A viral but unsubstantiated claim that nearly every American had their social security number (SSN) leaked in a massive data breach spread like wildfire this week, stemming from the alleged hack of a background check company called National Public Data. While people should understandably be concerned about identity theft, the scope of the danger may not be as bad as it seems, experts say.
The leaked information was originally put up for sale for US$3.5 million on the dark web in April. It was posted by a threat actor called “USDoD,” who claimed to have the personal information of “the entire population of” the U.S., Canada and the U.K.
The trove allegedly has 2.9 billion rows of data including full names, home addresses, phone numbers and SSNs — though this doesn’t necessarily mean it contains the information of 2.9 billion people. Moreover, Canadians don’t have SSNs; our equivalent would be social insurance numbers. People in the U.K. have national insurance numbers.
At the time, news of the data breach was only picked up by outlets reporting on the dark web and cybersecurity. That all changed when a man from California filed a class-action lawsuit against National Public Data on Aug. 1 and a threat actor known as “Fenice” posted the entire stolen database online for free on Aug. 6.
On Tuesday, National Public Data acknowledged the breach and said “potential leaks of certain data” occurred in April 2024 and summer 2024. The company says it is co-operating with law enforcement and government investigators. National Public Data is a data aggregator that compiles personal information for background checks and marketing services.
With the alleged stolen data now freely available, more and more cybersecurity experts have analyzed it and are raising questions about its legitimacy. While some of the information in the trove appears to be correct, there also appears to be a lot of duplicated, incomplete and incorrect data. Some experts wonder if the data includes any new personal information at all, suggesting that it could have been compiled from publicly available sources or previous data breaches.
James E. Lee, the chief operating officer of the Identity Theft Resource Center, told Global News he doesn’t believe any of the data is new because National Public Data itself scrapes publicly available information from the internet and doesn’t collect data directly from people. Because of this, a lot of the information may be old or inaccurate, he added.
When asked if people should be concerned about identity fraud because of the hack, Lee said: “The reality is, the risk level did not go up because of this. The risk level has been high to begin with.”
Breaking news from Canada and around the world
sent to your email, as it happens.
Get breaking National news
For news impacting Canada and around the world, sign up for breaking news alerts delivered directly to you when they happen.
Cybersecurity expert Troy Hunt got his hands on the alleged stolen data and he found it contained inaccurate information and duplicated data. In one instance, a single person had six rows of data dedicated to them (same name, same SSN but different addresses). Hunt took a sample of 100 million rows and found that only 31 per cent of the rows had unique SSNs.
“(S)o extrapolating that out, 2.9B would be more like 899M,” he wrote in a blog post. Hunt is a Microsoft regional director but is best known for operating the “Have I Been Pwned” website, which allows people to check if their personal information has been compromised in data breaches.
Hunt looked himself up in the files and found that his personal information was inaccurate. He found one of his email addresses 28 times in the files, but they appeared beside names and dates of birth that weren’t his.
While some of the data may be dubious, other outlets have reported that the leak contains real information. Multiple people confirmed to BleepingComputer that their legitimate personal information and the information of family members, some of whom are deceased, was contained in the files. Malware education organization vx-underground reported the same.
Even though some of the information appears to be correct, the fact that the trove also contains inaccurate information will make it harder for threat actors and scammers to use it for nefarious purposes.
Lee says we should use news of the National Public Data hack as a “teaching moment.”
“We know that information that’s highly sensitive has been breached before and is readily available,” he said. “Now let’s talk about what you really should be doing to protect yourself.”
Lee urges everyone concerned about their personal data or identity theft to freeze their credit. The two main credit bureaus for Canadians are Equifax and TransUnion, according to the Financial Consumer Agency of Canada. The agency recommends that Canadians check their credit reports at least once a year to look for identity theft.
Lee also encourages Canadians not to use the same password for every online account, as a recycled password could be the “keys to your kingdom” if leaked. Password managers exist on most browsers and can suggest strong passwords for users and then store them in an encrypted form.
Experts who previously talked to Global News say people should be on the lookout for scammers whenever major data breaches happen.
“They will send out spam messages offering people free credit monitoring — ‘Sign up here, click the link,’” cybersecurity expert Brett Callow said in June. “They may tell people they’re entitled to compensation… ‘Click here to enter your banking information for an auto deposit.’
“(People) should be on the lookout for those type of things. Any text or email they receive. Don’t click the links. Go to the actual website of the organization instead.”
David Bradbury, the chief security officer of Okta, a major company specializing in secure sign-ons and online authentication, warned Canadians to be “hyper-vigilant in this world we’re in.”
“As we see this proliferation of personal data that is emerging on the internet, it does make us all bigger targets for phishing attacks,” Bradbury says.
Hackers and scammers can “quickly and easily access lists of information about you, and can create compelling and interesting emails that are tailored towards you as a specific individual,” he notes. And with the advent of artificial intelligence tools, the ability of malicious actors to create “very well-worded and very relevant” communications only increases.
These scammers may use your leaked personal data, such as your home address or phone number, to build trust and appear legitimate, “and by building that trust, they can attempt to convince you to perform actions that you wouldn’t usually perform,” Bradbury says.
“We need to be conscious that we live in a world where hackers are able to access our information freely through, sadly, the number of data breaches that have occurred,” he notes. “This is a new world we’re operating in where our personal information is no longer secret and protected. And in that world, we need to be very conscious that people may try to contact us, and try to perform harmful actions.”
Discussion about this post