MIAMI, FLA – The L.A. Times is reporting, approximately four months after a notorious hacking group claimed to have stolen a vast amount of sensitive personal information from a major data broker, a member of the group has reportedly released most of this data for free on an online marketplace for stolen personal information.
The breach, which includes Social Security numbers and other sensitive data, poses significant risks for identity theft, fraud, and other crimes, according to Teresa Murray, consumer watchdog director for the U.S. Public Interest Research Group. “If this is indeed the complete dossier on all of us, it is far more concerning than previous breaches,” Murray said in an interview. “And if people weren’t taking precautions before, which they should have been, this should be a five-alarm wake-up call.”
A class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Fla., indicates that the hacking group USDoD claimed in April to have stolen personal records of 2.9 billion individuals from National Public Data, a company that provides personal information for background checks to employers, private investigators, and staffing agencies. The group initially attempted to sell the data, which included records from the United States, Canada, and the United Kingdom, for $3.5 million on a hacker forum, according to a cybersecurity expert’s post on X.
Last week, a purported member of USDoD, known only as Felice, claimed on the same hacking forum that they were offering “the full NPD database,” as shown in a screenshot obtained by BleepingComputer. The data reportedly includes about 2.7 billion records containing individuals’ full names, addresses, dates of birth, Social Security numbers, and phone numbers, along with alternate names and birth dates.
National Public Data has not responded to requests for comment and has not formally notified affected individuals about the breach. However, in an email response to inquiries, the company stated that it was “aware of certain third-party claims about consumer data and are investigating these issues.” The email also mentioned that the company had “purged the entire database” of all entries, effectively opting everyone out, although some records may still be retained to comply with legal obligations.
Cybersecurity outlets that have reviewed portions of the data offered by Felice suggest that the information appears to be genuine. If the data is authentic, it could significantly increase the risk of identity theft, as it contains many of the details banks, insurance companies, and service providers use to create accounts and reset passwords.
Murray emphasized the severity of the situation, noting that with the leaked data, bad actors could engage in a wide range of fraudulent activities, including taking over existing accounts or creating fake accounts. While the leak does not include email addresses, driver’s licenses, or passport photos, criminals could potentially use information from previous breaches to fill in the gaps.
For those concerned about their information being compromised, experts recommend placing a freeze on credit files with the three major credit bureaus—Experian, Equifax, and TransUnion—to prevent criminals from opening new accounts in their names. Additional steps include using strong, unique passwords for each service, enabling two-factor authentication, and being cautious of unsolicited communications asking for personal information.
As Murray pointed out, “These bad guys, this is what they do for a living. They might send out tens of thousands of queries and get only one response, but that response could net them $10,000 from an unwitting victim. That’s what motivates them.”
This summary is based on a report from the Los Angeles Times .
