The chronic nightmare of national public data leakage

Data breaches seem to be an endless scourge with no easy answers, but the recent breach of background check service National Public Data shows that How dangerous and difficult to solve They have become. After four months of ambiguity, the situation is beginning to become clearer, with national public data finally admit On Monday, a large amount of stolen data was publicly leaked on the internet.

In April, a hacker known for selling stolen information, the US Department of Defense (USDoD), began offering a trove of data for sale on cybercrime forums for $3.5 million, including 2.9 billion records affecting “the entire population of the United States, Canada, and the United Kingdom.” A few weeks later, samples of the data began to emerge as other actors and legitimate researchers worked to understand the source of the data and verify the information. By early June, At least some of the data is legitimate and contain information such as name, email, and physical address in various combinations.

The data isn’t always accurate, but appears to cover two broad categories of information: one that includes more than 100 million legitimate email addresses along with other information, and another that includes Social Security numbers but no email addresses.

“It appears that a data security incident occurred that may have involved some of your personal information,” the state public data wrote on Monday. “The incident is believed to involve a third-party bad actor who attempted to hack into data in late December 2023 and may have exfiltrated certain data in April 2024 and the summer of 2024… The information allegedly compromised included names, email addresses, phone numbers, Social Security numbers, and mailing addresses.”

The company said it has been cooperating with “law enforcement and government investigators.” NPD Facing potential class action lawsuit Fill the gap.

“We’ve become numb to the never-ending stream of personal data breaches, but I would say this is a serious risk,” said Jeremiah Fowler, a security researcher who has been monitoring the nation’s public data situation. “It may not happen immediately, and it may take years for many criminals to successfully figure out how to use this information, but the bottom line is, a storm is coming.”

When information is stolen from a single source, e.g. Target customer data stolendetermining the source of information is relatively simple. But when information is stolen from a data broker and the company doesn’t disclose the fact, determining whether the information is legitimate and where it came from becomes much more complicated. Often, the people whose data was compromised in a breach—the real victims—don’t even know that a national public data company holds their information in the first place.

Security researcher Troy Hunt said in a blog post on Wednesday about the contents and origins of the national public database. wrote“The only parties who know the truth are the anonymous threat actors and data aggregators who disseminated the data… We are left with 134 million email addresses in public circulation with no clear provenance or accountability.”