Examining the National Public Data Breach and Risks for Data Brokers
The compromise of National Public Data raises questions about the exposure consumers face when data brokers are breached.
Due to a recent breach, consumers are being warned that their Social Security numbers, along with other types of personal information, could be changing hands on the dark web. National Public Data (NPD), a company that collects data used to perform background checks, is one of the latest businesses to suffer a massive breach. An estimated 2.9 billion rows of records were breached, according to the threat actor behind the incident, with data leaked online.
NPD is just one of many data brokers that stores billions of records. What obligations do these companies have to protect sensitive information, and could breaches such as this invite more scrutiny?
The NPD Breach
NPD recently confirmed in a brief statement that the breach stems from a threat actor’s activity back in December 2023. The company notes “… potential leaks of certain data in April 2024 and summer 2024.” In addition to Social Security numbers, the data in question also includes names, email addresses, phone numbers, and mailing addresses, according to the statement.
A threat actor known as USDoD began selling the data online in April, while another hacker allegedly leaked data online in July, according to KrebsOnSecurity.
NPD’s statement contains the standard warnings for consumers to monitor their financial accounts and credit reports.
Exactly how the NPD breach happened remains unclear. Threat actors are always on the lookout for opportunity, and any entity is a potential victim.
“The human element is generally the weak point in security,” Douglas McKee, executive director of threat research at cybersecurity company SonicWall, points out. The human element plays a role in 68% of breaches, according to Verizon’s 2024 Data Breach Investigations Report.
The Risks Data Brokers Face
Estimates of how many data brokers operate around the world vary, but the number is likely in the thousands. “There is a huge amount of money to be made right now on collecting all this data,” Robert Hughes, CISO at identity solutions company RSA, tells InformationWeek.
These companies collect and monetize a vast amount of data on individuals, making brokers attractive targets for threat actors. “Their risk profile is pretty high because they're holding information that is highly valuable,” says McKee.
Naturally, that risk spills over into the lives of individuals when that data is breached. Identity theft and more convincing phishing scams are potential consequences when Social Security numbers and other personal information land in the hands of bad actors.
Data brokers have their work cut out for them when it comes to protecting the massive amounts of valuable, sensitive data they hold. That data does not sit static in some impenetrable stronghold. It migrates as businesses make use of it, and as it moves the risk of compromise increases.
“Data gets moved to lower environments, which typically have provisioned more access by more users and more services, where maybe vulnerabilities are not being patched as proactively as they might be in … higher environments,” Bruno Kurtic, cofounder, president, and CEO of data security company Bedrock Security, explains.
Any enterprise that stores sensitive data, data broker or otherwise, needs data governance to understand how to protect it.
“It starts with knowing where your data is, then it goes to knowing what of that data is sensitive, and then it goes into what is being accessed, how it's being accessed,” says Kurtic.
Those questions get harder and harder to answer when so much data is involved, a lot of it unstructured and sprawling across different environments. Kurtic argues that entities need to leverage more sophisticated technology.
“We need to bring [in] AI to protect us against data leakage and to determine sensitivity of the data,” he says.
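As an added illustration of the discovery and classification steps Kurtic describes (this is not code from the article or from any company quoted in it), the script below scans constructed sample records that have been copied from production into lower environments, flags unmasked Social Security numbers found outside the environments allowed to hold them, and masks them. The environment names and records are assumptions; the SSN format checks follow the Social Security Administration's published rules for never-issued numbers.

```python
import re
from typing import Dict, List

# Matches 3-2-4 digit groups, with or without dashes or spaces (e.g. 123-45-6789,
# 123456789). This is a heuristic detector for unstructured text, not a lookup.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Constructed sample data: the same export landing in assumed environments.
ENVIRONMENTS = {
    "prod": ["name=Alice Example; ssn=123-45-6789; email=alice@example.com",
             "name=Bob Example; ssn=XXX-XX-4321; phone=555-0100"],
    "staging": ["name=Alice Example; ssn=123-45-6789; email=alice@example.com",
                "name=Bob Example; ssn=XXX-XX-4321; phone=555-0100"],
    "dev": ["note: analytics export, ssn 123456789 included by mistake",
            "name=Carol Example; ssn=000-12-3456"],  # area 000 is never issued
}

def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA rules: area is not 000, 666 or 900-999; group is not 00; serial is not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def find_ssns(text: str) -> List[str]:
    """Return plausibly valid SSNs found in free text, normalised to dashed form."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if is_valid_ssn(a, g, s)]

def classify(record: str) -> str:
    """Sensitivity label for one record: 'sensitive' if it carries an unmasked SSN."""
    return "sensitive" if find_ssns(record) else "internal"

def mask_ssns(text: str) -> str:
    """Replace each valid SSN with XXX-XX-<last four>, leaving other digit runs alone."""
    def repl(m: "re.Match[str]") -> str:
        a, g, s = m.groups()
        return f"XXX-XX-{s}" if is_valid_ssn(a, g, s) else m.group(0)
    return SSN_RE.sub(repl, text)

def inventory(envs: Dict[str, List[str]], allowed=("prod",)) -> Dict[str, dict]:
    """Per-environment count of sensitive records; a violation is any unmasked SSN
    sitting in an environment that is not on the allowed list."""
    report = {}
    for env, records in envs.items():
        sensitive = sum(1 for r in records if classify(r) == "sensitive")
        report[env] = {"records": len(records), "sensitive": sensitive,
                       "violation": sensitive > 0 and env not in allowed}
    return report
```

Running `inventory(ENVIRONMENTS)` reports staging and dev as violations, and `mask_ssns` shows the form in which such records could be copied down safely.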
While AI may be one way to combat data leakage, breaches are still going to happen. Any entity can be the victim of a breach, even with the best laid cybersecurity plans. When that happens to a data broker, or any other enterprise, communication is important.
“There's … a responsibility to be transparent to the end users and provide them the information they need so that they can protect themselves as soon as possible,” says McKee.
Regulatory Scrutiny
Any entity safeguarding personal data has regulatory considerations. Europe has the General Data Protection Regulation (GDPR), but the United States does not yet have a federal data privacy law. Instead, there is a patchwork of state laws with varying rules and degrees of stringency. What does this mean for data brokers operating in the US?
Large public companies tend to attract more attention from regulators. For example, the Federal Trade Commission (FTC) fined Meta (parent of Facebook) $5 billion in 2019 for violations of its users’ privacy.
But data brokers do not necessarily need to be large or public to have a ton of data. Relatively small companies might not have the resources, or motivation, to implement cybersecurity best practices. And they may not get as much attention from regulators.
“When you look at smaller players in the market, [they] might have weaker security controls,” says Hughes. “The risk may be worth it for small data brokers.”
Some state regulations, like those in California, take that into consideration. The California Consumer Privacy Act (CCPA) applies to any business that buys, sells, or shares the personal information of more than 100,000 people living in the state. The state also requires data brokers to register with the California Privacy Protection Agency.
Could large breaches, like the one of NPD, invite more regulatory scrutiny?
Data privacy is getting more attention. The American Privacy Rights Act (APRA) is being considered at the federal level, and the legislation does define data brokers as covered entities.
“Focusing on them specifically is probably a wise choice because they need to operate with a higher urgency to protect our data,” says Kurtic.