Top background check company National Public Data was recently hit by a class action lawsuit which claimed the personal data of almost three billion people was leaked online.
A cyber criminal group known as ASDoD listed the database for sale online at $3.5 million, but there is no evidence that anyone has yet paid the sum.
If confirmed, this could be one of the biggest data breaches on record – or could it? Troy Hunt, one of the most renowned security experts around, and the founder of breach site HaveIBeenPwned, looked into the breach and found much of the information surrounding the incident didn’t appear to add up.
Did ASDoD bump up the numbers?
Firstly, Hunt points out, the initial post of the database on the dark web stated that it contained 2.9 billion rows of data, and that it covered the entire population of the USA, Canada, and the UK – which, at last count, don’t have a combined population of 2.9 billion.
ASDoD also stated the database contained social security numbers (SSN), which, Hunt points out, “are a rather American construct with Canada having SINs (Social Insurance Number) and the UK having, well, NI (National Insurance) numbers are probably the closest equivalent.”
Secondly, the ASDoD post claimed the database is 200GB compressed, expanding to 4TB uncompressed, but when Hunt and cybersecurity repository vx-underground checked, the files totaled only 277.1GB uncompressed. What’s more, when checking whether the database contained verifiable data and SSNs, Hunt found that the first six rows were the same person, just with the first name and last name alternated, and listed at different addresses in the same city.
Taking a larger sample of the data, Hunt found that out of a 100 million row sample, just 31% contained a unique SSN. This does mean that a significant amount of the data contains the legitimate personal information and SSNs of thousands of victims, but the scale may be slightly less than 2.9 billion people; instead, it is just 2.9 billion rows of duplicated data.
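The check described above, comparing the raw row count with distinct SSNs and collapsing rows that differ only in name order or address, can be sketched as follows. This is an added example, not Hunt's code; the CSV layout, column names, function names and sample rows are constructed assumptions, and the ratio is computed as distinct SSNs divided by rows.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: SSNs in the 000 area are never issued, names are invented.
SAMPLE_CSV = """first,last,address,city,ssn
Alex,Morgan,12 Oak St,Springfield,000-00-0001
Morgan,Alex,98 Elm Ave,Springfield,000-00-0001
Alex,Morgan,5 Pine Rd,Springfield,000-00-0001
MORGAN,ALEX,71 Lake Dr,Springfield,000-00-0001
Dana,Reyes,3 Hill Ct,Riverton,000-00-0002
Dana,Reyes,3 Hill Ct,Riverton,000-00-0002
Sam,Okafor,44 Bay St,Riverton,000-00-0003
Lee,Tran,8 Mill Ln,Fairview,
"""

def person_key(row):
    """Identity key that ignores name order, case and address."""
    names = frozenset(n.strip().lower() for n in (row["first"], row["last"]))
    return (names, row["ssn"].strip())

def summarize(rows):
    """Compare the raw row count with distinct SSNs and distinct people."""
    total = 0
    ssns = set()
    people = set()
    addresses = defaultdict(set)   # person -> distinct addresses seen
    for row in rows:
        total += 1
        ssn = row["ssn"].strip()
        if not ssn:
            continue               # rows without an SSN count toward total only
        ssns.add(ssn)
        key = person_key(row)
        people.add(key)
        addresses[key].add((row["address"], row["city"]))
    return {
        "rows": total,
        "unique_ssns": len(ssns),
        "unique_ssn_ratio": len(ssns) / total if total else 0.0,
        "distinct_people": len(people),
        "max_addresses_per_person": max((len(a) for a in addresses.values()), default=0),
    }

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    print(summarize(load(SAMPLE_CSV)))
```

On the constructed sample, eight rows reduce to three distinct people, which is the gap between "rows" and "people" that the headline figure glosses over.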
Now as for whether the data was legitimate, Hunt ran into difficulties attributing the database to a single source because of how generic the data was. In Hunt’s words, “how many different places have your first and last name, address, SSN, etc?”
Curious, Hunt also searched to see if any of his own information had been included in the breach. His email showed up in 28 different rows, but without his own name, address, or correct date of birth, indicating that much of the data could be inaccurate and mismatched between victims.
Hunt speculates that the breach was so widely shared across social media and news outlets because of the initial legitimacy of SSNs in the first dump, with follow-up dumps of data being sucked into the hype of ‘the biggest data breach ever.’ Hunt also suggests that as NPD is a data brokerage, they could have syphoned a huge amount of publicly available data into the database before it was stolen.
Ultimately there are a number of possibly legitimate SSNs floating around, but the data contained within the breach shows that they may not be displayed with the correct names and addresses. However, there are 134 million email addresses in public circulation, which could be used for phishing or to target those without adequate identity theft protection.