AI Autopsy: National Public Data Breach

In April 2024, news started circulating on X, formerly Twitter, that data broker National Public Data (NPD) had been breached. According to the social media post, hacking group USDoD had put 2.9 billion customer records on sale on the dark web for $3.5m (£2.6m).

In June, USDoD threatened to leak NPD's entire database, and a month later, a Florida resident found out his information had been compromised and consequently filed a class action lawsuit.

Yet it took until August for NPD to admit to the breach after three class action lawsuits and numerous complaints. According to the lawsuits, the data included millions of names, email addresses, phone numbers, social security numbers and mailing addresses - some belonging to people who are now deceased.

137 million email addresses and 272 million social security numbers were leaked

In case you aren't familiar with it, NPD is a data broker that scrapes and sells information from public sources, including criminal records, addresses, and employment history, to be used for employee background checks.

That's a lot of sensitive data. While the actual number of breached records is thought to be much lower than the 2.9 billion stated initially, it is estimated that 137 million email addresses and 272 million social security numbers were leaked.

How did the breach happen? And what could NPD have done better? Here are five key takeaways from the recent incident.

1: Keeping passwords in plain text is a no-no

Experts agree that NPD's overall cybersecurity was lacking, but according to a later report on KrebsOnSecurity, an NPD sister site was even worse: Usernames and passwords were available via an accessible plaintext archive on an NPD-affiliated site called RecordsCheck.net.

"The data held by NPD was not protected by any meaningful encryption or multi-factor security" James McGoldrick

The data, which included logins belonging to NPD's founder, Salvatore Verini, allowed access to the same data available on NPD.

While the whole story is unknown, it appears that an unauthorised group accessed NPD's data between December 2023 and April 2024. Given that plaintext login credentials were publicly hosted on NPD's sister site, it is "perhaps not surprising" that this was possible, says James McGoldrick, digital forensics analysts manager at Systal.

"It is also apparent that the data held by NPD was not protected by any meaningful encryption or multi-factor security. The hacker was able to leverage those initial credentials or another security vulnerability to move freely and overcome additional layers of protection without being detected."

2: Criminals can use exposed data for ID theft and more

When data is stolen and exposed, it is often offered for sale or made available to criminals for free. Soon after the NPD breach, news indicated the dataset was publicly available on dark web forums and sharing platforms. "This massively lowers the bar for people seeking to exploit it for criminal gain," says McGoldrick.

For those affected, the potential impact will be felt for some time, says Jason Kent, hacker in residence at Cequence Security. "The data is now out there in the wild - and the best people can hope for is to limit the potential for identity fraud by freezing credit files and implementing multi-factor authentication (MFA) across online accounts."

The data loss is bad enough as a standalone event but also adds to vast amounts of information on the dark web. "With each breach, the ability of nefarious actors to piece together more complete profiles amplifies, further enabling their next attack," says Maurice Uenuma, VP and GM of Americas at Blancco.

3: Breaches kill customer trust

There's no doubt about it: breaches kill customer trust, not least when the data is as sensitive and wide-reaching as the information involved in the NPD leak.

The amount of personal information exposed is "sure to erode customer trust," says Peter Wood, chief technical officer at Spectrum Search. Consumers may now face potential identity theft, financial fraud, and "an enduring feeling of unease", he says.

4: React promptly, aptly and transparently

You should always respond quickly to a breach and be as transparent and honest as possible. NPD did not get on top of the data leak from the beginning, failing to inform and reassure affected parties, Kent points out. "The story leaked from the legal case published on Bloomberg Law, catching the organisation on the back foot and making it appear remiss in contacting those affected."

"The story leaked, catching the organisation on the back foot and making it appear remiss" Jason Kent

While NPD announced the breach on its website, the admission came many months after the first public reports of a compromised database. "We may never know when NPD became aware of this breach internally, but it would be hard to argue that they didn't have knowledge of the reports in April," says McGoldrick.

The NPD eventually notified those affected with assurances that the firm would "try to notify" victims if there were "further significant developments". This sounds "very non-committal," says Kent.

He points out that other organisations have stepped in to try and help - something you'd expect NPD to be doing itself. "Pentester, for example, set up a free database to allow people to determine if their data has been compromised."

NPD doesn't seem to have been prepared for a breach of this scale, either. It should have had an incident response plan that kicked in when the data leak occurred, including its communication strategy and an investigation to determine what happened, says Kent. "It's been able to identify all of the affected parties, which is to NPD's credit, but there's been very little detail on the incident itself."

5: Follow cybersecurity best practice

We say it a lot here at Assured Intelligence, but it's all too common to find firms aren't following cybersecurity best practices.

Luke Dash, CEO of ISMS.online, says that adopting best practice frameworks and standards such as ISO 27001 could be "highly beneficial" for companies looking to prevent a similar breach.

He advises firms to restrict access to web server directories and files to only those who need it. In addition, use the principle of 'least privilege', ensuring that only authorised personnel can upload, modify, or delete files on the web server.

Meanwhile, Dash says businesses should conduct regular manual and automated audits of all files and directories on the webserver to ensure that no sensitive documents are accidentally made publicly accessible.

Keeping up with patches for known vulnerabilities is "crucial", says Wood. At the same time, he advocates fostering a culture of cybersecurity awareness through regular training sessions to reduce the risk of human error.

Additionally, he says, firms must be prepared with an incident response plan that includes "clear communication strategies" and "swift actions for containment and recovery" in the event of a breach.

In summary

The NPD leak is one of the worst we've seen for a while, partly because of the sensitivity of the data exposed. It should go without saying, but in light of this incident, it's worth pointing out that if you deal with information like this, you must secure it properly.

In case of a breach, don't delay disclosure and communicate with affected individuals regularly. This will help limit the damage and avoid regulatory fines and lawsuits that can significantly impact your reputation.

Public link

Please use the above public link if you want to share this noodl on another website.