The National Public Data (NPD) breach is one of the most significant and damaging cybersecurity incidents in recent history. It exposed the personal data of nearly 3 billion people, including sensitive information such as Social Security numbers, addresses, and email addresses. The cybercriminal group "USDoD" has claimed responsibility for the attack, which it says was motivated by a desire to expose the unethical practices of data brokers and private investigators. The breach has raised serious concerns about the security and privacy of our data and about the accountability and transparency of the organizations that collect and use it.
Several experts from the cybersecurity industry have shared their insights and opinions on the NPD breach, highlighting the risks, challenges, and implications of this incident. Here are some of the key takeaways from their perspectives:
- Clyde Williamson, Product Management, Innovations, Protegrity, argues that organizations must prioritize data protection and adopt strategies like encryption and tokenization to render data useless to attackers. He also criticizes the inadequacy of U.S. laws and regulations in handling citizens' personal data, especially for data brokers like NPD, which are not subject to the same standards as other sectors.
- Kiran Chinnagangannagari, Chief Product & Technology Officer, Securin, emphasizes the need for organizations to evaluate and communicate their cybersecurity practices, both their own and those of their partners and third-party vendors. He also points out the profound risks posed by mass data aggregation and the minimal oversight over who gains access to this data.
- Ayan Halder, Principal Product Manager, Traceable AI, stresses the importance of adopting a proactive and holistic approach to cybersecurity rather than a reactive and siloed one. He also suggests that organizations should leverage AI and machine learning to detect and prevent breaches and to improve their visibility into and understanding of their data flows and vulnerabilities.
Larissa A., a victim of the National Public Data breach, asked for slight anonymity in sharing her story but had this to say about finding her information within the compromised data: "In late 2023, my great aunt received an AI scam call where the threat actor cloned her son's voice and pretended like he had been involved in a car accident with a pregnant woman. On the way to the bank to take out money for a lawyer, her actual son called nonchalantly, asking about her day, which was the only thing that prevented her from being scammed out of thousands of dollars.
"While threat actors are clearly becoming more sophisticated in their attacks, organizations also need to be held more responsible for the data they are entrusted to secure. My data, my brother's data, and my parent's data were all leaked in the recent National Public Data breach according to Pentester.com," she went on to say, calling out concern about not only her own privacy but that of her family.
"It's one thing to worry about my own finances and credit being at risk, but it's another to have to worry about that for my family members, especially elderly family like my great aunt. This time, it was more than just phone numbers and addresses (which also shouldn't be overlooked when it comes to data protection). But having our social security information stolen can impact our ability to open bank accounts, get credit cards, rent an apartment, or file taxes. These are all things we should never have to worry about when trusting an organization with our data."
Full thoughts from the experts at Protegrity, Securin and Traceable AI follow.
Clyde Williamson, Product Management, Innovations, Protegrity
"Organizations rely on the exchange of data for their vitality. Consumers share their personal identifiable information (PII), like Social Security numbers and emails, with the expectation that businesses will protect this data and comply with privacy laws to prevent unauthorized access. In this case, National Public Data (NPD) scraped individuals' PII from public sources for use in background checks, leaving people unaware if their data was accessed and emphasizing growing concerns regarding customer trust in businesses and their ability to secure their data.
Notably, this breach wasn't announced for a week; it only came to light and led to a lawsuit earlier because the company didn't disclose it. Further, it's still unclear whether they intentionally avoided sharing details of this breach or just discovered it themselves. This highlights the inadequacy of U.S. laws in handling citizens' personal data, which are not equipped for the challenges of the 21st century. Data brokers like the NPD also aren't held to the same regulatory standards as institutions like the Payment Card Industry (PCI), where they're obligated to conduct annual audits and controls around credit card data. As things stand now, the US has no such obligations.
Most likely, a lot of the stolen data set is from one of our most vulnerable demographics: senior citizens and their families. A popular scam has a threat actor pretending to be a lawyer with bad news for the senior: their family member is in trouble and needs money. And why wouldn't a grandparent believe them if they had valid PII to validate their credibility? These scammers don't have to open credit in someone's name to ruin lives. They just need to know how to use the information stolen to empty a caring family member's bank account.
As breaches and attack surfaces continue to grow, relying on class action lawsuits for negligence cannot be the best option. Organizations must prioritize transparency and enhance their efforts to de-identify sensitive data to protect consumer information. They must move beyond traditional defense mechanisms and adopt regulator-recommended data protection strategies like encryption and tokenization. These methods render data useless to attackers, making it impossible to steal and use maliciously. By implementing these protections, businesses can diminish the value of stolen data and mitigate the long-term effects of ransomware attacks or fraudulent activities."
Kiran Chinnagangannagari, Chief Product & Technology Officer, Securin
"In the wake of the staggering National Public Data breach, which compromised millions of records on U.S. citizens, the silence from the company until the breach included leaked social security numbers is nothing short of alarming. This breach underscores the profound risks posed by mass data aggregation and sheds a harsh light on the glaring gaps in corporate responsibility when managing and communicating such incidents. The fact that such enormous volumes of personal data are accessible to companies and private investigators, and now the deep and dark web, raises severe doubts about how well-protected our information truly is. This breach lays bare the minimal oversight over who gains access to this data, and what happens afterward.
This breach should also serve as a wake-up call, emphasizing the critical need for stricter regulations and better enforcement. Companies must be held accountable, not just for their cybersecurity practices but for those of every entity they do business with. It's time for organizations to rigorously evaluate the cybersecurity practices of their partners and third-party vendors. It's no longer enough to trust that data handlers have robust defenses; organizations must proactively ensure that every entity in their supply chain is equipped to prevent such catastrophic breaches. The stakes are too high to allow this negligence to continue."
Ayan Halder, Principal Product Manager, Traceable AI
"When fraudsters have access to key personal details needed to bypass KYC on nearly all American consumers, the question is who to trust anymore? This is where intent-driven risk management shines. Intent-driven risk management looks at how users are behaving 'after' getting onto the platform and what they are going after, negating a lot of the risks injected through brittle KYC measures."