The company whose data breach potentially exposed every American’s Social Security number to identity thieves finally has acknowledged the data theft — and said hackers obtained even more sensitive information than previously reported.
National Public Data, a Florida-based company that collects personal information for background checks, posted a “Security Incident” notice on its site to report “potential leaks of certain data in April 2024 and summer 2024.” The company said the breach appeared to involve a third party “that was trying to hack into data in late December 2023.”
According to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Fla., the hacking group USDoD claimed in April to have stolen personal records of 2.9 billion people from National Public Data. Posting in a forum popular among hackers, the group offered to sell the data — which included records from the United States, Canada and the United Kingdom — for $3.5 million, a cybersecurity expert said in a post on X.
Last week, a purported member of USDoD identified only as Felice told the hacking forum that they were offering “the full NPD database,” according to a screenshot taken by BleepingComputer. The information consists of about 2.7 billion records, each of which includes a person’s full name, address, date of birth, Social Security number and phone number, along with alternate names and birth dates, Felice claimed.