National Public Data confirms the breach that exposed America’s social security numbers
A data dump containing 2.7 billion records of US residents’ personal information, including their Social Security numbers, was recently leaked online. The content of the data dump was linked to National Public Data, a company that scrapes information from non-public sources and sells it for background checks. Now, the company has confirmed that it “had a data security incident” in which people’s names, email addresses, phone numbers, social security numbers and postal addresses were stolen.
National Public Data’s wording in its Security Incident report is clear and rebuttable, but it blames the security breach on a bad third-party actor. It said the bad actor was “attempting to hack data in late December 2023” and that “some possible data leaks” occurred in April 2024 and the summer of 2024, indicating that the hacker had successfully penetrated its system. In April, a threat actor known as USDoD tried to sell the records of 2.9 billion people living in the US, UK and Canada for $3.5 million. USDoD claims to have stolen the information from National Public Data. Since then, the records have been leaked online in bits and pieces, and the latest leak is extensive and contains highly sensitive information.
The company said it is working with law enforcement to review records that may have been affected and will “attempt to notify” people “if there is any other material that applies” to them. It also said it has published a notice so that those who may be affected can take action. The company advises people to monitor their financial accounts for fraud, and encourages them to get free credit reports and put a fraud alert on their file.
National Public Data is already facing a proposed class action lawsuit filed in early August by a plaintiff who received a notification from their identity theft protection service that their personal information was posted on the dark web. The plaintiff argued that the company failed to “safeguard and properly protect the personally identifiable information it collected and maintained as part of its normal business practices.”