Hackers leak huge trove of personal data from data aggregation firm
Hackers have leaked over 2.7 billion personal records containing sensitive information such as full names, social security numbers, physical addresses, and aliases for people in the United States.
The stolen records were obtained from National Public Data, a company that collects personal details from public records and sells access to the aggregated information for purposes like running background checks and finding criminal records.
National Public Data is believed to gather data by scraping information from various public sources to build comprehensive user profiles of individuals in the US.
In April this year, a hacker who goes by the name USDoD had claimed to be selling a database of 2.9 billion records containing personal information of people from the US, UK, and Canada. The hacker had tried selling the data, obtained from National Public Data, for $3.5 million.
USDoD is a known threat actor who was previously linked to attempting to sell user data from InfraGard, a nonprofit organization facilitating public-private collaboration for critical infrastructure security.
Leaked data of 2.7 Billion now publicly available
While National Public Data did not respond back then to queries about the data theft, parts of the stolen information have now been publicly leaked by multiple hackers over time.
The most complete leak happened on August 6th, when a hacker named ‘Fenice’ dumped the entire trove of personal records comprising over 2.7 billion entries on the Breached hacking forum.
Fenice acknowledges that the data was originally acquired not by them but by another hacker called ‘SXUL’. The leaked files, totaling 277GB in size, contain names, addresses, social security numbers of individuals without any encryption.
Some records also included other identifiable information like alias names, previous addresses, and phone numbers. However, the latest leak by Fenice did not include email addresses or phone numbers.
Accuracy and implications of the massive data breach
While the actual scope of individuals impacted remains unverified, many experts believe the data likely includes records for a majority of US residents, including some deceased.
Some affected individuals have also reported seeing SSNs mapped to names of people they do not know, indicating possible inaccuracies. The addresses also seem outdated in many cases.
The availability of such a vast trove containing core identification data has serious privacy and security risks. It leaves hundreds of millions highly vulnerable to identity theft and financial fraud.
Cybercriminals could easily use the leaked information for phishing scams, accessing accounts, taking loans, filing fake tax returns, and more.
Victims have filed class action lawsuits against the parent company of National Public Data, alleging negligence in protecting such sensitive information.
It is advised that all US citizens remain vigilant against potential ransomware attacks and other cyber threats in light of this massive data breach. Constant monitoring of credit reports and accounts is also recommended.
Overall, this incident demonstrates the urgent need for reforming how personal data is collected and handled and shows that even non-encrypted public records can be weaponized at a large scale to harm citizens when exploited by malicious actors. Comprehensive data protection regulations are the need of the hour.