should have done lots of things better, but there is one thing that's on us: it's past time to get rid of SSN," says Ambuj Kumar, CEO of Simbian. Replacing SSN with a digital ID similar to what's used in cryptography and in a technology like Apple Wallet is relatively easy and straightforward, he says.
"The impediments are purely psychological and inertia," Kumar says. "Think of a digital ID as a government-issued credit card number that is known only to the government and the individual," he notes. "When applying for a mortgage, for example, a token is generated from the original number and this new number is shared with the bank. If there is a breach at the bank, the original number is still safe since the bank only saw the token."
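The tokenization Kumar describes can be made concrete. The following is an added illustration, not Simbian's or anyone's actual design: it assumes the issuer derives tokens with HMAC-SHA256 under a key only the issuer holds, and that each relying party (bank, employer) is named in the derivation so tokens are specific to that party. It also shows the caveat a practitioner would want: an unkeyed hash of a small identifier space is not a token at all, because the whole space can be enumerated. All identifiers and keys below are constructed sample values.

```python
import hashlib
import hmac
from typing import Callable, Iterable, List

# Constructed demo key. In the scheme described, only the issuing authority
# holds this. It is hard-coded here only so the example runs offline and
# deterministically; a real issuer would keep it in an HSM or KMS.
ISSUER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def derive_token(issuer_key: bytes, original_id: str, relying_party: str) -> str:
    """Return the token a relying party receives instead of the original ID.

    HMAC-SHA256 over (relying_party, original_id). Two properties follow:
      - without issuer_key the token cannot be inverted or re-derived, so a
        breach of the relying party's records does not expose original_id;
      - relying_party acts as domain separation, so the same person holds a
        different token at every institution (leaks cannot be joined).
    """
    message = relying_party.encode("utf-8") + b"\x00" + original_id.encode("utf-8")
    return hmac.new(issuer_key, message, hashlib.sha256).hexdigest()


def verify_token(issuer_key: bytes, original_id: str, relying_party: str, token: str) -> bool:
    """Issuer-side check that `token` belongs to this person at this party.
    Constant-time comparison so the check itself leaks nothing."""
    expected = derive_token(issuer_key, original_id, relying_party)
    return hmac.compare_digest(expected, token)


def tokens_are_unlinkable(issuer_key: bytes, original_id: str, parties: Iterable[str]) -> bool:
    """True if every relying party holds a distinct token for the same person."""
    parties = list(parties)
    tokens = {derive_token(issuer_key, original_id, p) for p in parties}
    return len(tokens) == len(parties)


def naive_token(original_id: str) -> str:
    """What NOT to do: an unkeyed hash. A 9-digit identifier has only 1e9
    values, so anyone holding leaked hashes can enumerate the whole space."""
    return hashlib.sha256(original_id.encode("utf-8")).hexdigest()


def ids_recoverable_from_leak(
    leaked_tokens: Iterable[str],
    candidate_ids: Iterable[str],
    tokenize: Callable[[str], str],
) -> List[str]:
    """Model a party who obtained a relying party's token store and tries
    each candidate identifier through a tokenizer it can run. Returns the
    candidates that map onto leaked tokens (empty means the leak is inert)."""
    leaked = set(leaked_tokens)
    return [cid for cid in candidate_ids if tokenize(cid) in leaked]


if __name__ == "__main__":
    person = "123-45-6789"  # constructed, not a real number
    candidates = ["123-45-6789", "000-00-0000", "987-65-4321"]

    bank_token = derive_token(ISSUER_KEY, person, "bank-a")
    print("bank-a token:", bank_token[:16], "...")
    print("issuer verifies:", verify_token(ISSUER_KEY, person, "bank-a", bank_token))
    print("unlinkable across parties:",
          tokens_are_unlinkable(ISSUER_KEY, person, ["bank-a", "bank-b", "employer"]))

    # Leak of unkeyed hashes: the identifiers fall out by enumeration.
    naive_leak = [naive_token(c) for c in ["123-45-6789", "987-65-4321"]]
    print("recovered from naive leak:", ids_recoverable_from_leak(naive_leak, candidates, naive_token))

    # Leak of keyed tokens: without ISSUER_KEY, a guessed key recovers nothing.
    keyed_leak = [derive_token(ISSUER_KEY, c, "bank-a") for c in ["123-45-6789", "987-65-4321"]]
    guessed_key = b"\x01" * 32
    print("recovered from keyed leak:",
          ids_recoverable_from_leak(keyed_leak, candidates, lambda c: derive_token(guessed_key, c, "bank-a")))
```

Two design choices matter more than the hash function: the key must never leave the issuer, and the relying party's name must be part of the derivation, otherwise a token leaked from one institution is directly usable at every other one, which is exactly the property of the SSN the scheme is meant to remove.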
The breach has also focused attention on the limits of what consumers can do to protect their data. Chris Deibler, vice president of security at DataGrail, says none of the usual recommendations, such as using password managers, adding multi-factor authentication, and paying attention to account resets, would have helped in the NPD breach. The real effort now has to come at the corporate and regulatory level, and more effort should be focused on disincentivizing mass data aggregation.
"Corporations don't respond to the same stimuli as individuals, so advocating for better education and letting the moral arc of the universe do its thing probably isn't going to cut it," Deibler notes. "You need levers that actually change the conversation about data collection and handling risk at the board level. In that context, corporations respond to specific liabilities — reputational, civil, criminal, existential."
He argues that harmed parties in a data breach should have specific, statutorily defined compensations available to them that go well beyond just one year's worth of free credit monitoring. Similarly, executives at companies that knowingly put customer data at risk should share criminal liability for a breach. "In the most egregious of circumstances, if you mess up hard on customer data, you should not be permitted to have the opportunity to do so again, either at the corporate or individual level."
