Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Nearly 3bn compromised in hack on US background-checking firm

A lawsuit has revealed the details of a massive data breach impacting 2.9 billion individuals.

user icon David Hollingworth
Mon, 12 Aug 2024
Nearly 3bn compromised in hack on US background-checking firm
expand image

Back in April, an infamous and sadly industrious threat actor by the name of USDoD offered the personal data of nearly 3 billion people for sale.

At the time, the alleged data breach of background-checking firm National Public Data didn’t grab much attention, but it’s in the headlines now following the filing of a lawsuit against the firm for failing to protect the data the company had in its possession.

The issue with the data was that it was scraped from other websites and “non-public sources” without the knowledge of the people whose data was being collected. The lead plaintiff in the lawsuit, a California man, was only made aware his data had been compromised when he was contacted by his identity-theft protection agency on 24 July, months after the data had been offered for sale on a popular clear web hacking forum.

============
============

While the initial post is no longer live – the forum in question had been seized by the FBI in the interim – the details of USDoD’s claims are still recorded by threat-tracking service Falcon Feeds.

“Hello… I’m proud to say that I got access to the biggest database ever,” USDoD said in a 7 April post.

“This is the entire population of the USA.”

The data for sale, according to USDoD, was collected between 2019 and 2024, and while we do now know the full extent of the breach, at the time, the threat actor only said that the data consisted of “300+ million rows”.

“I’m selling the whole database,” USDoD said. “We will use official middleman from forum.”

The asking price for the dataset was US$3.5 million. The data was later confirmed to include full names, addresses and three or more decades of historical address data, Social Security numbers, and the details of parents, siblings, and other relatives.

The lawsuit alleges that National Public Data not only failed in its duty of care for the data but also failed to notify the persons impacted by the breach.

Anurag Lal, CEO of secure communications platform NetSfere, said that while modern data handling can be a net positive, breaches such as this one show that more work needs to be done.

“There have been so many great innovations that have made wireless communication easy-to-use in all aspects of life – whether that’s handling banking and financial matters, managing healthcare needs virtually, working in a digital environment or leisurely communicating with friends and family,” Lal told Cyber Daily.

“However, as the world becomes more digitised and mobile, hackers and cyber criminals grow in sophistication, putting people at risk of losing their private, sensitive information everyday.”

Lal added that it’s a reminder to protect and secure your personal data.

“In 2024, it’s not a matter of ‘if’ a cyber attack will impact you; it’s a matter of ‘when,’ so it is best to be proactive and take the necessary steps to secure your personal information first,” he said.

USDoD has a history of high-profile data breaches. In September of 2023, USDoD claimed to have hacked Airbus, while in May 2024, the threat actor offered a US criminal database containing 70 million sets of records. The threat actor was first observed in December 2022.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.