Alleged Data Breach of 2.9 Billion Records Sparks Media Hysteria and Legal Action Against National Public Data
Recent rumors of a massive data breach involving National Public Data (NPD), a prominent background-checking service, have set the media ablaze and sparked multiple lawsuits. Despite the widespread attention, the truth behind the alleged breach remains shrouded in uncertainty, with little concrete evidence to substantiate the claims.
Table of Contents
A Tweet That Ignited a Firestorm
The first whispers of a potential breach surfaced on April 8, 2024, when a user named HackManac posted on X (formerly Twitter) about a staggering 2.9 billion records allegedly exfiltrated from NPD's databases. According to the post, the data, which includes records from citizens of the United States, Canada, and the United Kingdom, was being offered for sale by a threat actor known as USDoD for $3.5 million. Despite the severity of the claim, the post was largely ignored by mainstream media, and NPD did not issue a response.
This initial post was followed by another on June 2, 2024, from vx-underground, a well-known cybersecurity community. They claimed to have reviewed a sample of the data and confirmed its authenticity. Yet again, the media and NPD remained silent.
The Legal Fallout as Class Action Lawsuits Begin
The situation took a dramatic turn on August 1, 2024, when Christopher Hofmann filed a class action lawsuit against NPD. Hofmann alleged that his personally identifiable information (PII) had been compromised in the breach, citing a notification from his identity theft protection service. This lawsuit, along with three others filed by purported victims, has yet to provide concrete proof linking the exfiltrated data directly to NPD.
The Hofmann lawsuit, which uses the vx-underground post as its primary piece of evidence, is riddled with inconsistencies. For instance, it initially attributes the breach to USDoD, but later corrections indicated that a different threat actor, known as SXUL, may have been responsible. Furthermore, the lawsuit inflates the number of records from 2.9 billion to "billions of individuals," a figure far exceeding the combined population of the US, Canada, and the UK.
A Possible Fishing Expedition?
Experts suggest that the lawsuit may be less about proving NPD's culpability and more about compelling the company to provide evidence of its innocence. In the US, courts can require defendants to disclose information that might prove or disprove the claims against them. This strategy, often referred to as a "fishing expedition," might be the primary goal of Hofmann's legal team.
Ilia Kolochenko, CEO of ImmuniWeb and a legal expert, noted that such tactics are more common in the US than in Europe, where the burden of proof typically lies with the plaintiff. If the court compels NPD to disclose information about the alleged breach, it could lead to significant consequences for the company.
The Bigger Picture and What We Know So Far
Despite the legal action and media frenzy, there is still no definitive proof that NPD was breached. The data being circulated may have originated from other sources or been compiled from public records, rather than being exfiltrated from NPD. Even reputable sources like Bleeping Computer, which reviewed samples of the leaked data, could not confirm that the information came from NPD.
Moreover, the alleged breach raises questions about the sheer volume of data reportedly stolen. Experts have expressed skepticism about the feasibility of exfiltrating 2.9 billion records without detection, especially given the sensitive nature of the information NPD handles.
The Uncertain Future: Awaiting the Truth
As of now, NPD has not commented on the alleged breach, nor has it made any official disclosures to regulatory bodies in the US, UK, or Canada. The truth behind the breach may only come to light if the courts demand a formal response from NPD.
In the meantime, the allegations have triggered widespread concern and speculation. Whether these claims will be substantiated or proven false remains to be seen, but the situation serves as a reminder of the potential risks associated with data breaches in today's digital age.
As we wait for more information, it's crucial to approach the situation with caution. While the possibility of a breach at NPD cannot be ruled out, the lack of concrete evidence means that the truth may be more complex than the headlines suggest.