Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

National Public Data Says Breach Impacts 1.3 Million People

National Public Data (NPD) has confirmed suffering a data breach, but the company says the incident only affects 1.3 million people in the US.

NPD data breach

National Public Data (NPD) has confirmed suffering a data breach following reports of 2.9 billion personal information records being compromised, but the company says the incident only affects 1.3 million people in the US.

Last week the firm published information on the leak. The information is vague, and there is some difficulty in accessing the URL. Nevertheless, it confirms:

“There appears to have been a data security incident that may have involved some of your personal information… The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”

Further details can be found on a breach notification published by the Maine Attorney General. The breach occurred on December 30, 2023. It was discovered by NPD on the same date. The total number of persons affected is 1.3 million, of which 2760 are residents of Maine.

According to NPD, “The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”

The April and summer dates coincide with HackManac announcing the availability of a 4 TB database containing 2.9 billion rows apparently exfiltrated from National Public Data, for sale at $3.5 million; with Fenice later providing links to the data. The implication by these two on X (formerly Twitter) is the leak was far greater than that announced by NPD. (The HackManac/Fenice announcements are discussed here.)

There remain inconsistencies between the ‘underworld’ stories and the NPD announcement. For example, NPD makes no mention (so far, at least) of any affected UK or Canadian victims. Nevertheless, we now have confirmation that there was a breach, and that US PII was stolen. 

Such inconsistencies were noticed by Troy Hunt, who undertook his own investigation into the data being dumped. He concluded, “We’re left with 134M email addresses in public circulation and no clear origin or accountability. I sat on the fence about what to do with this data for days, not sure whether I should load it [that is, add the addresses to his database of stolen email addresses] … Eventually, I decided it deserved a place in HIBP as an unverified breach.” 

Advertisement. Scroll to continue reading.

Finally, and returning to the NPD disclosure of just 1.3 million victims, it is worth noting that initial disclosed volumes tend to increase over time. For example, the initial April 2024 disclosure on the FBCS data breach announced that 1.9 million people had been impacted, but rose to 3.2 million by May 2024. It currently stands at 4.25 million on the Maine AGO site.

The full story behind the NPD breach, whether about the breach itself or the inflation or deflation of details, currently remains major but murky.

Related: 100,000 Impacted by Jewish Home Lifecare Data Breach

Related: 200k Impacted by East Valley Institute of Technology Data Breach

Related: 4.3 Million Impacted by HealthEquity Data Breach

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.