Source: securityboulevard.com – Author: Jeffrey Burt
National Public Data, the data broker that filed for bankruptcy protection after a breach of its systems exposed 2.9 billion records containing the sensitive and personal data of up to 170 million people, has shut down, leaving behind a two-sentence notice on its website along with a brief recap of the attack and steps those affected by it can take.
“It is with sincere regret that we inform you that National Public Data, after two decades serving the data industry, has closed,” the Coral Springs, Florida-based company wrote on the website.
As noted by PCMag, a sister company, recordscheck.net, also closed its doors, leaving behind a similar message on its website. Meanwhile, the companies’ parent, Jerico Pictures, of Pompano Beach, Florida, is still facing myriad class-action lawsuits and demands for civil penalties from several states in connection with the data breach.
Jerico filed for Chapter 11 bankruptcy protection in early October in federal court in Florida, claiming it had less than $50,000 in assets, but a judge dismissed the bankruptcy filing at the end of the month.
Data Security, Data Brokers
The breach of National Public Data’s systems was another case study of hackers’ aggressive and ongoing efforts to steal data and either hold it for ransom or put it up for sale on the dark web. At the same time, it put another spotlight on the issue of data brokers, where they get the data, and what they do with it.
According to the now-closed company, a hacker with the handle USDoD – also known as EquationCorp – was trying to hack into its systems as early as December 2023 and successfully breached them early this year, before April. That month, USDoD announced on a dark web forum called “Breached” a database of data stolen from National Public Data and offered to sell it for $3.5 million.
That data, which includes names, current and previous addresses, Social Security numbers, aliases, and information about relatives, also was leaked online, giving bad actors wide access to it.
National Public Data, like many data brokers, got its data by scraping publicly available data from a range of sources in federal, state, and local government records, including marriage certificates, voting registries, motor vehicle records, bankruptcy filings, and court records, and then selling the data to companies for such uses as background checks and mobile application development.
Suspect Arrested in Brazil
In October, Brazilian federal law enforcement agents arrested USDoD, who was linked not only to the National Public Data breach but also to others, including intrusions into InfraGard, an FBI portal for sharing threat intelligence, and the U.S. Environmental Protection Agency. In addition, USDoD is alleged to have gotten into the systems of airplane manufacturer Airbus and credit reporting company TransUnion.
In July, USDoD claimed to have leaked the threat actor list of CrowdStrike, though the cybersecurity firm said at the time the information already was available to thousands of customers and partners. Later CrowdStrike and several other companies and publications said USDoD was a 33-year-old man from Brazil.
He was arrested as part of a police initiative called Operation Data Breach and is suspected of hacking into the systems of the Brazilian national police and other government institutions in 2022, according to a police statement. He had said before his arrest that while he got a hold of the stolen National Public Data information, it was another cybercriminal that stole the data from the company.
A Lightly Regulated Industry
The National Public Data breach also put attention on data brokers, a lightly regulated industry that some reports say could grow from $319 billion in 2021 to more than $545 billion in 2031. There are about 4,000 data brokers around the world. The controversial companies collect and aggregate massive amounts of personal information of people around the world and sell or license it.
Duke University researchers have been looking into the information that data brokers are making available. One study detailed how easy and inexpensive it is to buy data about current and retired military personnel and their families. Another found that data brokers were selling sensitive information about people’s mental health conditions.
Some state legislators, including in California, have pushed bills that would rein in what information data brokers can hold and sell. In addition, the Consumer Financial Protection Bureau (CFPB) this week proposed a rule that would limit the sale of personally identifiable information, like Social Security and phone numbers, by certain companies and ensure that financial data like income can only be shared for legitimate purposes, such as approving a mortgage, and not with companies looking to benefit from people in financial distress.
“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” CFPB Director Rohit Chopra said in a statement.
Under the proposed rule, data brokers would have to comply with the same regulations that credit bureaus and background check companies do, and would have to get the consent of people before selling their data.
Original Post URL: https://securityboulevard.com/2024/12/national-public-data-shuts-down-months-after-massive-breach/
Category & Tags: Cloud Security,Cybersecurity,Data Privacy,Data Security,Featured,Identity & Access,Industry Spotlight,Mobile Security,Network Security,News,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Spotlight,Bankruptcy,CrowdStrike,Data Brokers,National Public Data Breach