Giant background check provider confirms millions of SSNs leaked in security incident

One of the largest companies that conducts background checks confirmed that it is the source of a data leak that sparked nationwide outrage due to the millions of Social Security numbers leaked.

In a statement Friday, National Public Data said the company detected suspicious activity on its network in late December and that a hacker subsequently shared certain amounts of data in April and over the summer.

“The incident appears to have involved a malicious third party attempting to hack data in late December 2023. Data breaches may have occurred in April 2024 and summer 2024. We conducted an investigation and subsequently brought information to light,” the Florida-based company said.

“The information allegedly stolen included name, email address, phone number, social security number, and mailing address(es).”

National Public Data said it had “worked with law enforcement and government investigators and conducted a review of potentially affected records.”

The company plans to notify those affected when there are further updates. It's unclear how someone would know they were affected by the breach, but the company urged people to monitor their financial accounts for unauthorized activity.

Cybersecurity experts have known about the leaks since April, but since then the company has declined repeated requests for comment from Recorded Future News. The company remained tight-lipped until this week, when concerns about the vast amount of exposed Social Security numbers (SSNs) went viral on social media.

Companies and private investigators pay National Public Data to obtain criminal records, background checks and more – and the company enables them to search billions of records instantly.

On April 7, a well-known hacker going by the name USDoD posted a database on the criminal marketplace Breached that allegedly contained 2.9 billion records of U.S. citizens. The cybercriminal – best known for sharing data he stole from European aerospace giant Airbus – claimed the data came from another hacker known as “SXUL” and offered the information for $3.5 million.

It's unclear whether anyone paid for the information, but the hacker began leaking parts of the database in June, and others offered it for sale throughout the summer.

Several cybersecurity experts, including privacy expert Troy Hunt, have confirmed that while the database contains duplicates, much of the information is accurate.

The data includes a person's first and last name, three decades of address history and Social Security number. Some experts said they could also find a person's parents, siblings and next of kin. The database includes living and deceased people.

Some have noted that individuals who use data opt-out services were not included in the database.

While some news outlets and social media platforms incorrectly reported that the information from the data leak covered 2.9 billion people, Hunt estimated that the database included about 899 million unique SSNs.

The FBI and other U.S. cybersecurity agencies did not respond to requests for comment.

National Public Data is already facing lawsuits over the data breach. A lawsuit was filed two weeks ago in the U.S. District Court for the Southern District of Florida after a California resident received a notice from his identity theft protection provider about the data breach in July.

Chris Deibler, vice president of DataGrail, said the breach shows that we are “reaching the limits of what individuals can reasonably do to protect themselves in this environment.”

“The balance of power is currently not in favor of the individual. [The European Union’s] GDPR and the various state and federal regulations coming online are good steps, but the prevention and consequence models in place today clearly do not prevent mass data aggregation,” he said.

Akhil Mittal of Synopsys Software Integrity Group added that while the number of records will make headlines, the long-term impact on people could last for years. Millions of people will continue to struggle with identity theft, fraud and more for years to come as a result of the data breach, he said.

Mittal echoed Deibler's comments, arguing that a broader discussion on data privacy and security needs to be initiated.

“It’s time for stronger regulations and better enforcement to ensure that companies are truly protecting our information,” Mittal said.
