Massive Data Breach – listen up!
National Public Data is not a household name, maybe, but it should be. They’re a ‘data aggregator’, used by banks, credit card companies…these are the folks who keep your data for other folks to access. One would think that sensitive data should be secure, no? Well… no.
In a statement that offered little details, the Coral Springs, Fla.-based company acknowledged what numerous others have reported in recent days about a “third-party bad actor” accessing data from NPDs databases sometime in April 2024. The company described the data which the threat actor accessed as including full names, email addresses, phone numbers, Social Security numbers, and mailing addresses belonging to an unknown number of people.
NPD is a data aggregator that claims businesses, private investigators, human resources departments, and staffing agencies use its data for background checks, to obtain criminal records and other uses.
“Unknown number”…try almost 3 BILLION lines of records. That’s not 3 billion records, thankfully, but still millions upon millions of records. Who do they think they are, VA?
News of the breach has been circulating since at least April when Dark Web Intelligence posted on X about “USDoD” a hacker with a reputation for previous data heists, having obtained a database from NPD containing some 200 gigabytes of personal information on residents in the US, UK, and Canada. The threat actor claimed the NPD database contained some 2.9 billon rows of records.
X-underground, a community focused on malware and cybercrime, reviewed the dataset and assessed the leaked data as being “real and accurate” and containing the first name, last name, SSN, current address, and addresses for individuals going back over 30 years.
Troy Hunt, who maintains the “Have I Been Pwned” site, reported finding 134 million unique email addresses and millions of rows of criminal records.
They say that this data was ‘scraped’ by NPD from many sources – I could believe that. I tested my name and birth year and it found multiple listings (even some addresses I had completely forgotten) but at least 25% of the Socials they showed were incorrect. pentester has a tester similar to the one I used. I would strongly suggest testing to see if your data was leaked. If so, it is suggesting freezing your credit at the various credit reporting entities is the best response.
Of course, the root problem is that we lazily allow the government and financial institutions to use an extremely INsecure number as the basis for all transaction – our Social Securiy Numbers. They were never intended to be a form of financial ID, and cases like this show the need for the Feds and banks to get off their collective derrieres and bloody well DO something to replace them.
“NPD should have done lots of things better but there is one thing that’s on us: it’s past time to get rid of SSN,” says Ambuj Kumar, CEO of Simbian. Replacing SSN with a digital ID similar to what’s used in cryptography and in a technology like Apple Wallet is relatively easy and straightforward he says.
“The impediments are purely psychological and inertia,” Kumar says. “Think of a digital ID as a government issued credit card number that is known only to the government and the individual,” he notes. “When applying for a mortgage, for example, a token is generated from the original number and this new number is shared with the bank. If there is a breach at the bank, the original number is still safe since the bank only saw the token.”DarkReading
Makes sense to me.
Methinks there needs to be a class action lawsuit to sue them for snatching our personal information including SSNs to financially ruin this company. It’s the least we can do.
Class action lawsuit = one well-compensated law firm, thousands and thousands of people getting $8.75 a piece along with “one year of free credit monitoring” 🙄
I found NPD tester to be inaccurate because you would have to test every zipcode you have lived in. Even though the results were accurate by zip, I do not remember all the zips I have lived in. Pentester is accurate. My shit has been exposed. Off to freeze my credit now dammit.
Ever since the OPM debacle, mine stays frozen and monitored.
We only know the disclosed breaches.
Yeah, my info was compromised while still in uniform, then again after a VA and OPM data breach (2015 IIRC).
Now this – associated with former addresses but not my current one.
I have credit monitoring and will likely lock down through the credit reporting agencies.
I am a Yeoman with 22 yrs if service in USN. For those that do not know what YN does, it is a lot of paperwork and desk duty.
For those of my era, remember back in the late 60’s, when we went from service numbers to SSN for ID?? I do. We even had to provide a written reason for why we needed their
SSN on every form they filled out. What a nightmeer (sic).
I will bet any amount of cash, that there are massive file drawers filled with special request chits, leave papers, service records, etc with past members SSN. Talk about a massive data breach!!
I walked into an old building that had been used for record storage back in 1972 and what did I find? 32 file cabinets full of paper. Us admin types are supposed to close out files every so often but what most do is purchase another file cabinet. Better – NO, but easier than doing what is right
I was a rear detachment 1SG in 2010. I retired from the Army in 2012. In 2018, I started working for the Army as an electronics mechanic. One of many services we offer is the installation and maintenance of security cameras. Soooo in 2014, my old unit vacated the building my office was in and relocated. Fast forward to 2019. The garrison safety office moves into my old building and we’re installing security cameras. As we’re running cable, I come across a thick file folder in the back room. It’s urinalysis records from 2010. How do I know this? Because the very first name in the “D” section was me. Right next to my SSN. Roughly 100 names and SSN’s, left laying out for years. I hand delivered the file to the BN CDR. I’d known her since she was a CPT, she blew a head gasket. Your information is not safe anywhere.
I have my US Navy dog tag with my service number on it. By the way BMCPO did they call YN’s YO YO’s during your time??, We had Scope Dopes, Skivvy Wavers, Deck Apes, Pecker Checkers, Snipes and 2 nukey pooks that washed out of Sub School and put them in A Gang (A Div) with us.
If you really want to have your mind blown over how much of your data is out there you have a free option. Go to the Lexisnexis web site and request your free data packet. You will be amazed at how much they have on you both currently and in the past including credit rating. I use a data deletion company to scrub my data but while they “request” lexisnexis remove my data they cannot force them to do so. You can opt out of lexisnexis but it takes a written demand from you to accomplish that. Even then, I would not count on it happening as they make money selling your data to everyone who asks.
The proposed answer:
Who wants to lay odds that in no time at all, unless one has submitted to this digital ID one will not be allowed to buy or sell anything?
Track your purchases? Generate a database of those engaged in deplorable activities? Cut you off from being able to buy life’s basic necessities?
Was thinking similar. Another “oops” to push us peons into a (KOFF!) “secure Gooberment digital ID” (KOFF!), all so Der Gooberment can track us better. (“VY DID YOU LEAF YOUR CELL PHONE AT HOME?”)
A barcode tattooed on the back of your neck would work.
Man pull-ease! Not only is Big Brother watching, Hell, everybody else is too. Private data? There ain’t no such thing anymore…and hadn’t been in a loooooong time. Mofos probably even got your penis size on file somewhere. Did a dive thru the linky and it showed my name and the last 2 digits of my SSAN at addresses I’d never been at. My full name, which is not exactly a common combination, like a Smith, Jones, Johnson is. For decades I’d bitch when the “required” paperwork for whatever included your SSAN. Did a whole lot of good…NOT! The inherwebz are forever. Your security?…not so much.
Cash still works but I’ve noticed more and more young people
can’t make change at the gas station.
The new generation kids can’t count. They can’t count to give change back. It’s all that new math, no wrong answers. Teaching all kids to be equally stupid. No one fails… I had to teach my employees how to do fractions so they could read a tape measure. Public schools are more concerned about feelings than teaching academics. Teaching socialism seems to be the standard. Easier to control the uneducated.
Thankyou Dave for posting this and look in your email for the Notification I sent you a few minutes ago about the breach I received from Lifelock/Norton yesterday and one of my passwords were exposed but lifelock gave me a partial password with 2 numbers and 3 letters which I didn’t recognize.
Jeff – I also received an email from Lifelock/Norton yesterday. Interesting and timely post David, almost like you know what is going on.
I enrolled in lifelock,Norton back in june of 2022 when MR. Security Me almost got taken in $1000,000.00 in bit coins and had to change my saving and checking accts. This was from a paypal delivery that I didn’t order and usually delete it from spam but I felt curious which killed the cat and almos myself. I call the number and a guy with an Indian accent gives me an Irish name which should have raised a red flag. I typed in the money amount to cancel and I couldn’t type it in and all od a sudden, the amount changed into the above amt. 3 months ago, I got a similar email and like a knucklehead called and it sounded like the same “Irish” guy and right away I said, are you the same F….kin A-Hole and hung up.
I don’t even call or click any of those bait scams.
But I HAVE almost been taken in by a couple of emails that looked too real to the real sites.
I answer unknown calls in Klingon. (Grin)
I didn’t think my name was that common, but I got probably 100 hits on the name, every address I have used since 1995, and multiple hits with varying SSNs at each address – and I stopped scrolling. There were LOTS.
I already had a freeze all my from credit bureau accounts from last go round with (insert here) Home Depot/AMEX/Bank of America, CitiBank/Target/VA/Cigna/Blue Cross/whatever …..you get the drill…over the last year or 3 or 5 or so….and I used to put a red flag on my account like every 4 or 6 months whatever was free a few years ago but now, yeah, I had to go through extra hoops and then at the Credit Union, UNLOCK my account to go through then REEfreeze it after I did a loan document SO I know it works. I just went in today 6 months after the fact to make sure it’s still there and it was.