The National Public Data (NPD) breach is emerging as 2024’s defining cybersecurity incident, but what sets this breach apart?
After weeks of speculation and a federal class action lawsuit, consumer data broker NPD confirmed its version of the breach in a brief statement. It outlined its remediation efforts, offered a vague promise to do better in the future, and shifted the burden onto consumers by suggesting they contact one of the major credit bureaus for further action, without offering to cover the cost.
What Makes the NPD Data Breach Unique?
Aside from the staggering 2.9 billion record count, the NPD data breach puts a spotlight on the controversial world of data brokers. Data brokers buy, aggregate, disclose and sell personal data with little oversight or regulation.
Firms like NPD essentially scrape public and non-public sources to compile personal profiles, so affected consumers never consented to the collection and, in most cases, had no idea NPD held their data until the breach. Even if you have done your best to stay offline, this breach proves your data is still out there somewhere.
The lack of consent for data collection is one of the focal points of the federal lawsuit, coupled with accusations that NPD knowingly did not secure their data. These are the reasons why this data breach is garnering so much attention beyond the reported 2.9 billion record count.
How Bad is the NPD Data Breach?
Bad. But how bad depends on who you ask.
Initial reports, including cybercriminal group USDoD's dark web listing of a 4TB data set for $3.5 million, put the count at nearly 2.9 billion personal information records. The class action lawsuit uses the same figure. Note that this is a count of records, not people: a single individual can appear in many rows (one per current and past address, name variant or date of birth), so the figure cannot be translated directly into a number of victims. For perspective, the global population is about 8.2 billion; the comparison that nearly 35% of the world may be affected only holds if every record were a distinct person, which is almost certainly not the case.
NPD, for its part, claims that the incident affected 1.3 million people in the United States and does not mention any international victims. Historically, initially disclosed numbers tend to increase over time as more details are confirmed, and some organizations deliberately stagger disclosure to limit reputational damage, so expect the final figure to land somewhere between the two.
Regardless of what the final number becomes, this is already considered one of the worst breaches in history.
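The gap between "records" and "people" is the first thing a responder checks when triaging a leaked data set. The following is an added example (not code from the original article or from NPD) that reads a small constructed CSV dump in which the same individual appears several times under different name spellings, SSN formats and addresses, and counts distinct individuals rather than rows. The column names and the sample rows are assumptions for illustration only.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample dump (not real data): several rows per person, as a
# broker aggregate typically looks after years of address and name changes.
SAMPLE_CSV = """first,last,ssn,address
JANE,DOE,123-45-6789,1 Main St
Jane,Doe,123456789,2 Oak Ave
J,DOE,123-45-6789,3 Pine Rd
JOHN,SMITH,987-65-4321,9 Elm St
John,Smith,987654321,9 Elm St
MARY,JONES,,5 Lake Dr
MARY,JONES,,5 Lake Dr
"""

NINE_DIGITS = re.compile(r"^\d{9}$")


def normalize_ssn(raw):
    """Strip punctuation and return a 9-digit SSN string, or None if unusable."""
    digits = re.sub(r"\D", "", raw or "")
    return digits if NINE_DIGITS.match(digits) else None


def person_key(row):
    """Key that identifies one individual across duplicate rows.

    SSN is the strongest identifier in this data set; rows without a usable
    SSN fall back to a case-folded name plus address, which is weaker but
    still collapses exact duplicates.
    """
    ssn = normalize_ssn(row.get("ssn"))
    if ssn:
        return ("ssn", ssn)
    return (
        "name_addr",
        row["first"].strip().lower(),
        row["last"].strip().lower(),
        row["address"].strip().lower(),
    )


def summarize(csv_text):
    """Return row count versus distinct-individual count for a CSV dump."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    per_person = Counter(person_key(r) for r in rows)
    return {
        "records": len(rows),
        "individuals": len(per_person),
        "max_rows_per_individual": max(per_person.values()) if per_person else 0,
        "rows_without_ssn": sum(1 for r in rows if normalize_ssn(r.get("ssn")) is None),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CSV))
```

On the sample above, seven records collapse to three individuals. The same logic scaled to a multi-billion-row dump is how a number like 2.9 billion records becomes a much smaller victim count, and the share of rows with no usable SSN tells you how much of the set can only be matched on weaker identifiers.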
What Data Was Exposed in the NPD Breach?
The NPD data breach included full names, email addresses, phone numbers, Social Security numbers and mailing addresses—the full gamut of PII that threat actors rely on for identity theft, fraud and other malicious activities. What makes the NPD breach even worse are the allegations that the data also includes family member information, both living and deceased, going back 30 years.
While this may sound like something out of a science fiction movie, the emergence of AI and deepfake social engineering attacks has some security experts concerned about the inclusion of family member data. Relatives' names and addresses are exactly what an attacker needs to answer knowledge-based verification questions and to make an impersonation of a loved one convincing, so there is a very real possibility of threat actors using this data to impersonate family members for financial gain.
Sound far-fetched? Just ask the finance worker who sent $25 million to hackers after they used deepfake technology to impersonate his CFO.
What Should NPD Breach Victims Do?
NPD has stated they will be notifying individuals impacted by the breach, but at the time of this article, no official outreach is underway.
Beyond the standard data breach checklist of reviewing financial statements, monitoring your credit and placing a credit freeze with each of the major bureaus, you can visit Norton's data broker resource center to learn more about how your data is collected and used by these brokers.
The NPD breach and legal battle will undoubtedly be one of the largest cybersecurity stories of the year, if not ever, given the scale and controversial nature of the entire incident. How this will impact data brokers in general will be another interesting fallout.
While a recent bipartisan bill took aim at data brokers, it only restricted the sale of Americans' data to foreign adversaries and did not address collection methods or domestic distribution.
A quick search of "data broker privacy" shows a long history of privacy and security concerns associated with the wild west of unregulated data collection for profit, which may finally be coming to an end at the expense of exposing nearly 3 billion records of personal data.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity.
To learn more, visit our dedicated Cybersecurity page.