The 2024 National Public Data Breach
No doubt, many are aware of the massive National Public Data (NPD) breach, which became nationwide news in September 2024. This article will explore the nature of the NPD breach, how it happened, and what comes next.
The Breach
In April, a cybercriminal known as USDoD began selling data stolen from the data broker NPD. Then, in July, a leak of 2.9 billion records exposed the names, addresses, phone numbers, and emails of over 272 million people, many of whom are deceased. NPD confirmed the breach on August 12, 2024, tracing it back to a security incident in December 2023. USDoD supported this assertion and later reported on a hacking forum that someone else was responsible for the July 2024 leak, alleging the database had been available on underground forums and had changed hands several times since December 2023.
USDoD’s previous targets include the FBI InfraGard portal, TransUnion, Airbus, and several others. This breach may make USDoD the most infamous of cybercriminals, but they are not the main villain in this story.
In the opaque world of data brokers, it is not clear what sources their data comes from or how they associate what they collect with actual people; NPD is no different. Most of the victims of NPD likely had no idea that the company held their data in the first place. However, given the jarring lack of oversight in the industry, NPD and other companies like it don’t need the victims’ permission to host and sell their data.
How It Happened
While no individual has come forward to claim responsibility for the breach, it turns out that it could have been almost anyone. An investigation by KrebsOnSecurity revealed that a sister website to NPD named RecordsCheck.net hosted an archive file titled “Members.zip,” which contained credentials for the website’s administrator stored in plaintext, as well as source code for the website. Since the login pages for NPD and RecordsCheck.net are nearly identical, many believe that the similarities between the websites (including default administrator passwords) allowed attackers into NPD systems. There is one more jaw-dropping detail – the Members.zip archive was hosted on a publicly accessible part of the RecordsCheck.net website and was available as late as August 19, 2024.
NPD has not confirmed that this was the ultimate source of unauthorized access. However, in August, the website’s founder, Salvatore Verini, stated that RecordsCheck.net is going to be shut down.
While everyone waits for a flurry of investigations by several law enforcement agencies to conclude, it is important to note that most of the burden of mitigation rests squarely on the shoulders of the victim. According to a website set up in response to the breach, NPD is no longer selling any personal information through their services – a small comfort given their data is now available to everyone. In an ironic statement from the site, NPD offers the following to those affected:
“We strongly advise you to take preventive measures to help prevent and detect any misuse of your information.”
Preventative Measures and Next Steps
In the long parade of major data breaches, everyone is reminded time and again that strong IT security begins with the basics. In this case, the Members.zip file with admin credentials could have been inconsequential had NPD and RecordsCheck.net performed basic hygiene with strong password requirements and avoided repetitive or reused default passwords. The details available about this breach indicate a catastrophic failure or absence of controls and situational awareness.
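A defender-side audit for the failure described above (an archive holding plaintext credentials in a publicly served directory), as an added example that is not from NPD, KrebsOnSecurity or this article's author. The key-name patterns, the size limit and the sample web root built in demo() are assumptions constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed heuristic: key names that commonly hold secrets in config or source files.
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key)\b\s*[:=]\s*['\"]?[^\s'\";]+")
MAX_MEMBER_BYTES = 5_000_000  # assumed cap so huge members are skipped, not loaded

def scan_archive(path):
    """Return (member, key_name) pairs for credential-like assignments in a zip.
    Only the key name is reported, so the audit output never repeats the secret."""
    hits = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            text = zf.read(info).decode("utf-8", errors="ignore")
            for match in SECRET_RE.finditer(text):
                hits.append((info.filename, match.group(1).lower()))
    return hits

def audit_webroot(webroot):
    """Map every .zip under the served directory to the findings inside it.
    An archive in the web root is itself a finding, even with no hits."""
    report = {}
    for p in sorted(Path(webroot).rglob("*")):
        if p.is_file() and p.suffix.lower() == ".zip":
            name = str(p.relative_to(webroot))
            try:
                report[name] = scan_archive(p)
            except zipfile.BadZipFile:
                report[name] = [("<unreadable archive>", "")]
    return report

def demo():
    """Build a constructed web root containing one archive, then audit it."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root) / "public"
        site.mkdir()
        (site / "index.html").write_text("<h1>ok</h1>")
        with zipfile.ZipFile(site / "backup.zip", "w") as zf:
            zf.writestr("config.php", "$db_user = 'admin';\n$password = 'EXAMPLE-ONLY';\n")
            zf.writestr("readme.txt", "nothing sensitive here\n")
        return audit_webroot(site)

if __name__ == "__main__":
    for archive, hits in demo().items():
        print(archive, hits)
```

Run against your own document root on a schedule or in CI; any archive it lists should be moved out of the served path, and any credential it flags should be rotated.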
If anyone’s personal information has been exposed as a result of this or any other data breach, a good resource outlining actions to take can be found in this article offered by Experian, who unfortunately has also been a target of data thieves in the past.
About the Author
Mike joined McKonly & Asbury in 2022 and is currently a Senior Consultant with the firm. He is a member of the firm’s Internal Audit Segment, servicing clients in government and commercial segments.