Virtualization Technology News and Information
Article
RSS
The NPD Breach: A Massive Data Leak with Serious Consequences, Expert Insight

The National Public Data (NPD) breach is one of the most significant and most damaging cybersecurity incidents in recent history. It exposed the personal data of nearly 3 billion people, including sensitive information such as Social Security numbers, addresses, and email addresses. The cybercriminal group "USDoD" has claimed responsibility for this attack, which they say was motivated by exposing the unethical practices of data brokers and private investigators. The breach has raised serious concerns about the security and privacy of our data and the accountability and transparency of the organizations that collect and use it.

Several experts from the cybersecurity industry have shared their insights and opinions on the NPD breach, highlighting the risks, challenges, and implications of this incident. Here are some of the key takeaways from their perspectives:

  • Clyde Williamson, Product Management, Innovations, Protegrity, argues that organizations must prioritize data protection and adopt strategies like encryption and tokenization to render data useless to attackers. He also criticizes the inadequacy of U.S. laws and regulations in handling citizens' personal data, especially for data brokers like NPD, which are not subject to the same standards as other sectors.
  • Kiran Chinnagangannagari, Chief Product & Technology Officer, Securin, emphasizes the need for organizations to evaluate and communicate their cybersecurity practices for themselves and their partners and third-party vendors. He also points out the profound risks posed by mass data aggregation and the minimal oversight over who gains access to this data.
  • Ayan Halder, Principal Product Manager, Traceable AI, stresses the importance of adopting a proactive and holistic approach to cybersecurity rather than a reactive and siloed one. He also suggests that organizations should leverage AI and machine learning to detect and prevent breaches and improve their visibility and understanding of their data flows and vulnerabilities.

Larissa A., a victim of the National Public Data breach, asked for slight anonymity in sharing her story but had this to say about finding her information within the compromised data, "In late 2023, my great aunt received an AI scam call where the threat actor cloned her son's voice and pretended like he had been involved in a car accident with a pregnant woman. On the way to the bank to take out money for a lawyer, her actual son called nonchalantly, asking about her day, which was the only thing that prevented her from being scammed out of thousands of dollars.

"While threat actors are clearly becoming more sophisticated in their attacks, organizations also need to be held more responsible for the data they are entrusted to secure. My data, my brother's data, and my parent's data were all leaked in the recent National Public Data breach according to Pentester.com," she went on to say, calling out concern about not only her own privacy but that of her family.

"It's one thing to worry about my own finances and credit being at risk, but it's another to have to worry about that for my family members, especially elderly family like my great aunt. This time, it was more than just phone numbers and addresses (which also shouldn't be overlooked when it comes to data protection). But having our social security information stolen can impact our ability to open bank accounts, get credit cards, rent an apartment, or file taxes. These are all things we should never have to worry about when trusting an organization with our data."

Full thoughts from the experts at Protegrity, Securin and Traceable AI follow.

Clyde Williamson, Product Management, Innovations, Protegrity

"Organizations rely on the exchange of data for their vitality. Consumers share their personal identifiable information (PII), like Social Security numbers and emails, with the expectation that businesses will protect this data and comply with privacy laws to prevent unauthorized access. In this case, National Public Data (NPD) scraped individuals' PII from public sources for use in background checks, leaving people unaware if their data was accessed and emphasizing growing concerns regarding customer trust in businesses and their ability to secure their data.

Notably, this breach wasn't announced for a week; it only came to light and led to a lawsuit earlier because the company didn't disclose it. Further, it's still unclear whether they intentionally avoided sharing details of this breach or just discovered it themselves. This highlights the inadequacy of U.S. laws in handling citizens' personal data, which are not equipped for the challenges of the 21st century. Data brokers like the NPD also aren't held to the same regulatory standards as institutions like the Payment Card Industry (PCI), where they're obligated to conduct annual audits and controls around credit card data. As things stand now, the US has no such obligations.

Most likely, a lot of the stolen data set is from one of our most vulnerable demographics: senior citizens and their families. A popular scam has a threat actor pretending to be a lawyer with bad news for the senior - their family member is in trouble and needs money. And why wouldn't a grandparent believe them if they had valid PII to validate their credibility? These scammers don't have to open credit in someone's name to ruin lives. They just need to know how to use the information stolen to empty a caring family member's bank account.

As breaches and attack surfaces continue to grow, relying on class action lawsuits for negligence cannot be the best option. Organizations must prioritize transparency and enhance their efforts to de-identify sensitive data to protect consumer information. They must move beyond traditional defense mechanisms and adopt regulator-recommended data protection strategies like encryption and tokenization. These methods render data useless to attackers, making it impossible to steal and use maliciously. By implementing these protections, businesses can diminish the value of stolen data and mitigate the long-term effects of ransomware attacks or fraudulent activities."

Kiran Chinnagangannagari,  Chief Product & Technology Officer, Securin

"In the wake of the staggering National Public Data breach, which compromised millions of records on U.S. citizens, the silence from the company until the breach included leaked social security numbers is nothing short of alarming. This breach underscores the profound risks posed by mass data aggregation and sheds a harsh light on the glaring gaps in corporate responsibility when managing and communicating such incidents. The fact that such enormous volumes of personal data are accessible to companies and private investigators, and now the deep and dark web, raises severe doubts about how well-protected our information truly is. This breach lays bare the minimal oversight over who gains access to this data-and what happens afterward.

This breach should also serve as a wake-up call, emphasizing the critical need for organizations to rigorous or stricter regulations and better enforcement. Companies must be held accountable, not just for evaluating the cybersecurity practices of their partners and third-party vendors. It's no longer enough to trust that data handlers have robust defenses-organizations must proactively ensure that every entity in their supply chain is equipped to prevent such catastrophic breaches. It's time for their cybersecurity practices but for those of every entity they do business with. The stakes are too high to allow this negligence to continue."

Ayan Halder, Principal Product Manager, Traceable AI

"When fraudsters have access to key personal details needed to bypass KYC on nearly all American consumers, the question is who to trust anymore? This is where intent-driven risk management shines. Intent-driven risk management looks at how users are behaving "after" getting onto the platform and what are they going after, negating a lot of the risks injected through brittle KYC measures."

Published Thursday, August 22, 2024 7:35 AM by David Marshall
Filed under:
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
Calendar
<August 2024>
SuMoTuWeThFrSa
28293031123
45678910
11121314151617
18192021222324
25262728293031
1234567