In perhaps the biggest breach of federal data to date, the National Public Data group reported that they were compromised four months ago by a hacking group according to a class action lawsuit filed in Florida. The scope of the breach is such that most if not everyone in America would be affected in some way with damages in untold millions if not billions.
The breach was first uncovered when a class action lawsuit was filed in Fort Lauderdale. The lawsuit contends that in April of this year, National Public Data (NPD), based in Coral Springs, Florida was breached, and hackers had access to billions of records. NPD is a background service, handling data that would be used in basically everything. This data, most of it personally identifiable information such as driver’s licenses and perhaps the biggest information stolen, social security numbers. All told, over 2.9 billion records, some of which were of deceased people, were potentially stolen and put on the black market. (1)
To complicate these matters, NPD revealed two things that cause no ends of headaches. The first is that there were attempted hacks dating back to December 2023. Meaning they had four months of attempted breaches and hacks that went unheeded. This lack off oversight was one of the many failures that led to the breach suggesting at least in the NPD the lack of training in spotting and dealing with such breaches, inevitably leading to what happened in April.
Now the hack would have been harder, if one of their employees had not committed one of the biggest cardinal sins in technology, revealing your own credentials on a public facing website. A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages. This employee, who more than likely has now lost his job over this, left his credentials in a spot where anyone could access it, which was only uncovered after the lawsuit uncovered this during its discovery process.(2)
The perpetrators of the crime were revealed to be the hacker USDoD, a hacker known to Brazilian authorities since 2022, having been responsible for other hacks in the intervening years.(3) In approximately April 2024, a cybercriminal group called "USDod" reportedly breached NPD's systems and stole private information on Americans collected by the company. On April 8, 2024, USDoD claimed on the dark web that they had stolen the personal data of 2.9 billion people and offered to sell the database for a payment of $3.5 million.(4) It wasn’t until the lawsuit in Florida that the general public was even aware of the issue, by then the data had been in the dark web for four months.
In the light of this revelation, there are steps you can take. Lock down your credit history is one of the biggest steps. You can simply request one of the credit reporting bureaus, Experian, TransUnion and Equifax, to freeze your credit, which they have to do within a day. If hackers intend to open an account using the stolen data, locking down your credit history will prevent a credit check from someone you didn’t authorize to make one. In addition, your company should come up with a viable cyber security plan for when your data is compromised to limit the damage. The NPD breach shows that even US government records are not truly safe in this ever-changing cyber landscape.