How Much of the National Public Data Breach Consists of New Information?

Aug 23, 2024

The breach of National Public Data was a major mainstream news item last week, with headlines indicating that possibly every Social Security number in the US had been exposed to the dark web. But with time and further review, it seems the data breach may have been more limited than first reported.

The data breach includes 2.9 billion records, but deep dives by Troy Hunt (of HaveIBeenPwned) and others indicate that a great deal of this is duplicate information. It is also unclear exactly how many previously unexposed Social Security numbers are included in the collection, though it appears at minimum that anyone who has used a data opt-out service to remove their information from data broker stores has not been exposed.

National Public Data yet to confirm breach

Though the news of masses of stolen Social Security numbers is recent, the data breach first appeared in April when it was offered on dark web forums for private sale (for about $3.5 million USD). The more recent news broke due to its appearance as a freely available download, an extremely troubling development for something that initially appeared to be an index of nearly every Social Security number in the country.

But National Public has yet to confirm the data breach, only saying thus far that it is investigating the issue. People have been receiving notifications of their Social Security numbers being exposed on the dark web, indicating that at least some amount of it is legitimate and new. But it’s hard to say exactly how much at this point.

The Troy Hunt analysis finds that legitimate new information was likely stolen in April or before, including some amount of Social Security numbers (possibly substantial) and other legitimate personal information, but that at some point since then the file was “sweetened” with a lot of information from other sources and a fair amount of repeated or garbage data.

Data breach damage extent remains unclear, but consumers should watch their credit

As many as 899 million of the records do appear to have Social Security numbers attached, but it is not clear if they are all legitimate. With the population of the US at only about 350 million, the explanation for the huge number appears to be that records of the deceased (dating back as far as 20 years) have been included. This is part of an area of service that National Public Data provides, allowing customers to track down relatives, including those who may have passed away.

The other records contain an assortment of information. About 134 million contain what appear to be legitimate email addresses, but paired with an assortment of contact information that is not necessarily correct or legitimate. Hunt searched for his own information and noted multiple records that were based on a legitimate, older email address but had a variety of incorrect pieces of personal information attached, including some wildly inaccurate dates of birth.

Still, there are enough Social Security numbers appearing that the breach should prompt consumers to check up on their credit and potentially implement measures such as a temporary freeze. There is not yet any word from National Public as to an offer of free credit monitoring in connection with the breach.
