A Florida firm has all but confirmed that millions of people's sensitive personal info was stolen from it by cybercriminals and publicly leaked.

That information, totaling billions of records, includes the names, Social Security numbers, physical and email addresses, and phone numbers of folks in the United States, UK, and Canada. It's the sort of records data brokers regularly buy and sell.

And it is now available via the dark web for anyone to download and use for fraud.

Back in April, crooks using the online handle USDoD wrote on a cyber-crime forum that they were selling for $3.5 million what was alleged to be 2.9 billion records, across multiple files in a 277GB archive, on US, Canadian, and British citizens, including their aforementioned names and phone and Social Security numbers where relevant, as well as their address histories going back 30 years and details of their parents and relatives.

That silo of personal info was stolen from an outfit called National Public Data, or NPD, a small information broker based in Coral Springs that offers API lookups to other companies for things like background checks. According to USDoD, the stolen data was collected by NPD between 2019 and 2024. The firm likely sourced that info at least from public records at the local, state, and federal level.

A cyber-thief using the handle SXUL pilfered the information and passed it to USDoD to sell, which sparked a lawsuit against NPD at the start of this month.

Some of the stolen information had been leaking out via the dark web in bits and pieces, though last week, someone using the handle Fenice dumped what's claimed to be 2.7 billion records from that collection onto the internet for anyone to download for free if they know where to look. Note that it is a database with billions of rows, not billions of individuals; there are a lot of inaccuracies in the data, as well as a lot of dead people, and duplication.

After weeks of silence, and countless people starting to get alerts from privacy and anti-fraud services that their personal info has been leaked, NPD has, in cagey language, confirmed it was compromised and that its data was stolen and shared. According to the biz, it was ransacked in December, and the leaks started in April, leading up to now. According to USDoD, the data was passed around the cyber-crime underworld before ending up on sale and now in public.

"There appears to have been a data security incident that may have involved some of your personal information," NPD said in a statement this week.

"The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024," the background check firm added. "We conducted an investigation and subsequent information has come to light."

It continued:

NPD said it is working with law enforcement and government officials in light of this theft, and promised to secure its IT better: "We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems." It also recommended people put fraud alerts on their credit files so that any misuse of their data can be detected and stopped.

Troy Hunt, of HaveIBeenPwned.com fame, has a sobering analysis of the leaked data here, in which he points out that the file containing the Social Security numbers (SSNs) does not include people's email addresses, so if you get an alert that your email address has appeared in the disclosed NPD collection, don't assume your SSN is in there.

Also he spotted that the archive includes criminal records, and noted that USDoD in May leaked via the dark web 70 million such records.

There are 134 million unique email addresses in the latest NPD leak, Hunt said. And according to stats from Atlas Data Privacy, 272 million unique SSNs are in the stolen collection, most of them with a name and address, and about a quarter of the time a phone number. The average age is, interestingly, 70.

Also it was speculated earlier that the database basically covers people living in the United States, some of whom will be, say, British and Canadian, which is why those citizens have ended up in the archive.

Folks also should be wary of crooks using this info in phishing attempts. Also, remember this leak when you next see organizations (eg, this one) use your name, address, and SSNs for identification purposes, or if you're ever asked to build a system using that info as input.

Finally, as we earlier reported, people who use a data opt-out service to keep their info out of databases like NPD's found that their details were not among the leaked records, so on that basis, those services do work. ®

https://www.theregister.com//2024/08/16/national_public_data_theft/