US: Social Security numbers stolen from data broker
Hackers have stolen personal data that was collected and stored by the US data broker National Public Data. The data includes the addresses and Social Security numbers of US citizens. The company has confirmed the breach.
National Public Data (NPD) is a company headquartered in Florida that conducts background checks. Its clients include employers seeking to investigate potential new hires.
Cliff Steinhauer at the National Cybersecurity Alliance told CBS news that companies like NPD are able to collect and sell data “because there’s no national privacy law in the US” to prohibit them from doing so.
Personal data
As NPD has now admitted in a post on its website, a “third-party bad actor” is believed to have stolen data held by the company in “April 2024 and summer 2024.” The company “cooperated with law enforcement and government investigators” and has since “implemented additional security measures.” NPD believes the stolen data to include names, mailing and email addresses, telephone numbers and Social Security numbers.
Social Security numbers are particularly sensitive pieces of information because they can be used as proof of identity – criminals can use stolen Social Security numbers to commit identity theft. The Social Security Administration warns that each year millions of US citizens are victims of identity theft. Criminals can also use Social Security numbers to find out more about potential victims.
So far it is unclear exactly how many people were affected by the data breach. In the post on its website announcing the breach, NPD gives no indication of the scale of the theft – but promises to “try to notify” those affected.
In a data breach notification submitted to the Maine attorney general’s office, the company claims that 1.3 million people were affected. According to media reports, the data of Canadian and British citizens was also included in the leak.
As the cybersecurity site Bleeping Computer reports, hackers first attempted to sell the stolen data in April. They claimed to be selling 2.9 billion records. As the site notes, multiple records may pertain to the same person – thus the number of individuals impacted is likely lower than 2.9 billion.
This month a class action lawsuit was filed against NPD for “its failure to properly secure and safeguard” the data.
Another SSN leak
US media are also reporting on a leak at the flight tracking company FlightAware, which according to its website “operates the world’s largest flight tracking and data platform.”
In a notice submitted to the California attorney general’s office, the company wrote that in July it discovered a “configuration error” that “may have inadvertently exposed” user data, including customers’ names and addresses. In some cases Social Security numbers may have been among the data left unprotected and accessible on the internet. The problem dates back to January 2021.
It is not known how many of FlightAware’s roughly 12 million registered users were affected. Also unclear is whether the data was accessed by unauthorized actors. (js)