In a year already marked by massive cybersecurity incidents, another major data breach has come to light, affecting millions of Americans. National Public Data (NPD), a background check company owned by Jerico Pictures Inc., recently disclosed that it fell victim to two separate cyberattacks in 2024, with the first occurring in April.
According to NPD's statement, the stolen data includes highly sensitive personal information like names, Social Security numbers, phone numbers, email addresses, and mailing addresses. While the company has not specified the exact number of individuals affected, a lawsuit filed in the US District Court for the Southern District of Florida suggests the impact could be staggering, potentially reaching millions of affected individuals.
In response to media inquiries, NPD, led by CEO Salvatore Verini, has removed detailed information about its databases from its website and has not provided public comment.
Malware research group vx-underground said that they could “...confirm the data present in it is real and accurate...We searched up several individuals who consented to having their information looked up...It also allowed us to find their parents, and nearest siblings. We were able to identify someones [sic] parents, deceased relatives, Uncles, Aunts, and Cousins,”. However, independent investigations by TechCrunch revealed a combination of correct and inconsistent information that is publicly available.
The cybercriminal group known as USDoD allegedly put the stolen data up for sale on the dark web for $3.5 million, highlighting the immediate risks posed by this breach. The self proclaimed hackvist group has been around in the underworld since at least 2020. They once bragged about pulling off a hack-and-leak operation on a major professional networking platform, only to have industry experts call out their bluff.
USDoD's modus operandi typically involves social engineering tactics to steal sensitive data, a method that's proven pretty effective in both their hacktivist escapades and for-profit schemes. In the past couple of years, they've grown more ambitious, focusing on high-profile targeted intrusion campaigns like the now infamous Crowdstrike incident.
Historical Context
If this story feels like déjà vu, you're not wrong. Both the frequency and scale of cyberattacks are increasing. We're barely halfway through 2024, and we've already seen AT&T and Ticketmaster get hit by large scale cyber attacks. According to the Identity Theft Resource Center, more than 1,500 data breaches occurred in the first half of 2024 alone, impacting approximately 1 billion people.
The scale of the NPD breach draws comparisons to other significant data breaches in recent history, such as the 2017 Equifax breach that exposed the personal information of 147 million Americans, and the Yahoo breach disclosed in 2016 that affected 3 billion user accounts.
Implications and Response
NPD stated that they are cooperating with law enforcement and have implemented additional security measures to prevent future incidents. However, the company's delayed public response – nearly two weeks after some individuals were notified through third-party identity theft protection services – has raised questions about corporate responsibility in the face of such breaches.
Finding Out If You Were In The Breach
Pentester.com offers a service to look your information up in the NPD data breach. You can check to see if you’re in it. Please make sure to read Pentester’s terms of service.
https://npd.pentester.com/
Additionally, if you’re concerned about any of your email accounts or passwords you can check haveibeenpwned to see if your accounts have been leaked.
Keep your eyes peeled for phishy emails and texts. Don’t click links from unknown senders even if there’s a supposed emergency or it’s a hacker claiming they have your password.
Many have also advocated freezing credit cards so that cybercriminals can’t apply for loans under your newly leaked SSN data. The NPD breach is just another reminder that you can never trust any of your information in the hands of Big Tech and Big Data.
Sources
https://www.cnet.com/personal-finance/identity-theft/social-security-numbers-and-personal-data-of-billions-breached-in-national-public-data-cyber-attack-heres-what-you-need-to-know/
https://techcrunch.com/2024/06/11/the-mystery-of-an-alleged-data-brokers-data-breach/
https://www.crowdstrike.com/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/
https://www.scmagazine.com/brief/crowdstrike-ioc-list-exposed-by-usdod-threat-actor
https://tbot.substack.com/p/did-the-at-and-t-hack-uncover-a-surveillance
https://help.ticketmaster.com/hc/en-us/articles/26110487861137-Ticketmaster-Data-Security-Incident
https://www.idtheftcenter.org/wp-content/uploads/2024/01/ITRC_2023-Annual-Data-Breach-Report.pdf
https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement
https://www.darkreading.com/cyberattacks-data-breaches/deconstructing-the-2016-yahoo-security-breach
This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit
tbot.substack.com/subscribe
