National Public Data, a leading background check company, was recently hit with a class action lawsuit alleging that the personal information of nearly three billion people was leaked online.
A cybercriminal group called ASDoD offered the database for sale online for $3.5 million, but there is no evidence that anyone has paid that amount yet.
If confirmed, this could be one of the largest data breaches ever – or is it? Troy Hunt, one of the world’s most renowned security experts and founder of the breach site Am I Pwned?, looked into the breach and discovered that much of the information surrounding the incident appeared to be incorrect.
Did ASDoD inflate the numbers?
First, Hunt points out, the original dark web posting of the database stated that it contained 2.9 billion rows of data, and that it included the entire population of the US, Canada and the UK. At last count, the UK’s total population was not 2.9 billion.
ASDoD also stated that the database contained Social Security Numbers (SSNs), which, Hunt points out, “are a very American construct, with Canada having SINs (Social Insurance Numbers) and the UK having, well, NI (National Insurance) numbers which are probably the closest.”
Secondly, the ASDoD post claimed that the database is 200GB compressed, which expands to 4TB uncompressed, but when Hunt and cybersecurity repository vx-underground checked, the total uncompressed file size was only 277.1GB. Furthermore, when checking the database for verifiable credentials and SSNs, Hunt found that the first six rows were for the same person, with only their first and last name alternated, and listed at different addresses in the same city.
Hunt then took a larger sample of 100 million rows and found that only 31% of them contained a unique SSN. This means that a significant portion of the data does contain the legitimate personal information and SSNs of thousands of victims, but the scale may be slightly smaller than 2.9 billion people: the dump may instead consist of only 2.9 billion rows of duplicated data.
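The check described above, comparing the row count with the number of distinct SSNs and spotting one person repeated under swapped names and different addresses, can be sketched as follows. This is an added example, not Hunt's tooling or code from the original article; the column names, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample (column names assumed); the 000 SSN area is never issued.
SAMPLE = """first,last,address,city,ssn
Alex,Moran,12 Oak St,Dayton,000-00-0001
Moran,Alex,98 Elm Ave,Dayton,000000001
Alex,Moran,5 Pine Rd,Dayton,000-00-0001
Jo,Reyes,7 Lake Dr,Tulsa,000-00-0002
Jo,Reyes,7 Lake Dr,Tulsa,
Sam,Ito,3 Hill Ct,Boise,000-00-0003
"""

def normalize_ssn(raw):
    """Reduce an SSN field to 9 digits so formatting variants compare equal."""
    digits = "".join(ch for ch in (raw or "") if ch.isdigit())
    return digits if len(digits) == 9 else None

def summarize(rows):
    """Compare the row count with distinct SSNs and flag repeated identities."""
    total = 0
    by_ssn = defaultdict(lambda: {"rows": 0, "names": set(), "addresses": set()})
    for row in rows:
        total += 1
        ssn = normalize_ssn(row.get("ssn"))
        if ssn is None:
            continue  # rows without a usable SSN still count toward the total
        entry = by_ssn[ssn]
        entry["rows"] += 1
        # An unordered name pair treats swapped first/last names as one person.
        entry["names"].add(frozenset((row["first"].lower(), row["last"].lower())))
        entry["addresses"].add((row["address"].lower(), row["city"].lower()))
    repeated = sorted(
        ssn for ssn, e in by_ssn.items()
        if e["rows"] > 1 and len(e["names"]) == 1 and len(e["addresses"]) > 1
    )
    return {
        "rows": total,
        "unique_ssns": len(by_ssn),
        "unique_ratio": len(by_ssn) / total if total else 0.0,
        "one_person_many_addresses": repeated,
    }

def summarize_sample():
    return summarize(csv.DictReader(io.StringIO(SAMPLE)))

if __name__ == "__main__":
    print(summarize_sample())
```

On the constructed sample, six rows reduce to three distinct SSNs, and the first SSN is flagged as one person listed at three addresses.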
As for whether the data was legitimate, Hunt ran into trouble attributing the database to a single source because of how generic the data was. In Hunt’s words, “how many different places does it have your first and last name, address, social security number, etc?”
Curious, Hunt also looked to see if any of his own information was included in the breach. His email appeared in 28 different rows, but without his own name, address or correct date of birth, indicating that much of the data could be incorrect and mismatched between victims.
Hunt speculates that the leak was shared so widely on social media and in news outlets because the SSNs in the initial dump were legitimate to begin with, and that subsequent dumps of data were caught up in the hype surrounding “the largest data breach ever.” Hunt also suggests that because NPD is a data broker, it put a huge amount of publicly available data into its database before it was stolen.
Ultimately, there are some potentially legitimate SSNs in circulation, but the data in the breach shows that they may not be appearing with the correct names and addresses. However, there are 134 million email addresses in public circulation, which could be used for phishing or to target people who do not have adequate protection against identity theft.