National public data: Contradictions on people affected after major US data leak

At the beginning of August, an affected person initiated a class action against "National Public Data". The data broker has now confirmed an IT security incident. While the lawsuit mentions 2.9 billion data records, National Public Data has told officials that 1.3 million were affected; security expert Troy Hunt from the Have-I-been-Pwned project comes up with even different figures.

In December, cyber criminals managed to break into National Public Data's systems. The first data leaks became known in April 2024, when the threat actor "USDoD" offered the stolen data for sale for 3.5 million US dollars. This data is said to contain names, email addresses, telephone numbers, social security numbers and postal addresses, among other things.

Doubts about the official figures

Troy Hunt, a renowned security expert and operator of the website HaveIBeenPwned, examined the database and discovered 134 million unique email addresses. This means that more than 1.3 million people are likely affected – the number that National Public Data reported to the Maine Attorney General. Hunt also found that the database includes criminal records that the company does not mention in its disclosures.

As previously claimed by the criminals, those affected are from the USA, Canada and the UK. According to National Public Data, they have since been informed of the incident. Additional security measures have also been taken to prevent future incidents. The investigation is ongoing and the number of people affected could rise.

(mack)