Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.
What just happened? A colossal data breach has surfaced, revealing nearly 2.7 billion personal information records purportedly encompassing every individual in Canada, the United Kingdom, and the United States. This breach stands out due to the vast amount of data exposed, potentially marking it as one of the largest in history.
We may be facing one of the largest data-breach incidents in history, yet there is still much we don't know, including the actual number of individuals impacted. As we grapple with the implications, this situation is as good a time as any to take a hard look at data collection practices, particularly the unauthorized scraping of information from non-public sources. Ultimately, though, this event underscores how difficult it can be for people to protect their personal information in an increasingly digital world.
The compromised data includes sensitive information such as names, addresses, and Social Security numbers, reportedly sourced from a company that collects and sells data for legitimate purposes.
The data is believed to have been stolen from National Public Data (NPD), a background check company operating under Jerico Pictures Inc. NPD gathers information from public records to sell for background checks and related services. However, a lawsuit has been filed, alleging that NPD also scraped data from non-public sources without obtaining consent from individuals.
The lawsuit also alleges that NPD violated fiduciary responsibilities and gained unjust benefits, among other offenses. So far, NPD has not officially confirmed the breach or detailed how it happened.
Initially, a hacker known as USDoD claimed responsibility for the data theft, attempting to sell the information for $3.5 million. USDoD has been previously linked to other breaches, including an attempt to sell InfraGard's user database for $50,000 in December 2023.
The situation took a new turn on August 6, when a user named Fenice posted what is believed to be the most complete version of the stolen data for free on a hacking forum, attributing the breach to another hacker, SXUL.
In response to the breach, a class action lawsuit was filed in Florida against NPD. It references VX-Underground, a cybersecurity educational website, which reported that USDoD listed the database for sale, claiming it contained 2.9 billion records. VX-Underground verified the data as real and accurate after receiving an advanced copy of the database – a massive 277.1GB file.
Despite these claims of verification, the breach involves a database allegedly containing information on more than 2.9 billion people, raising questions due to discrepancies in population data. The US population is well below 1 billion, and the global population is around 8.07 billion, leading to uncertainty about the actual number of individuals affected by the breach.
Verification efforts have also faced challenges. So for it remains unknown whether the leak contains data for every US citizen. While some individuals confirmed their details were included, issues such as incorrect Social Security numbers and outdated address data suggest the information might originate from an old backup.
Additionally, many individuals have multiple records, one for each address they have lived at, complicating the assessment of the breach's true impact.
In light of the breach, individuals are advised to monitor their credit reports for fraudulent activity and remain vigilant against phishing attempts via email and SMS. The leak includes email addresses and phone numbers, heightening the risk of targeted attacks.