HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Investigations escalate in National Public Data breach case

Written by Farah Amod | Sep 5, 2024 6:10:24 PM

The data breach at National Public Data, a Florida-based public records data broker, has led to a series of investigations, legal actions, and regulatory scrutiny. Lawmakers, law enforcement agencies, and consumer advocates are all dealing with the implications of this breach.

 

What happened

The National Public Data breach first came to light through a proposed class-action lawsuit filed in early August 2023. According to the lawsuit, the breach exposed the personally identifiable information (PII) of 292 million individuals, including the Social Security numbers (SSNs) of 272 million people. The figure represents 60% of all SSNs ever issued by the Internal Revenue Service, making it the largest volume of SSN exposure on the dark web to date.

Investigators from Constella, an AI-powered identity risk intelligence provider, have analyzed the data and found that while it contains numerous errors, even a 51% usability rate would still translate to added risk for 138 million people. 

 

Going deeper

The National Public Data breach is particularly concerning because of the nature of the company's business. As a public records data broker, National Public Data specializes in background checks and fraud prevention, collecting and aggregating massive amounts of personal data from a variety of sources, including public databases, court records, and state and national repositories. The data is then sold to a wide range of customers, including private investigators, consumer public records sites, human resources departments, and staffing agencies.

The sheer volume of sensitive information held by National Public Data, and the potential for it to be misused by malicious actors, has raised alarms. The proposed class-action lawsuits allege that the compromised PII has already been used in identity theft and fraud, with the potential for a wide range of criminal activities, such as opening new financial accounts, taking out loans, obtaining government benefits, and even providing false information to law enforcement.

 

What was said

In response to the breach, U.S. lawmakers have taken action. Representative James Comer, chairman of the House Committee on Oversight and Accountability, and Representative Nancy Mace, chair of the committee's Subcommittee on Cybersecurity, Information Technology, and Government Innovation, have launched an investigation into the matter. In a letter to National Public Data's president, Salvatore Verini, the lawmakers expressed their concern over the scale of the breach and the company's alleged lack of transparency in informing affected individuals.

 

Why it matters

As the details of the breach continue to unfold, it is clear that this is not an isolated incident, but rather a symptom of a larger systemic problem. Data brokers have operated in the shadows for far too long, amassing vast amounts of personal information with little oversight or accountability. The National Public Data breach serves as a wake-up call, and a call to action for policymakers, consumer advocates, and the public at large to demand reforms that prioritize consumer privacy and data security.

 

FAQs

What is a data breach?

A data breach is an incident where sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals. This can include personal information such as names, Social Security numbers, credit card details, and medical records. Data breaches can occur through various means, such as hacking, malware attacks, insider threats, or inadequate security measures.

 

Can legal action result from a data breach?

Yes, legal action can result from a data breach, as affected individuals or organizations may sue for damages caused by the breach.

 

How can healthcare organizations prevent data breaches?

Healthcare organizations can reduce the risk of data breaches by implementing strong cybersecurity measures, conducting regular security training for employees, and using encryption to protect sensitive data. 

 

What should a healthcare organization do immediately after discovering a data breach?

Upon discovering a data breach, a healthcare organization should contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.