Since April, a hacker known for selling stolen data has announced a significant data breach involving billions of records from a prominent U.S. data broker, which could affect more than 300 million individuals. This breach has potential implications for privacy and security, as it is one of the largest claims of its kind reported this year.
The hacker claims the data, now circulating on cybercrime forums, includes sensitive information such as full names, home addresses, and Social Security numbers of U.S. citizens. However, verifying the legitimacy of the data has proven difficult, a common issue in the data broker industry that often lacks rigorous quality control.
The alleged data broker at the center of this breach is National Public Data, which markets itself as a major provider of public records online. The company's website lists various databases available for purchase, including a “People Finder” database where clients can search through extensive records using identifiers like Social Security numbers, names, or phone numbers. "We offer access to over 250 million individuals’ data," reads their promotional material, implying significant reach and risk.
"We offer access to over 250 million individuals’ data,"
By the Numbers
Considering the implications of the breach, malware research collective vx-underground undertook their own investigation. According to their findings, “We reviewed the entire database and can confirm the data present in it is real and accurate,” they posted on X (formerly Twitter). By searching for individuals who consented to the lookup, they uncovered detailed information including names, address history extending over three decades, and Social Security numbers, adding layers of concern around privacy.
Furthermore, vx-underground noted their analysis went even further, revealing familial connections: "It also allowed us to find their parents, and nearest siblings. We were able to identify someone's parents, deceased relatives, uncles, aunts, and cousins." Such revelations indicate not only the depth of the breach but the potential for misuse of the data.
By the Numbers
TechCrunch also engaged in due diligence to assess the authenticity of the stolen records. A review of a smaller sample of five million records revealed numerous names and addresses consistent with public records, albeit with some inconsistencies—like email addresses linked to individuals that did not align logically with their other data. Among these records were claims of personal data from notable figures, including a former U.S. president.
Race Results
In an effort to further verify the hacker's claims, TechCrunch provided the hacker, identified as USDoD, with the names of eight individuals who had consented to the validation process. Unfortunately, the hacker failed to respond with any verified data. Additionally, outreach efforts to approximately one hundred people whose contact information appeared in the data yielded limited results, with only one individual acknowledging partial accuracy of the information.
Attempts to contact National Public Data for comments have been unsuccessful, as the company and its CEO Salvatore Verini have not responded. This lack of communication raises additional questions about accountability and transparency within the industry.
As this situation unfolds, the potential repercussions of such breaches cannot be ignored. With personal information of millions possibly compromised, this incident serves as a stark reminder of the vulnerabilities inherent in the data broker ecosystem. As individuals become increasingly aware of how their information can be aggregated and sold, the necessity for robust data protection measures is more pressing than ever.