Security leaders discuss the National Public Data breach

National Public Data, a background checking organization, experienced a breach potentially affecting 2.9 billion individuals. The breach exposed personally identifiable information (PII) such as names, phone numbers, mailing addresses, email addresses and Social Security numbers. 

“Organizations rely on the exchange of data for their vitality,” says Clyde Williamson, Product Management, Innovations at Protegrity. “Consumers share their personal identifiable information (PII) like Social Security numbers and emails with the expectation that businesses will protect this data and comply with privacy laws to prevent unauthorized access. In this case, National Public Data (NPD) scraped individuals’ PII from public sources for use in background checks, leaving people unaware if their data was accessed and emphasizing growing concerns regarding customer trust in businesses and their ability to secure their data.” 

National Public Data states they experienced an attempted hacking in December of 2023. The organizations believes this attempt may be related to subsequent data leaks in April 2024 and in later months of 2024. 

Regarding National Public Data’s announcement of the breach, Williamson remarks, “Notably, this breach wasn’t announced for a week; it only came to light and led to a lawsuit earlier because the company didn’t disclose it. Further, it’s still unclear whether they intentionally avoided sharing details of this breach or just discovered it themselves. This highlights the inadequacy of United States laws in handling citizens’ personal data, which are not equipped for the challenges of the 21st century. Data brokers like the NPD also aren’t held to the same regulatory standards as institutions like the Payment Card Industry (PCI), where they’re obligated to conduct annual audits and controls around credit card data. As things stand now, the U.S. has no such obligations.”

Protecting Social Security numbers 

National Public Data states it is cooperating with law enforcement on the matter. The organization advises individuals take preventative measures to protect their data, such as monitoring financial statements and credit reports.

With potentially 2.9 billion individuals impacted, everyone is encouraged to take preventative measures. Still, it is possible that certain demographics may be at higher risk. 

Williamson states, “Most likely, a lot of the stolen data set is from one of our most vulnerable demographics: senior citizens and their families. A popular scam has a threat actor pretending to be a lawyer with bad news for the senior — their family member is in trouble and needs money. And why wouldn’t a grandparent believe them if they had valid PII to validate their credibility? These scammers don’t have to open credit in someone’s name to ruin lives. They just need to know how to use the information stolen to empty a caring family member’s bank account.”

Not only should individuals take steps to secure their data; organizations must also act. Williamson comments, “As breaches and attack surfaces continue to grow, relying on class action lawsuits for negligence cannot be the best option. Organizations must prioritize transparency and enhance their efforts to de-identify sensitive data to protect consumer information. They need to move beyond traditional defense mechanisms and adopt regulator-recommended data protection strategies like encryption and tokenization. These methods render data useless to attackers, making it impossible to steal and use maliciously. By implementing these protections, businesses can diminish the value of stolen data and mitigate the long-term effects of ransomware attacks or fraudulent activities.” 

Security leaders weigh in 

Kiran Chinnagangannagari, Chief Product & Technology Officer, Securin 

“In the wake of the staggering National Public Data breach, which compromised millions of records on U.S. citizens, the silence from the company until the breach included leaked social security numbers is nothing short of alarming. This breach not only underscores the profound risks posed by mass data aggregation but also shines a harsh light on the glaring gaps in corporate responsibility when it comes to managing and communicating such incidents. The fact that such enormous volumes of personal data are accessible to companies, private investigators, and now the deep and dark web raises serious doubts about how well-protected our information truly is. This breach lays bare the minimal oversight over who gains access to this data —
and what happens to it afterward. 

“This breach should also serve as a wake-up call, emphasizing the critical need for organizations to rigorously evaluate the cybersecurity practices of their partners and third-party vendors. It’s no longer enough to trust that data handlers have robust defenses in place — organizations must proactively ensure that every entity in their supply chain is equipped to prevent such catastrophic breaches. It’s time for stricter regulations and better enforcement. Companies must be held accountable, not just for their own cybersecurity practices but for those of every entity they do business with. The stakes are too high to allow this kind of negligence to continue.” 

Chris Hauk, Consumer Privacy Champion at Pixel Privacy:

“Unfortunately, data brokers like National Public Data collect and sell personal data for use in background checks, criminal record research and more, putting people’s personal data at risk. Sadly, we will continue to see cyberattacks like this to be on the rise.

“Stronger regulations are needed to protect consumers’ data from being stored by data brokers against their will. Also, all data in data brokers’ databases should be required to be encrypted. All of the data, not just certain information. Data brokers should also be required to provide information about when and where the data in their databases was obtained from.

“While the barn door is already open in the case of the NPD data being exposed, there is something people can do to remove their data from brokers’ databases. Users can contact each data broker and manually request to have their data removed. Data brokers are required to remove information from their files when requested to. Unfortunately, this is a time-consuming request.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech: 

“Background check companies like National Public Data collect as much identifiable information as possible about everyone they can, then sell it to whomever will pay for it. It collects much of the data without the knowledge or consent of data subjects, most of whom have no idea what National Public Data is or does. I hope the forthcoming class-action lawsuit will set a precedent that forces NPD and other background check companies to inform data subjects when their info is added to a database, limit web scraping, and allow data subjects to see, modify, and delete data. NPD should be required to show data subjects where their info was sourced from so that they can take proactive steps to secure their privacy at the source. Furthermore, the compromised data should have been encrypted. The fact that it wasn’t shows just how little NPD cares about, well, pretty much everyone.”

Eric Avigdor, Chief Product Officer at Votiro: 

“The recent NPD breach highlights several critical issues regarding data security in both public and commercial organizations. In this case credentials to the company’s website and backend were posted in a file hosted on a publicly available website. There are multiple cybersecurity flaws here including poor credential management and weak security processes. The incident apparently started late in 2023 and continued with 2 additional data exfiltration events in April and June 2024. This seems like the cybersecurity architecture is fundamentally missing visibility, detection and tracking of data-related incidents. The company took a very long time to even realize they had been breached. 

“This breach highlights the importance of protecting data as it moves within an organization. Even if bad actors obtain credentials and view data, the scale of a breach becomes much larger when there are no controls on data as it moves through an organization and a significant amount of data can be exfiltrated quickly. Putting controls of where data is allowed to go and who can access it, should have prevented such a breach.  

“Ultimately, it is up to CISO’s and IT teams to modernize the technologies they deploy to prevent the loss of private Data. Hackers have realized legacy approaches to protecting private data are no longer effective and a significant amount of the IT budget is lost in traditional antiquated paradigms. Now is the time for IT professionals to stop hitting the snooze button on modernizing data security.”