
Cyber Incident Victim: National Public Data

Date: Dec 2023

Location: United States of America

Summary

A Florida-based consumer data broker suffered a significant breach in which attackers compromised its systems, then stole and later leaked billions of records containing sensitive personal information, including Social Security numbers, names, addresses, phone numbers, and email addresses. The stolen data, comprising 272 million unique SSNs and 137 million email addresses primarily associated with older individuals, was later sold and publicly released by cybercriminals on underground forums. The company acknowledged the incident involved a third-party actor, cooperated with law enforcement, and implemented additional security measures. A class-action lawsuit was filed following the breach, which exposed records spanning decades and highlighted risks of identity theft and fraud for affected individuals across multiple countries.


Description

The National Public Data breach originated in December 2023 when hackers infiltrated systems of the Florida-based consumer data broker. Initial unauthorized access occurred through a third-party threat actor identified by the alias SXUL, who exfiltrated approximately 4 terabytes of sensitive records. The stolen data subsequently circulated among cybercriminals, with hacker USDoD listing it for sale on BreachForums in April 2024 at a $3.5 million asking price. This dataset contained 2.9 billion rows of records spanning three decades, including names, addresses, phone numbers, Social Security Numbers (SSNs), email addresses, criminal histories, and familial connections for individuals primarily in the United States, with some records from Canada and the UK. Analysis by HaveIBeenPwned.com confirmed 137 million unique email addresses within the leak, while Atlas Data Privacy Corp. identified 272 million unique SSNs. The compromised records predominantly involved individuals born before 2002, with an average age of 70 and approximately two million records pertaining to people who would be over 120 years old today. In July 2024, another threat actor named Fenice publicly leaked 2.7 billion records from this dataset on BreachForums without restriction.


National Public Data acknowledged the incident publicly on August 12, 2024, confirming that attackers potentially accessed name, email, phone number, SSN, and address information. The company stated it had cooperated with law enforcement investigations and implemented undisclosed additional security measures following the breach detection. Forensic analysis revealed no email addresses appeared in files containing SSN records, limiting direct correlation between those data points. Impacted individuals faced heightened risks of identity theft and phishing attacks due to the exposure of static identifiers like SSNs. A class-action lawsuit was filed against the company, though it erroneously cited 3 billion affected people rather than records. Researchers verified the data's accuracy through sampling, confirming valid addresses and phone numbers in 26% of records examined. The breach exposed systemic vulnerabilities in data broker operations, as National Public Data's parent company Jerico Pictures Inc. maintained connections to multiple consumer data ventures including RecordsCheck.net and PublicRecordsUnlimited.com, which aggregated information from government sources like voting registries, criminal records, and professional licenses without robust security protocols. No evidence emerged regarding how attackers initially compromised the company's systems.
