An alleged hack at data broker National Public Data (NPD) made headlines this week for potentially exposing billions of social security numbers. Real leak or hysteria?
A class-action lawsuit has sparked a viral but unsubstantiated claim that the Social Security numbers of all U.S. citizens were leaked in a data breach this year. The lawsuit was filed against a data broker called National Public Data (NPD), which is part of a shady collection of companies that quietly collect, buy, trade and sell people’s personal information, usually without their knowledge. The information is often sold to marketers or used to conduct background checks.
The lawsuit accuses the company of acquiring the plaintiffs’ personal data without their knowledge or permission – a common practice among data brokers – and of failing to protect it from hackers.
Experts examine the leaked data
The data in question surfaced on hacker forums in April and contains millions of lines, some of which are said to be real names and Social Security numbers. It is still unclear how much of the data is genuine and whether all of it was really obtained by breaching a company rather than by scraping publicly available sources.
Security expert Troy Hunt explains the background to this incident in his blog. Hunt writes that a data breach is usually easy to explain: someone gains unauthorized access to a service that people have entrusted with their information, and a clearly delineated collection of data is published that can be traced back to that source.
In the case of NPD, however, the victim is a data broker most people have never heard of, and the hacker has published various partial data sets that cannot be clearly attributed to a source. On top of that, the company is already the subject of a class-action lawsuit.
Confusing jumble of data
Troy Hunt describes in his blog the confusing mess of the data collection, some of which appears to be inaccurate and much of which is missing. The data did contain Hunt’s email address, but it was linked to the wrong name, and two birthdays were assigned to it that were far removed from his actual birthday. Such inaccuracies make it harder for anyone to pick out the accurate records about a given person and misuse them.
Hunt offers two plausible explanations for the incident, while stressing that both are guesses:
- This incident has gotten a lot of press due to the previous confirmed thefts of Social Security numbers (SSNs), and the subsequent partial dumps are riding on the hysteria of the security breach.
- NPD skimmed a bunch of publicly circulating data to enrich their offering, and it was intercepted along with the originally released SSN data.
However, both are pure speculation, and the only ones who know the truth are the anonymous threat actors passing the data around and the data broker NPD itself, so we can’t expect any reliable clarification any time soon.
Instead, we are left with 134 million email addresses in public circulation whose origin and responsibility are unclear. Using the “Have I Been Pwned” database, you can check whether your own identity has been compromised in various security breaches. The email addresses from the data set described here have also been added to the database. Troy Hunt is a Microsoft Regional Director & MVP in Australia and the operator of “Have I Been Pwned”.