Cyber Daily

National Public Data starts notifying victims after billions impacted by data breach

The US background-checking firm has filed its notification with US authorities and is contacting 1.3 billion individuals.

David Hollingworth
Mon, 19 Aug 2024

Weeks after US background-checking outfit National Public Data made headlines as the focus of a lawsuit over a data breach that allegedly led to almost 3 billion people having their data sold online, the company has finally begun notifying the victims of the cyber incident.

The notification letter was filed with the Office of the Maine Attorney General – which the state requires by law if any of its citizens are affected by a data breach – on 17 August, and the filing notes that letters began being sent out on 12 August.

According to the filing, however, only 1.3 billion victims are being notified in this particular instance, with 2,760 of them being Maine residents.

“There appears to have been a data security incident that may have involved some of your personal information. The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. We conducted an investigation and subsequent information has come to light,” the letter said.

According to National Public Data, the information impacted “appears” to be names, email addresses, phone numbers, Social Security numbers, and mailing addresses.

The notification appears to suggest that National Public Data is having issues ascertaining the full extent of those impacted.

“We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you,” the letter said.

“We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems.”

The rest of the letter offers advice to those impacted, such as setting up credit monitoring and fraud alerts.

The data was offered for sale on a popular hacking forum by a threat actor with form when it comes to large data breaches. Forum user USDoD offered the dataset for the eye-watering price of US$3.5 million. The data was later confirmed to include full names, addresses and three or more decades of historical address data, Social Security numbers, and the details of parents, siblings, and other relatives.

USDoD has a history of high-profile data breaches. In September of 2023, USDoD claimed to have hacked Airbus, while in May 2024, the threat actor offered a US criminal database containing 70 million sets of records. The threat actor was first observed in December 2022.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
