admin An unsubstantiated viral claim that nearly every American’s social security number (SSN) was leaked in a massive data breach has spread rapidly this week, following the alleged hack of a background check company named National Public Data. While concerns about identity theft are understandable, experts suggest that the threat may not be as severe as it initially appears.
The compromised data was reportedly listed for sale on the dark web in April for US$3.5 million. The listing was posted by a threat actor known as “USDoD,” who claimed to possess the personal information of “the entire population” of the U.S., Canada, and the U.K.
The dataset allegedly contains 2.9 billion rows of information, including full names, home addresses, phone numbers, and SSNs. However, this does not necessarily mean it holds the data of 2.9 billion individuals. Additionally, Canadians do not have SSNs; their equivalent is the social insurance number. In the U.K., people have national insurance numbers.
Initially, news of the data breach was confined to outlets focusing on the dark web and cybersecurity. However, this changed when a Californian man filed a class-action lawsuit against National Public Data on 1 August, followed by a threat actor known as “Fenice” posting the entire stolen database online for free on 6 August.
On Tuesday, National Public Data acknowledged the breach, stating that “potential leaks of certain data” occurred in April 2024 and summer 2024. The company confirmed it is co-operating with law enforcement and government investigators. National Public Data, a data aggregator, compiles personal information for background checks and marketing services.
With the allegedly stolen data now publicly accessible, more cybersecurity experts have analysed it, raising doubts about its authenticity. While some information in the database appears accurate, a significant amount is duplicated, incomplete, or incorrect. Some experts question whether the data contains any new personal information, suggesting it may have been sourced from publicly available data or previous breaches.
James E. Lee, Chief Operating Officer of the Identity Theft Resource Center, told Global News that he doesn’t believe any of the data is new. He noted that National Public Data primarily scrapes publicly available information from the internet rather than collecting data directly from individuals, which could result in outdated or inaccurate information.
When asked if people should be concerned about identity fraud due to the hack, Lee said: “The reality is, the risk level did not go up because of this. The risk level has been high to begin with.”
Cybersecurity expert Troy Hunt also examined the stolen data, finding inaccuracies and duplicated entries. In one case, a single individual had six rows of data attributed to them, all with the same name and SSN but different addresses. Hunt sampled 100 million rows and found that only 31 per cent had unique SSNs.
“So extrapolating that out, 2.9B would be more like 899M,” he wrote in a blog post. Hunt, a Microsoft regional director, is best known for operating the “Have I Been Pwned” website, which helps people check if their personal information has been compromised in data breaches.
Hunt also searched for his own information in the files and discovered inaccuracies. One of his email addresses appeared 28 times in the files, but they were linked to names and dates of birth that were not his.
While some of the data seems questionable, other outlets have reported that the leak does contain real information. Several individuals confirmed to BleepingComputer that their legitimate personal information, as well as that of family members, including deceased relatives, was included in the files. The malware education organisation vx-underground reported similar findings.
Magazine 
