A data breach leaked millions of people’s PII, including Social Security numbers, online.
An estimated 2.7 billion personal records were stolen from National Public Data (NPD), a Florida-based data broker company that collects and sells personal data for background checks. The database reportedly contained names, phone numbers, physical addresses and SSNs of people from the U.S., UK and Canada.
Partial copies of the data have been leaked in online marketplaces by various threat groups. As of Aug 6, a complete version is out on Breached, a hacking forum, reports Bleeping Computer.
Roughly 1.3 million Americans have been impacted, although claims that the SSNs of potentially everyone living in the U.S. were taken have gone viral. A class-action lawsuit has been filed against NPD.
The cybercriminal group named USDoD has claimed responsibility for the breach. The investigation is still underway, but there is speculation that there could be more to this than meets the eye. Brian Krebs, tech journalist, reported just days after the breach that a sister property of NPD had an archive of plaintext credentials of users and the site administrator on full display on its website. The .zip file has since been taken down, but it raises the question – how secure is our private data?
The incident has gathered widespread attention and alarm, but worryingly, it is not an isolated case. A string of data breaches has transpired over the past couple of years. According to the Identity Theft Resource Center (ITRC), data breaches have ticked up dramatically. A survey conducted by ITRC shows 1,571 reported cases of data compromise in H1 of 2024. That’s a 14% rise from the previous year. The number of individuals impacted by these breaches is estimated to be around 1.07 billion.
A similar case to NPD made headlines back in February. The U.S. debt collection agency Financial Business and Consumer Solutions (FBCS) suffered a massive data breach. Full names, physical addresses, SSNs, driver’s license numbers and other critical data of millions of people were leaked. According to FBCS’s latest supplemental notice, the number of impacted people is upwards of 4 million.
In April, AT&T reported a colossal data breach involving customer data. Once again, full datasets containing social security numbers and passcodes of users were stolen by bad actors and spilled online. This time too, the approximate number of people affected was in the millions.
“A social security number by itself is worthless,” says Tom Hollingsworth, former network engineer and lead of the Tech Field Day event series, while reporting the news on last week’s Gestalt IT Rundown. “It is just a sequence of 9-digit numbers.”
But strung together with names, email addresses and other vital credentials, it is critical information for identity theft.
“If those three things appear in different places and a broker like NPD puts them together, that’s problematic,” he says.
The organization that holds the data must safeguard it from exploitation and unauthorized access. However, poor cyber hygiene is a common problem across companies. 40% of organizations store sensitive data like passwords in Word documents in readable formats, according to a Vanson Bourne survey.
“If a company is storing their passwords in plain text anywhere, they don’t have the infrastructure to immediately go in and force a password change,” Hollingsworth states.
The recent incident is a testament to organizations’ flagrant disregard for data safety. Distressingly, it is not just small brokers that are guilty of storing data insecurely. Big companies like Facebook have come under fire for poor data protection practices.
Anytime information is stored in clear text, it is fully readable by anyone who accesses it, authorized or not. For employees, it makes data easily searchable, and the overhead of those searches is a lot cheaper for companies to maintain.
But the upshot is that it’s an easy win for fraudsters and hackers. Scraper bots that come into websites for illegal data harvesting can download any unprotected information without the admin’s knowledge.
“A lot of people don’t understand cyber hygiene that adept security researchers do. It’s not just that I don’t want my data in certain places. It’s that companies like NPD can aggregate that publicly accessible data and store it somewhere and protect them by putting all the passwords in a zip file.”
Embarrassing failures like this leave organizations wide open to attacks. And with colossal cases like this coming to light, it is clear that while confidence in security tooling has grown in leaps and bounds, the tools can only protect so much.
Awareness has still not reached many organizations. It is not uncommon for employees to abuse the system by storing passwords in vulnerable places, or worse, writing them down on sticky notes and leaving them anywhere.
Hollingsworth urges companies to do better. “If you’re going to collect data, you need to treat it like level 4 CDC quarantine virus. There should be no way for people to get into that data without so many protections that it’s almost untenable because then the only people who will be getting into it are the ones who deserve to see it.”