Background Check Company Breach Puts 2.9 Billion Records at Risk
Background checks often require a lot of personal information to develop an accurate picture of a subject’s history and trustworthiness. However, that had some serious consequences earlier this year when malicious cyber actors targeted a background check firm and allegedly stole millions of people’s data, including Social Security numbers.
In April 2023, a cybersecurity company posted on X (formerly Twitter) that about 2.9 billion records of personal data were for sale on the Dark Web. The data was purportedly stolen from National Public Data, a company that performs background checks. The company is being sued for allegedly failing to properly secure and safeguard the personally identifiable information (PII) it collected and maintained. (Hofmann v Jerico Pictures, Inc., d/b/a National Public Data, U.S. District Court, S.D. Fla., Case No. 0:24-cv-61383)
The lawsuit alleged that the information stolen includes individuals’ full names; current and past addresses (spanning at least the last three decades); Social Security numbers; information about parents, siblings, and other relatives; and other PII. The suit also alleged that National Public Data scraped the PII of billions of individuals from non-public sources, so data breach victims may not realize their information was in the company’s system and are now at risk, according to Bloomberg Law.
The named plaintiff, Christopher Hofmann, says he received notification from his identity-theft protection service provider on 24 July that his data was exposed in a breach and leaked online. He accused National Public Data of negligence, unjust enrichment, and breaches of fiduciary duty and third-party beneficiary contract.
According to the suit and separate cybersecurity companies’ analysis of the breach, a cybercriminal group going by the name USDoD posted a database entitled “National Public Data” on a Dark Web forum on 8 April. The attackers claimed to have the personal data of 2.9 billion people, putting the database up for sale for $3.5 million. Before they could sell the information, another threat actor—Fenice—scooped the data and released it on the Dark Web, ZDNet reported.
“If this in fact is pretty much the whole dossier on all of us, it certainly is much more concerning” than prior breaches, said Teresa Murray, consumer watchdog director for the U.S. Public Interest Research Group in an interview. “And if people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them.”
National Public Data appears to have resisted acknowledging the data theft for months. Last week, the company posting a “security incident” notice to its site to report “potential leaks of certain data in April 2024 and summer 2024.”
“We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you,” the company’s statement said. “We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems.”
The company has not formally notified people about the alleged breach, but it has been telling people who contacted it by email that “we are aware of certain third-party claims about consumer data and are investigating these issues,” the Los Angeles Times reported.
The leaked data, which also appears to include individuals’ email addresses, can be used for identity theft and fraud, as well as more targeted phishing attacks. But the Social Security numbers could be the goldmine for criminal actors—even though your name, address, phone number, and account passwords can change, your Social Security number doesn’t. For U.S. citizens, that nine-digit number is the key to apply for loans, credit cards, or investments.
The steps to take in response may feel quite familiar, since billions of records are compromised each year.
Experts suggest that individuals search for their own PII using tools such as Pentester, which can tell you if your Social Security number was leaked in the breach. If it was, check credit reports from all three major credit bureaus (Experian, Equifax, and TransUnion) regularly for any unauthorized activity, and report suspicious transactions to credit bureaus. Consider freezing your credit to prevent new accounts from being opened in your name.
Layering a third-party identity theft protection and credit monitoring service can also boost awareness around potential fraud attempts, The New York Times advised. Individuals should also set up two-factor authentication whenever possible and enable account alerts for unusual financial activity.