Com TW NOw News 2024

National public data confirms large-scale breach

Data collector National Public Data (NPD) has finally confirmed a breach that exposed the personal identifying information of potentially hundreds of millions of consumers in the US, UK and Canada.

While providing few details, the Coral Springs, Florida-based company acknowledged what numerous others have reported in recent days: a “third party threat actor” gained access to data from NPD databases sometime in April 2024. The company described the data the threat actor accessed as full names, email addresses, phone numbers, Social Security numbers and mailing addresses of an unknown number of people.

Real and accurate data

NPD’s advisory contained the usual boilerplate language about the company taking steps to protect itself from a similar incident, but left it entirely up to victims to protect themselves from identity theft and other fraud stemming from the breach. NPD is a data aggregator that says companies, private investigators, human resources departments and staffing agencies use its data for background checks, to obtain criminal records and for other purposes.

News of the breach has been circulating since April, when Dark Web Intelligence posted on X about “USDoD,” a hacker with a reputation for previous data breaches, who had obtained an NPD database containing approximately 200 gigabytes of personal information on residents of the US, UK, and Canada. The threat actor claimed that the NPD database contained approximately 2.9 billion rows of records. Many have mistakenly reported that row count as the number of victims; the figure is better understood as what makes this one of the largest breaches of private data ever.

VX-underground, a community focused on malware and cybercrime, assessed the dataset and deemed the leaked data “real and accurate”; it included first name, last name, Social Security number, current address, and addresses of individuals going back more than 30 years. “It also allowed us to find their parents and immediate siblings,” VX-underground said. “We were able to identify someone’s parents, deceased relatives, uncles, aunts, and cousins.”

In addition, the NPD database contains information on deceased persons, some of whom have been deceased for more than 20 years.

Troy Hunt, who runs the site “Have I Been Pwned,” reported that there were 134 million unique email addresses and millions of rows of criminal records. He judged the massive dataset to be a kludge of useful data (for criminals) and useless, incorrect and redundant data that NPD appears to have built by scraping publicly available data from numerous — and now untraceable — sources.

Need to stop using SSNs for ID verification

The massive breach has revived the familiar concerns about the need for organizations to implement stronger controls to protect the data that consumers entrust to them. Research published by Apple last year found that as many as 2.5 billion consumer records were compromised in data breaches in 2021 and 2022.

But it has also brought to the surface a long-standing sentiment among many: organizations, government agencies and others should stop using Social Security numbers (SSNs) as the primary identifier for virtually all transactions.

“NPD should have done a lot of things better, but there’s one thing we can be blamed for: it’s high time to get rid of SSN,” said Ambuj Kumar, CEO of Simbian. Replacing SSN with a digital ID similar to what’s used in cryptography and in technology like Apple Wallet is relatively simple and straightforward, he said.

“The barriers are purely psychological and slow,” Kumar said. “Think of a digital ID as a government-issued credit card number that is known only to the government and the individual,” he noted. “When you apply for a mortgage, for example, a token is generated from the original number and this new number is shared with the bank. If the bank is breached, the original number is still safe because only the bank has seen the token.”
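As an added illustration of the per-relying-party token scheme Kumar describes (example code written for this article, not code from Simbian or any government system), the sketch below derives a bank-specific token from the original number with a keyed hash. The issuer key, the HMAC-SHA256 construction and the sample identifier are assumptions; the identifier is a constructed value, not real data.

```python
import hmac
import hashlib

# Assumption: a secret held only by the issuing authority (constructed sample value).
ISSUER_KEY = b"constructed-issuer-secret-never-shared-with-banks"

# Constructed sample identifier in SSN format; not a real number.
SAMPLE_ID = "000-12-3456"


def derive_token(issuer_key: bytes, national_id: str, relying_party: str) -> str:
    """Derive the token a relying party (e.g. a bank) receives instead of the ID.

    The token is HMAC-SHA256 over (relying_party, national_id) under the issuer's
    key. Because the key never leaves the issuer, a relying party that is breached
    leaks only tokens, and the same person gets unrelated tokens at different
    relying parties, so leaked token stores cannot be joined on the identifier.
    A plain unkeyed hash would NOT give this property: the SSN space is only ~10^9
    values and could be enumerated and matched against leaked hashes.
    """
    msg = relying_party.encode() + b"\x00" + national_id.encode()
    return hmac.new(issuer_key, msg, hashlib.sha256).hexdigest()


def verify_token(issuer_key: bytes, national_id: str, relying_party: str, token: str) -> bool:
    """Issuer-side check that a presented token belongs to this person at this party."""
    expected = derive_token(issuer_key, national_id, relying_party)
    return hmac.compare_digest(expected, token)


def tokens_unlinkable(issuer_key: bytes, national_id: str, party_a: str, party_b: str) -> bool:
    """True when two relying parties hold different tokens for the same person."""
    return derive_token(issuer_key, national_id, party_a) != derive_token(issuer_key, national_id, party_b)


if __name__ == "__main__":
    mortgage_token = derive_token(ISSUER_KEY, SAMPLE_ID, "bank-a")
    print("bank-a stores only:", mortgage_token)
    print("unlinkable across banks:", tokens_unlinkable(ISSUER_KEY, SAMPLE_ID, "bank-a", "bank-b"))
    print("issuer can verify:", verify_token(ISSUER_KEY, SAMPLE_ID, "bank-a", mortgage_token))
```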

A limit to what consumers can do?

The breach has also highlighted the limits of what consumers can do to protect their data. Chris Deibler, vice president of security at DataGrail, says none of the usual recommendations — such as using password managers, adding multi-factor authentication and paying attention to account resets — would have helped in the NPD breach. The real effort now needs to come at the corporate and regulatory level, and more efforts should be made to discourage mass data aggregation.

“Companies don’t respond to the same stimuli as individuals, so advocating for better education and letting the moral arc of the universe do its work probably isn’t enough,” Deibler notes. “You need levers that actually change the conversation about data collection and risk management at the board level. In that context, companies are responding to specific liabilities — reputational, civil, criminal, existential.”

He argues that injured parties in a data breach should have specific, legally defined compensation available to them that goes far beyond one year of free credit monitoring. Likewise, executives at companies who knowingly compromise customer data should be criminally liable for a data breach. “In the most egregious circumstances, if you mess with customer data badly, you shouldn’t be allowed to do it again, either at the corporate or individual level.”