National Public Data tells officials 'only' 1.3M people affected by intrusion

The data broker at the center of what may become one of the more significant breaches of the year is telling officials that just 1.3 million people were affected.

In any normal scenario, the news of a leak affecting 1.3 million people would be staggering, but this one is an oddity since many investigators previously put the number far, far higher in recent weeks.

Florida-based National Public Data (NPD) confirmed the number of affected individuals on Friday via a filing with Maine's attorney general. Said filings require organizations to list the total number of affected individuals and separately the number affected in Maine alone.

The US state of Maine just so happens to have close to 1.4 million people living in it.

The digital break-in, NPD said, took place in December 2023 but it acknowledged that leaks of this data started in April this year, continuing throughout the summer.

Those leaks came at the hands of a criminal who uses the moniker USDoD; the info was originally swiped by someone going by the handle SXUL. USDoD was passed the info and began selling the stolen database, which allegedly comprised of 2.9 billion lines of data, supposedly concerning US, Canadian, and British citizens, for $3.5 million in April.

Troy Hunt, venerable infosec expert and maintainer of HaveIBeenPwned, looked into the database and found 134 million unique email addresses. So, unless every one of the 1.3 million affected people had 100 email addresses, which is pretty unlikely, there is a chance that more people are affected than what NPD told Maine's AG.

The situation doesn't come without precedent either. It's not uncommon for organizations disclosing data breaches with US state officials to update those filings down the line as investigations into potentially compromised data continue.

It happened with Financial Business and Consumer Solutions (FBCS) in June, when it updated its notification to reflect the much larger scope. After previously disclosing that 2 million people were affected, it later upped this to 3.2 million.

"There appears to have been a data security incident that may have involved some of your personal information," letters from NPD to affected individuals read. "The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. We conducted an investigation and subsequent information has come to light. 

"The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).

"We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you. We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems."

The same wording was used in a breach disclosure webpage that NPD stood up last week, which has reignited interest in the incident. The page didn't, however, state the number of affected individuals like the filing with Maine's AG.

In addition to the 134 million unique email addresses, Hunt also discovered that criminal record data appeared to be included. 70 million of them, in fact – something NPD didn't include in its disclosure letters.

Atlas Data Privacy, a business that offers clients a service that removes their data from data brokerages like NPD, also found 272 million unique social security numbers littered among the vast trove of data.

It was discovered that these services do indeed work, since no one who registered for them had their data mixed up in the leak, and that a decent portion of the data concerns people who are no longer alive. Millions of records belonging to people who would be older than 120 years featured, for example, with the average age of affected individuals standing at 80. ®

PS: Infosec watcher Brian Krebs has some more info about a background-checking website, recordscheck.net, linked to NPD and its founder, and how the site had a .zip archive on it containing "the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages." The dot-net site is supposed to be shutting down.