What You Need To Know About the National Public Data Breach 2024

By: Ben Bowman
August 14, 2024

Well, it’s happened again. Another large organization that held onto a huge volume of sensitive information has apparently failed to protect it. To add to the frustration, this organization really should have known and done better because it was breached earlier, just last spring, and already has a massive class action lawsuit pending. 

So right off the bat, here are a few things our cybersecurity team recommends for individuals after this significant breach: 

  • Add multi-factor authentication to all online accounts linked to your credit card or bank information
  • Review your credit card and bank statements regularly
  • If you haven’t already, freeze your credit and consider investing in identity theft protection and 24/7 credit monitoring
  • Don’t respond to any unsolicited requests for information

To be clear, at the time of publication, National Public Data hasn’t yet confirmed or commented on this newest attack. But all signs point to it having happened, including a hacker claiming the credit. So now, let’s dive into a few more details. 

What Is National Public Data? 

National Public Data is a vendor that provides background-checking services and other information-gathering services for all sorts of other businesses. According to their website, they supply data to “private investigators, consumer public record sites, human resources, staffing agencies and more.”

Why Is This Data Breach Especially Bad?

National Public Data provides their services by scraping personally identifiable information (PII) on individuals from non-public sources. And they do this part of their job very well. So even if you never worked with National Public Data and have never even heard of the company, they could have collected your data. In fact, as it turns out, they have gathered the Social Security numbers, current and past addresses, full names, and known relatives of almost 3 billion people.

And here’s a real head-scratcher for any cybersecurity professional: National Public Data apparently stored this vast amount of data in plain, non-encrypted text … 

and persisted in doing so even after the first data breach that was confirmed this past spring. 

And if that doesn’t make you mad, just wait. 

What Could That Leaked Data Be Used for? 

If only credit card information were leaked, it would be bad. But you can always cancel a credit card and apply for a different one. But your Social Security number stays with you for life, so the fact that this information was leaked — along with other sticky data like past addresses and known relatives — is a much bigger problem for those affected. 

To put that into context, here’s just a short list of what criminals can do with this data: 

  • Apply for a credit card
  • Take out a loan
  • File a tax return
  • Get government benefits
  • Receive medical care
  • Get insurance
  • Open a utility account
  • Withdraw money from an account

Additional Takeaways for Businesses 

Most of the costs associated with a severe cyberattack happen long after the attack has taken place. Unfortunately, attacks like these have been skyrocketing since the pandemic. So if your organization hasn’t been doing all of these, it’s time to start: 

  • Encrypt sensitive data
  • Add multi-factor authentication to all online accounts
  • Consider applying for cyber insurance
  • Assess your vendor relationships on an ongoing basis, and pay close attention to any news of a vendor-related data breach
  • Implement dark web monitoring to get notified in the event that your domain or an employee user account has been stolen or compromised
  • Assess state and federal regulations regarding notifying customers of a breach of their confidential information
  • Review your incident response plan regularly, and make sure it aligns with evolving regulations 

Yes, almost all attacks are preventable, but no organization is 100% safe. So just as individuals will have to work harder to monitor their accounts, here are some tips on what organizations should watch for. 

What Are Signs That an Organization Has Been Breached?

Most organizations are painfully slow to recognize that their data has been breached. On average, it takes roughly 207 days for organizations to identify one, and another 70 to contain it. That’s way, way too long. 

If your organization collects and stores sensitive data, here’s what employees should watch for: 

  • Unusual account activity (locked accounts, multiple failed login attempts, etc.)
  • Abnormal network traffic
  • Noticeably slowed devices or internet speeds
  • Frequent crashes
  • Unexplainable file changes
  • A significant increase in spam and popups
  • A mouse pointer that moves seemingly on its own
  • Your antivirus software or firewall has been disabled

Lists like these are one of many reasons why an organization’s staff can actually be its most important security asset. Unfortunately, that’s not the culture at a lot of organizations. In a recent survey, tech professionals admitted that they don’t report 41% of known cyber incidents to management. 

What To Do if You Notice a Data Breach

If your organization has been breached, here are the steps you need to take, sooner rather than later: 

  1. Contain the breach by isolating any devices and systems that were breached
  2. Identify the cause of the breach, and make sure those vulnerabilities are addressed
  3. Before taking further action, contact your insurer immediately if you have a cyber insurance policy. If their guidance is not followed, you may not qualify for a payout under your claim. 
  4. Find out what data was leaked and assess the possible damage
  5. Notify law enforcement
  6. Notify any customers and business partners that might be affected
  7. Use what was learned to prevent another attack 

If your organization has been breached, and you encrypted your sensitive data, good for you! You’ve made sure that your data, even if it’s stolen, at least won’t be usable. If National Public Records had taken that single step, we wouldn’t be in this mess. 

Getting Help for Small to Midsize Business Cybersecurity

As tired as you probably are of hearing about cybercrimes like these, cybersecurity pros are equally tired of being seen as nags and scolds. But the truth about this breach (which is also true for the vast majority of cybersecurity incidents) is that basic cybersecurity hygiene would have been enough to prevent this. 

And while it’s unbelievably frustrating that cybercriminals are making off with trillions of dollars, it’s all the more frustrating that many of those almost 3 billion people will now spend an entire lifetime having to be ever-vigilant because just 1 for-profit business — a business they’ve likely never known, nor given permission to access their data — has been shockingly irresponsible. Again. 

So while we don’t mean to sound like nags or scolds, if your business collects data, please make sure you’re already following the basics. Please? We really want to help make that easy, so below is a free online checklist we’ve created that’s based on the National Institute of Standards and Technology’s Cybersecurity Framework.

Get Our Cybersecurity Checklist  Download Now
