Unconfirmed Hack of 2.9 Billion Records at National Public Data Sparks Media Frenzy Amid Lawsuits


National Public Data (NPD) was supposedly hacked at some unspecified date. At the time of writing this, there is little to no verifiable proof of this, despite all the recent articles appearing in the media. NPD is a background checking service used by businesses to obtain criminal records and run employee background checks, which the company says can all be done via XML integration.

What little is known starts on X. 

On April 8, 2024, HackManac posted information about 2.9 billion records of US, Canada and UK citizens (a 4 terabytes database) exfiltrated from National Public Data being offered for sale by USDoD at $3.5 million.

“The threat actor USDoD claims to be selling a 4 TB database containing 2.9 billion rows apparently exfiltrated from National Public Data, a public records data provider specializing in background checks and fraud prevention.”

The media largely ignored this post. NPD did not respond.

On June 2, 2024, vx-underground posted “Last week we were informed USDoD intends on leaking the database. We requested a copy in advance to confirm the validity of the data.” It added, “We reviewed the massive file – 277.1GB uncompressed, and can confirm the data present in it is real and accurate.”

The media largely ignored this post. NPD did not respond.

On August 1, 2024, Christopher Hofmann (plaintiff) lodged a class action complaint against Jerico Pictures Inc d/b/a National Public Data (defendant) “for its failure to properly secure and safeguard the personally identifiable information that it collected and maintained… Plaintiff Hofmann received a notification from his identity theft protection service provider notifying him that his PII was compromised as a direct result of the “nationalpublicdata.com” breach…”


The media exploded. NPD did not respond. But here, at least and at last, was a direct and easily accessible accusation linking specific exfiltrated data to an NPD breach.

In fact, the class action document adds little or nothing to the story so far. Hofmann was informed that his PII was found by a third party on the dark web (what PII is not specified) and linked to the alleged NPD breach (but how this linkage was made is not specified).

The document uses the vx-underground X post as the primary evidence of a breach but includes numerous errors. The alleged criminal actor is named as USDoD, even though vx-underground subsequently (on the same day as its primary post), added: “Correction: USDoD was a broker and/or middleman for the initial posting. We were instructed to explicitly state that credit for the compromise is to be given to an individual operating under the moniker ‘SXUL’.”

Furthermore, the original claim of “2.9 billion records of US, Canada and UK citizens” has morphed into “billions of individuals” (the total population of the US, Canada, and the UK is less than 500 million individuals).

If this case were brought in this manner to European courts, it would – to put it mildly – go nowhere. But that’s not necessarily so in the US. A fundamental difference between US and European law is that Europe tends to require proof from the plaintiff (which does not exist in this document), while US courts can require evidence from the defendant to confirm or debunk the claim. And that may be the primary purpose of this class action.

Ilia Kolochenko, who combines technical knowledge as CEO of ImmuniWeb, with legal knowledge as a partner at Platt Law LLP, explains: “In the US, the court may compel disclosure of certain information. In the UK, you can ask, but the court will unlikely compel production of data. In the US, you may be compelled to produce certain data – and if you don’t, you will be in contempt of court. You could be fined and criminally prosecuted, and even get a default judgment against you. My guess is this is the starting point, where the plaintiff is also unsure about what happened, and he’s trying to see what can be obtained from the allegedly breached opponent in court.”

In that sense, it is quite possible that the purpose of the Hofmann action is not to immediately prove NPD culpability, but to sufficiently cause the court to demand proof of non-culpability from NPD. It could be a fishing exercise. Either way, as things stand at the point of writing, there is no proof that NPD had almost three billion PII records stolen.

It is also worth noting that NPD will be in serious difficulty if it turns out that the breach allegations are accurate. The US, the UK and Canada all have breach disclosure laws, and it doesn’t seem as if NPD has made any such disclosure. For example, SecurityWeek asked the UK’s data privacy regulator (the ICO) to comment. In the UK, organizations are required to notify the ICO within 72 hours of becoming aware of a (significant) personal data breach. An ICO spokesperson told SecurityWeek: “We have not received a breach report on this matter and are not currently investigating.”

At the time of writing, we are aware of three other lawsuits filed by other purported victims. All these lawsuits may eventually be consolidated into a single class action.

It is worth noting that the two actors mentioned in the reports are not widely known. Neither is included in the MITRE ATT&CK database of threat actor groups. SXUL has no entries in Malpedia, while USDoD has a single reference. That reference is interesting: a report by SOCRadar links the actor to numerous similar hack-and-leak operations (including NATO, Airbus, Metropolitan Club of the City of Washington, and LinkedIn).

On April 22, 2024, the SOCRadar report was updated with a new USDoD announcement: “I’m not a group, I’m not a gang, I’m an only one-man army. I started with this, and I will finish it. This is the end.”

This doesn’t mean that this is the last we will see of the actor first known as NetSec and latterly known as USDoD. However, it is clear that he has a track record of breach-and-leak operations similar to the purported attack on NPD – and that if it occurred, it occurred prior to his retirement.

So, what do we know about the alleged hack of NPD? Frankly, at the time of writing, nothing. This could change at a moment’s notice if NPD discloses the breach. So far it has not. Nor did it acknowledge or respond to SecurityWeek’s request for comment. In the longer term, we could get irrefutable knowledge if the multiple lawsuits persuade the courts to demand information from NPD.

Supporting the allegation is knowledge that such an attack is directly in the wheelhouse of the actor USDoD – which may explain why much of the media and the Hofmann complaint all ascribed the alleged breach to him rather than the named actor SXUL (of whom nothing seems to be known).

Furthermore, samples of the supposed leak have been examined by reputable sources such as Bleeping Computer: “While BleepingComputer can’t confirm if this leak contains the data for every person in the US, numerous people have confirmed to us that it included their and family members’ legitimate information, including those who are deceased.”

Bleeping also noted that a separate actor known as Fenice announced the full leak (277GB, with the download URL) was available on August 6, 2024. Christopher Hofmann lodged his class action claim on August 1, 2024.

But there is still no proof. And if we go back to the original source (HackManac), we have the following comment: “Given the massive amount of data, the likelihood that this claim is inflated, and that the data are scraped from public sources is high.”

This is ambiguous. The possibility of inflation is clear, but is the scraping reference aimed at NPD or SXUL/USDoD? Is it, in fact, suggesting that the NPD data could be partly or wholly compiled from outside of NPD by scraping and combining other sources, including data dumps that have already been leaked?

Caution because of the size of the exfiltration is not limited to HackManac. Wearing his technical hat, Kolochenko comments, “I have difficulty imagining that it is technically possible to steal 3 billion records. That’s a massive database. And such databases will usually include scans, PDFs, links, copies of judgments and so on rather than simple line records. It’s not something that can be done in 24 hours – and this was done without NPD noticing. On top of that, there have been no known personal victims until the leak was announced,” which is at the very least almost five months after the breach.

Kolochenko is also surprised at the data being dumped. From his own experience (for example, in obtaining a license to practice law in the US), the data provided by NPD would likely include legal details down to parking tickets, civil family disputes, credit histories, and health conditions such as PTSD or AIDS. “It’s not just about criminal convictions – it’s everything,” he said. And yet there is nothing of this nature in the data being leaked.

So, what do we have? NPD may have been breached, but there is no actual proof of this. There has been a massive data dump, but we have not been given proof that the data comes from NPD (it does not include any of the really sensitive data you would expect from NPD). The Hofmann lawsuit uses an X post to tie personal data to NPD, and at the same time makes several factual misreadings of that post. NPD has, at least so far, made no comment on, nor as far as we know, made any disclosure of, a breach.

And yet, the accusation has been made. We possibly won’t know the truth until or unless the courts require NPD to make a formal on-the-record statement. At that point, my current suggestion to treat this breach news with caution could suddenly turn to egg on my face.
