NPD Data Breach Victims Speak Out: ‘AI Scammers Attacked Us’

Why Trust Techopedia
KEY TAKEAWAYS

  • A major data breach involving National Public Data exposed the personal information of 3 billion people, now being sold on the dark web.
  • One scammer used AI to clone a voice, almost tricking a woman into withdrawing money, but her real son's call saved her.
  • The U.S. Congress is investigating the breach, which could be one of the largest ever, affecting individuals globally.
  • Victims are filing lawsuits, and experts emphasize the need for stronger regulations to protect personal information from such breaches.
  • The breach highlights the risks posed by data brokers, who often collect and store vast amounts of sensitive information without sufficient oversight.

“In late 2023, my great aunt received an AI scam call where the threat actor cloned her son’s voice and pretended like he had been involved in a car accident with a pregnant woman.

“On the way to the bank to take out money for a lawyer, her actual son called nonchalantly asking about her day, which was the only thing that prevented her from being scammed out of thousands of dollars.”

These are the words of Larissa, who jumped on a call with Techopedia to verify the truth of her claims. Larissa prefers to not have both her first and last names listed, as she is concerned about how easy it would be for threat actors to find her leaked information.

Larissa’s great aunt is just one of the untold number of people whose details were leaked by an attack carried out by the threat actor known as USDoD against Jerico Pictures, Inc., which owns National Public Data, a data broker company that runs employee background checks, among other things.

Nearly three billion records, including Social Security numbers and other details of citizens worldwide, including the U.S., Canada, and the UK, are believed to have been stolen in a breach with huge ramifications.

Congressional Committee on Oversight and Accountability Launches Investigation

On August 22, the Committee on Oversight and Accountability of the U.S. Congress announced it was investigating the cyberattack against National Public Data.

The NPD data breach saw stolen data, including Social Security numbers, phone numbers, email addresses, and mailing addresses of what is claimed to be three billion people. The data was also found on sale on the dark web for $3.5 million. The Congressional Committee warned that the breach could be the largest attack in terms of impacted individuals.

Itay Glick, VP of Products at OPSWAT, a critical infrastructure cybersecurity solutions company, told Techopedia:

“This incident is more than just a reminder of how vulnerable our digital world is — it’s a wake-up call for every organization out there.”

The Committee said that by some accounts, the scope of the attack might include individuals in Canada and the United Kingdom. Unfortunately, the responsibility to mitigate the damage often falls on the victims in these instances. “For those affected, the fallout is personal and immediate,” Glick said.

Entire Families Affected as Jerico Pictures Hit with Wave of Lawsuits

Victims of the breach have already filed a class action suit against Jerico Pictures. Jericho Pictures is a film and television studio based in Los Angeles and South Florida. Somehow, this movie-TV studio transitioned into the more obscure world of the data broker industry, a transition which looks to have ended up costing countless people more than they bargained for.

Larissa, in her early 20s, told Techopedia that threat actors are clearly becoming more sophisticated in their attacks, but organizations also need to be held more responsible for the data they are entrusted to secure.

“My data, my brother’s data, and my parent’s data were all leaked in the recent National Public Data breach”

As Larissa said, having your social security information stolen can impact your ability to open bank accounts, get credit cards, rent an apartment, or file taxes. “These are all things we should never have to worry about when trusting an organization with our data,” Larissa said.

“It’s one thing to worry about my own finances and credit being at risk, but it’s another to have to worry about that for my family members, especially elderly family like my great aunt,” Larissa said.

The Irony of Breaches and Credit Monitoring Authentification

Clyde Williamson, Senior Product Security Architect at Protegrity, a data security software provider told Techopedia he too was impacted by the breach.

 

Williams said that the irony is that the protection systems in place today for credit monitoring, like Experian or TransUnion, still rely on Personal Identification Information (PII). This information just happens to be the exact data that was leaked and sold on the dark web in the NPD breach and multiple others.

Williamson said those impacted by breach are susceptible to identify theft, unauthorized access to accounts, password resets, data exfiltration, targeted scams and frauds, phishing attacks, and financial exploitation

“The exposure of SSNs and other PII can have devastating effects, making it crucial for individuals to be vigilant and take steps to protect their personal information, such as freezing their credit and using credit monitoring services.”

The Road to Rome Leads to Data Brokers

Data brokers have seen their fair share of negative publicity in the past years as end users become more data privacy-aware. The tech industry has shifted to end unethical activities such as poorly designed data consent agreements, tracking users across the web, and auto-installing shady cookies.

While data brokers have always operated in the background, user privacy trends have seemed to push the industry even farther away from the spotlight and the public eye. The public has little information on data brokers, how they operate, and what they do with personal data. Additionally, data brokers have not been immune to attacks.

For example, the now infamous data broker LexisNexis was hit by breaches in 2005 and 2009. People Data Labs was also involved in a breach that exposed personal data from 1.2 billion people. And these are just some of the cases of a longer list. Other data brokers that have been targeted by cybercriminals or hacktivists include Epsilon, Equifax, Experian, and Acxiom, to mention some.

Naturally, what attracts cybercriminals about data brokers is the treasure trove of data they scrape, store, manage, and move around.

The Buck Stop Here: Do Governments Give Data Brokers a Pass?

Who is responsible for the NPD breach? Is it the hacker? The company? Or is the lack of government regulations?

USDoD, the threat actor behind the NPD data, recently unmasked himself during an exclusive interview with HackerRead. In the interview, he identified himself as Luan G, a 33-year-old man from the state of Minas Gerais in Brazil.

Luan G. told the press that he was not a threat and would go himself to talk to the local police in Brazil — a move many describe as a “from-cybercriminal-to-reformed-hacktivist” defense strategy.

But should the investigation end there? What other factors contributed to the breach and exposure of data from billions of people? Williamson from Protegrity thinks that broader solutions are required and need to come from the government´s side.

“Data brokers like National Public Data (NPD) in the United States have minimal legal responsibilities, especially compared to industries like the Payment Card Industry (PCI), which includes annual audits and various other controls.”

“PII in the United States remains vulnerable and at significant risk because we lack unified data privacy regulations that can be enforced at the level necessary to prevent these massive breaches.”

Williamson added that current U.S. laws, or lack thereof, are not enough for our 21st

century data needs. “There is an expectation that they (data brokers) will adhere to the proper data privacy laws that prevent data theft, but as we’ve established, there is no accountability written in the law,” Williams said.

 

Even more concerning is the fact that individuals did not willingly give the data to NPD. The company has allegedly scraped individual’s PII from public sources used for background checks. This means that millions still might not know they are part of one of the largest breaches of personal data.

The Bottom Line

The NPD breach has no upside. Data exposure-related cyberattacks are expected to continue unfolding, many of which may never be reported.

As the hacker behind the breach comes forward, the U.S. Congress wants to investigate the issue. The data broker industry’s responsibility to protect personal data is undeniable. This case once again demonstrates how data brokers operate in the shadows while individuals’ privacy is severely impacted.

Related Terms

Related Article