National Public Data (NPD) has confirmed suffering a data breach following reports of 2.9 billion personal information records being compromised, but the company says the incident only affects 1.3 million people in the US.
Last week the firm published information on the leak. The information is vague, and there is some difficulty in accessing the URL. Nevertheless, it confirms:
“There appears to have been a data security incident that may have involved some of your personal information… The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
Further details can be found on a breach notification published by the Maine Attorney General. The breach occurred on December 30, 2023. It was discovered by NPD on the same date. The total number of persons affected is 1.3 million, of which 2760 are residents of Maine.
According to NPD, “The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”
The April and summer dates coincide with HackManac announcing the availability of a 4 TB database containing 2.9 billion rows apparently exfiltrated from National Public Data, for sale at $3.5 million, and with Fenice later providing links to the data. The implication from these two on X (formerly Twitter) is that the leak was far greater than that announced by NPD. (The HackManac/Fenice announcements are discussed here.)
There remain inconsistencies between the ‘underworld’ stories and the NPD announcement. For example, NPD makes no mention (so far, at least) of any affected UK or Canadian victims. Nevertheless, we now have confirmation that there was a breach, and that US PII was stolen.
Such inconsistencies were noticed by Troy Hunt, who undertook his own investigation into the data being dumped. He concluded, “We’re left with 134M email addresses in public circulation and no clear origin or accountability. I sat on the fence about what to do with this data for days, not sure whether I should load it [that is, add the addresses to his database of stolen email addresses] … Eventually, I decided it deserved a place in HIBP as an unverified breach.”
Finally, and returning to the NPD disclosure of just 1.3 million victims, it is worth noting that initial disclosed volumes tend to increase over time. For example, the initial April 2024 disclosure on the FBCS data breach announced that 1.9 million people had been impacted, but the figure rose to 3.2 million by May 2024. It currently stands at 4.25 million on the Maine AGO site.
The full story behind the NPD breach, whether about the breach itself or the inflation or deflation of details, currently remains major but murky.