U.S. lawmakers, the U.S. Department of Justice (DOJ), and at least two state attorneys general are investigating the cyberattack on Florida-based National Public Data that exposed the personally identifiable information (PII) of millions of Americans and, some reports have suggested, possibly of Britons and Canadians, too.
Last week, Julio Casal, the chief intelligence officer for Constella, a provider of AI-powered identity risk intelligence services, said that based on his company’s analysis, 292 million individuals’ data was exposed, including the Social Security Numbers (SSNs) for 272 million. Casal said “this represents 60 percent of all historical SSNs issued by the Internal Revenue Service, marking the largest volume of SSN exposure on the dark web to date.”
However, Casal said, “the data comes from a poor collection operation from a mix of sources and includes many errors.” Nevertheless, he added, “even if only 51 percent of the SSNs exposed hold a minimal quality to be used in identity attacks, this translates to added risk to an unprecedented 138 million people.”
U.S. Representative James Comer, chairman of the House Committee on Oversight and Accountability, and Rep. Nancy Mace, chair of the committee’s Subcommittee on Cybersecurity, Information Technology, and Government Innovation, jointly announced that they are “investigating this matter” and intend to get to the bottom of what, exactly, happened, and how many individuals’ PII was stolen and put up for sale on the Dark Web for $3.5 million.
Meanwhile, the attorneys general of California and Missouri have launched probes, as has DOJ, more class action lawsuits have been filed, and the National Consumer Law Center (NCLC) is urging the Consumer Financial Protection Bureau (CFPB) to complete a proposed rule to regulate data brokers, a notion that’s gaining traction on Capitol Hill.
The breach was only made public when it was revealed in a proposed class action lawsuit against National Public Data that was filed August 1 in the U.S. District Court for the Southern District of Florida. Since then, there have been seven more proposed class action lawsuits filed in the U.S. District Court for the Southern District of Florida, all alleging that National Public Data “failed to properly secure and safeguard the PII that it collected and maintained as part of [its] regular business practices.”
National Public Data is a public records data broker that specializes in background checks and fraud prevention, using bulk data on people that it obtains from public record databases, court records, state and national databases and other data repositories. Its customers include “private investigators, consumer public records sites, human resources, and staffing agencies” who pay to “obtain criminal records” and “[conduct] background checks” through the company’s XML-API Gateway.
In an August 22 letter to the company’s president, an actor and retired sheriff’s deputy from Florida named Salvatore “Sal” Verini, Comer and Mace requested a briefing from Verini about the breach. “The Committee on Oversight and Accountability is investigating recent news reports about a possible cyberattack executed against National Public Data by a cybercriminal group identified as USDoD,” the lawmakers wrote, adding, “it is reported that the personal information of nearly 3 billion people were compromised, with the stolen data including information such as Social Security numbers, phone numbers, email addresses, and mailing addresses.”
“If true,” the two lawmakers said, then “this data breach likely represents one of the largest cyberattacks ever in terms of impacted individuals.”
Comer and Mace also expressed their displeasure that National Public Data “failed to inform victims about these potential data breaches in a timely manner.” They said the company’s “lack of transparency about the cyberattack is staggering in light of the alleged compromised information and potential harm to so many victims. It isn’t even clear whether the attack has impacted close to 3 billion records or individuals, as news reports have described it both ways.”
The two lawmakers said they expect Verini to tell them when the breach occurred, how it occurred, a description of the data that was stolen, and what actions National Public Data is taking to respond to the breach.
The company eventually confirmed via its website on August 12 that “there appears to have been a data security incident that may have involved … personal information. The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”
The company said it “conducted an investigation and [that] subsequent information has come to light … The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
National Public Data said it “cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify” those affected “if there are further significant developments applicable to [them]. We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems.”
However, in announcing an investigation by his office, Missouri Attorney General Andrew Bailey said he was only made aware of the breach following public reporting about it. He said “companies have a duty under the Missouri Merchandising Practices Act to safeguard Missourians’ personally identifiable information, and Missourians deserve to know whether their information is at risk. No stone will be left unturned in this investigation.” He added: “I am going to use every tool at my disposal to protect Missourians’ personal information.”
Bailey’s office previously undertook successful actions against Experian, T-Mobile, and cloud provider Blackbaud for failing to protect consumers’ private information.
California Attorney General Robert Andres Bonta also has indicated that his office may take action. Under California law, a business is required to notify any California resident whose unencrypted personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person. The law also requires that a “breach notice” be sent to affected California residents and to the California Attorney General. National Public Data has been listed on the attorney general’s website as a company from which a breach notice is required. The attorney general’s office posted the “sample breach notice” it says should have been used and sent to all affected parties. It’s not known, though, whether the company sent the notice.
A total of eight proposed class action lawsuits so far have been filed against National Public Data – the latest on August 21 – in U.S. District Court for the Southern District of Florida, and more are expected. If additional suits are filed in different jurisdictions, it’s possible that a motion will be filed with the U.S. Judicial Panel on Multidistrict Litigation to consolidate all the data breach lawsuits against the company. The role of the panel is to determine whether civil actions pending in different federal districts involve one or more common questions of fact such that the actions should be transferred to one federal district for coordinated or consolidated pretrial proceedings, and to select the judge or judges and court assigned to conduct such proceedings.
“The massive data breach at National Public Data demonstrates why the Consumer Financial Protection Bureau (CFPB) must proceed quickly with regulating data brokers under the Fair Credit Reporting Act (FCRA),” said Chi Chi Wu, senior attorney at the National Consumer Law Center (NCLC). “Data brokers hold massive amounts of personal information for millions of Americans, which can be weaponized against us when stolen.”
If National Public Data “is regularly selling background check data to employers, it should already be complying with the FCRA and the Safeguards Rule,” said Ariel Nelson, an NCLC staff attorney. “The CFPB’s proposal to regulate data brokers will put an end to companies that hedge and dodge coverage under the FCRA. It will ensure a level playing field for background check companies that do follow the law and also promote the security, privacy, and accuracy of our personal information.”
In March 2023, the CFPB announced it had “launched an inquiry into companies that track and collect information on people’s personal lives,” and issued a Request for Information. The bureau sought comments from the public to help it and policymakers “to understand the full scope and breadth of data brokers and their business practices, their impact on the daily lives of consumers, and whether they are all playing by the same rules.”
“Modern data surveillance practices have allowed companies to hover over our digital lives and monetize our most sensitive data,” CFPB Director Rohit Chopra said at the time, adding that the bureau’s “inquiry will inform whether rules under the Fair Credit Reporting Act reflect these market realities.”
The comment period ended June 13, 2023. More than 7,000 comments were submitted. CFPB hasn’t yet proposed a regulation, but the furor over the National Public Data breach could spur action, observers said. In February, Chopra said “the CFPB will propose rules to limit certain activities of data brokers, including those that sell personal data to those overseas.” He said in a statement that CFPB has been encouraged “to consider taking steps to protect Americans from data brokers that are illegally assembling and selling extremely sensitive data, including that of U.S. military personnel.” He noted that CFPB has authority under the Fair Credit Reporting Act to do so, since the act “covers entities that assemble and sell consumer data.”
Data brokers in the U.S. buy, aggregate, disclose, and sell billions of data elements on Americans with virtually no oversight and “little financial incentive to protect consumer data,” says the Electronic Privacy Information Center.
The proposed class action lawsuits allege that compromised PII held by National Public Data has been used “in identity theft and fraud and can in the future [be used to] commit a variety of crimes including opening new financial accounts in class members’ names, taking out loans in class members’ names, using class members’ information to obtain government benefits, filing fraudulent tax returns … obtaining driver’s licenses in class members’ names but with another person’s photograph, and giving false information to police during an arrest.”
The suits allege that every class member has “been exposed to a heightened and imminent risk of fraud and identity theft,” and “must now and in the future closely monitor their financial accounts to guard against identity theft.”
Security researcher Brian Krebs, writing in his blog, Krebs on Security, said a reader alerted him that a sister property of National Public Data – the background search service recordscheck.net – “was hosting an archive that included the usernames and password for the site’s administrator.” Krebs said “a review of that archive, which was available from the Records Check website until August 19, shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.”
“The exposed archive, which was named ‘members.zip,’ indicates Records Check users were all initially assigned the same six-character password and instructed to change it, but many did not,” Krebs wrote, adding that according to Constella Intelligence, “the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to National Public Data’s founder.”
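The two failure modes Krebs describes (plaintext credentials shipped inside a publicly downloadable source archive, and a shared initial password that many users never changed) are both things a defender can check for routinely. The following Python example is added here and is not from the article or from any company it names; the file set, user table and six-character default password it inspects are constructed stand-ins.

```python
import hashlib
import hmac
import re

# Constructed sample standing in for an unpacked source archive
# (hypothetical file contents, not any real site's code).
SAMPLE_ARCHIVE = {
    "config/db.php": "<?php\n$db_user = 'admin';\n$db_pass = 'Sup3rSecret!';\n",
    "lib/mail.php": "<?php\n$smtp_password = \"mailpass123\";\n",
    "public/index.php": "<?php\necho 'hello';\n",
    "README.txt": "Initial user password is set at signup.\n",
}

# A string literal assigned to a credential-like variable or key.
CRED_RE = re.compile(
    r"""(?i)(pass(word)?|passwd|pwd|secret|token|api_?key)\w*\s*[:=]\s*['"]([^'"]+)['"]"""
)

def find_plaintext_credentials(files):
    """Return (path, line_no, snippet) for every credential-looking literal.
    Run this over a build artifact before it is ever placed under a web root."""
    hits = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            if CRED_RE.search(line):
                hits.append((path, no, line.strip()))
    return hits

def hash_password(password, salt, rounds=100_000):
    """Salted PBKDF2-SHA256; the same scheme the user table below uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

# Constructed user table: (username, salt, stored hash). Two accounts still
# carry the shared initial password they were told to change.
INITIAL_PASSWORD = "Ab12cd"  # hypothetical six-character default, constructed
SALTS = {u: hashlib.sha256(u.encode()).digest()[:16] for u in ("alice", "bob", "carol")}
USERS = [
    ("alice", SALTS["alice"], hash_password(INITIAL_PASSWORD, SALTS["alice"])),
    ("bob", SALTS["bob"], hash_password("correct horse battery", SALTS["bob"])),
    ("carol", SALTS["carol"], hash_password(INITIAL_PASSWORD, SALTS["carol"])),
]

def users_still_on_default(users, default_password):
    """Names of accounts whose stored hash still matches the shared initial
    password; these should be forced through a reset at next login."""
    stale = []
    for name, salt, stored in users:
        if hmac.compare_digest(hash_password(default_password, salt), stored):
            stale.append(name)
    return stale
```

The credential scan is deliberately broad (it also flags committed tokens and API keys), so expect to review its hits rather than act on them blindly.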
Krebs said Verini told him in an email that “the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company’s website, and that the site is slated to cease operations ‘in the next week or so.’”
“Regarding the zip, it has been removed, but was an old version of the site with non-working code and passwords,” Verini told Krebs. “Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative.”
According to Krebs, the leaked recordscheck.net source code indicated that the website was created by a web development firm in Lahore, Pakistan called creationnext.com. The homepage for the company features a positive testimonial from Verini.
Source: Biometric Update
Anthony Kimery is the former Editor-in-Chief and co-founder of Homeland Security Today. He managed the magazine, daily online news operations and wrote the award-winning “Kimery Report,” which covered a broad spectrum of HS-related issues, from public health preparedness to intelligence collection. He has 30-plus years of broad institutional knowledge and expertise in homeland/national security matters and issues as an editor, analyst, and consultant. He also serves as Advisory Board Member of Mississippi College’s Center for Counterterrorism Studies.