4TB of Consumer Data Stolen in National Public Data Hack

A community of cybercriminals, Breachforums, announced in July 2024 that over 4 TB of data had been compromised. That data is being reported as originating from the Florida-based nationalpublicdata.com, which specializes in the collection of consumer information and background check processing. The first announcement was made regarding the breach back in April 2024 by a cybercriminal named “USDoD,” who was selling the data for $3.5 million. Leaked data contained in the billions of rows spanned information from names, addresses, and phone numbers to Social Security Numbers.

An analysis by HaveIBeenPwned.com and the cybercrime-focused Twitter account vx-underground confirmed that the leaked data was indeed the same as what was first offered for sale by USDoD. The records in that data contained a mixture of consumer and business records, some including tens of millions of Americans’ personal information, both living and deceased. The database leak also included 70 million rows from a U.S. criminal records database. Some news outlets reported that the breach involved 2.9 billion people, which is false; this is the number of data rows rather than the number of people. Nationalpublicdata.com publicly declared a data breach in August 2024. At the time, they said that a third-party hacker likely gained access to their data at the end of December 2023.

Company representatives said the breach potentially exposed names, email addresses, phone numbers, SSNs, and mailing addresses. Assuring the public, they also said they have cooperated with law enforcement and deployed more security measures to prevent such incidents in the future. The number of SSNs compromised, however, is not mentioned in the release. Further analysis reveals that the breach included 272 million unique SSNs and names and addresses. What’s interesting is that a significant percentage of the breached records were related to older patients, with an average age of 70, and millions of records linked to people who would be over 120 years old today.

This somehow suggests that part of the data could belong to deceased individuals, which is a small silver lining in an otherwise severe breach. It underlines the vulnerabilities immanent to the industry of data brokerage, in which big companies collect and sell masses of personal information with minimal oversight or security measures. Previous similar breaches over the past years involved PeopleConnect and People Data Labs, which highlighted the widespread risks and long-term consequences of such data spills. In many cases, the data that gets compromised ends up with scammers for purposes of identity theft and other forms of fraud, usually at a cost transferred to consumers.