2.7 Billion records leaked: Why we all should be worried about the US NPD Data Breach

US National Public Data (NPD) is a private company that provides background checks for US companies. Initial reports suggest that in April 2024, 2.7 billion records were exposed on the Dark Web. This data covers a huge amount of Personally Identifiable Information (PII), so both individuals and companies in consumer-facing situations should be on high alert for fraudsters creating new accounts or making changes to existing accounts. Where possible, implement Two-Factor Authentication (2FA) now, so that you are alerted to activity on your email, banking and retail services. Companies should mandate 2FA monitoring urgently to protect themselves and the public!

What Happened?

The NPD breach, which potentially involves nearly 3 billion records, has caused a media frenzy. Details are still sketchy, and the breach hasn't been officially confirmed, but the implications are massive. The data allegedly compromised includes highly sensitive information, with records belonging to citizens of the UK, USA, and Canada. Disturbingly, some of these records pertain to individuals who have been deceased for over two decades. This kind of data exposure puts countless people at risk of identity theft, fraud, and other cybercrimes, while companies face potential legal and financial fallout.

Troy Hunt, a well-known cybersecurity expert, delved deeper into the breach, providing valuable insights on his blog. He pointed out that such breaches often stem from poor security practices and inadequate protective measures. Hunt emphasized the importance of not just reacting to these incidents but proactively securing systems to prevent them in the first place.

What Was Found?

NPD was hit by a data breach in or around April 2024. [i] A complaint filed in the U.S. District Court alleges, regarding UK, US and Canadian citizens, that:

  • The company had sensitive info breached, such as full names; current and past addresses spanning at least the last three decades; Social Security numbers; info about parents, siblings, and other relatives (including some who have been deceased for nearly 20 years); and other personal info.
  • The company “scraped” this info from non-public sources. This info was collected without the consent of the person who filed the complaint and the billions of others who might qualify to join in the class action complaint.
  • The company “assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion.”

Why Should All Companies Be Worried?

This incident isn't just a cautionary tale—it's a critical reminder of the risks your organization faces every day. For C-Level executives as well as IT and IT security, the financial and reputational impacts of a data breach can be devastating. Recovery costs can soar into the millions, not to mention the potential legal fees, regulatory fines, and the loss of customer trust. The NPD breach, if confirmed, could result in unprecedented financial fallout, illustrating why protecting sensitive data must be a top priority.

The Role of Two-Factor Authentication (2FA) in Preventing Such Breaches

In light of these events, it’s clear that traditional security measures are no longer enough. One of the simplest yet most effective defenses against cyberattacks is Two-Factor Authentication (2FA). Studies show that 2FA can prevent 99% of hacks by adding an extra layer of security that goes beyond just passwords. But it’s not enough to implement 2FA—you must also ensure it’s being used consistently across your organization.

Inside the NPD Breach: What We Can Learn

Troy Hunt’s analysis of the alleged NPD breach highlights several key points:

  • Data Exposure Scale: The size of this breach (around 4 terabytes of data) is almost unimaginable. The sheer volume of records means that nearly every individual or business could be affected.
  • Security Gaps: Hunt suggests that such a breach likely resulted from a lack of basic security measures, such as poor password management or insufficient encryption. This serves as a stark reminder that even the largest organizations can have significant vulnerabilities; executives have a duty of care to monitor security.
  • The Aftermath: The legal and financial consequences of this breach could be enormous, leading to lawsuits and regulatory scrutiny. Businesses must take proactive steps to secure their data to avoid a similar fate.

Monitoring 2FA: Ensuring Company-Wide Protection

While 2FA is a powerful tool, it’s only effective if it’s used properly. That’s where 2FA monitoring comes in. By tracking which accounts have 2FA enabled, executives can ensure that all critical systems are protected. This monitoring helps to quickly identify any gaps in security and address them before they can be exploited.

Three Key Steps to Protect Your Company

  1. Mandate 2FA Across All Systems: Ensure that 2FA is required for all critical accounts, particularly those involving sensitive financial and customer data.
  2. Regularly Monitor 2FA Usage: Use tools to monitor 2FA adoption across your organization. This helps ensure that 2FA is consistently applied and allows you to take immediate action if any accounts are found to be unprotected.
  3. Educate Your Team: Make sure your employees understand the importance of 2FA and how it protects them and the company. Regular training sessions can reinforce the importance of security measures like 2FA.
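The monitoring described above (tracking which accounts have 2FA enabled and acting on the gaps, with critical accounts first) can be run over an identity-provider export. The following is an added example written for this article, not code from the original post or from FrontierZero's audit tool; the CSV column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data). One row per account, in the shape
# a directory or identity provider might export it; column names are assumed.
SAMPLE_EXPORT = """\
user,department,role,handles_sensitive_data,mfa_enabled
alice@example.com,Finance,admin,yes,yes
bob@example.com,Finance,user,yes,no
carol@example.com,Sales,user,yes,yes
dave@example.com,IT,admin,no,no
erin@example.com,HR,user,no,yes
frank@example.com,Sales,user,no,no
"""

def load_accounts(text):
    """Parse the CSV export into a list of dicts with boolean flags."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"],
            "department": row["department"],
            "role": row["role"],
            "sensitive": row["handles_sensitive_data"].strip().lower() == "yes",
            "mfa": row["mfa_enabled"].strip().lower() == "yes",
        })
    return rows

def audit_2fa(accounts):
    """Return 2FA coverage per department and a prioritized list of gaps.
    Priority 1: admin or sensitive-data accounts without 2FA (a violation of the
    'mandate 2FA for critical accounts' policy); priority 2: all other gaps."""
    per_dept = defaultdict(lambda: [0, 0])  # department -> [with 2FA, total]
    gaps = []
    for a in accounts:
        per_dept[a["department"]][1] += 1
        if a["mfa"]:
            per_dept[a["department"]][0] += 1
        else:
            critical = a["role"] == "admin" or a["sensitive"]
            gaps.append((1 if critical else 2, a["user"]))
    coverage = {d: round(100 * c / t, 1) for d, (c, t) in per_dept.items()}
    gaps.sort()  # critical gaps first, then alphabetical
    return coverage, gaps

def report(text=SAMPLE_EXPORT):
    """Overall coverage, per-department coverage and the ordered gap list."""
    accounts = load_accounts(text)
    coverage, gaps = audit_2fa(accounts)
    overall = round(100 * sum(a["mfa"] for a in accounts) / len(accounts), 1)
    return {"overall": overall, "by_department": coverage, "gaps": gaps}
```

Running `report()` on a real export turns step 2 into a repeatable check: the priority-1 entries are the accounts to fix first, and the per-department figures show where step 3 (training) is most needed.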

The Big Picture: Why 2FA and Monitoring Matter

The alleged NPD breach is a stark reminder of the importance of robust security practices. Even large organizations with extensive resources can fall victim to cyberattacks if they do not take proactive steps to secure their systems. By implementing and monitoring 2FA, companies can protect themselves against the majority of cyber threats, reducing the risk of becoming the next headline.

Key Takeaways

  • Massive breaches like the NPD incident remind us that no company is immune to cyber threats.
  • 2FA can stop 99% of cyberattacks, making it a critical security measure for all businesses.
  • Monitoring 2FA usage ensures that your entire organization is protected, reducing the risk of data breaches.
  • Proactive security measures are essential to avoid the devastating financial and reputational impacts of a data breach.

For more information on how to monitor 2FA and protect your organization, visit our website and download a trial of FrontierZero’s 2FA audit tool today.

More information is available here:

  • National Public Data Company
  • Security Week


Nicky Tolley

Client Success Director

6 months

Really interesting, thanks for sharing!

Samer Z.

Global Compliance Director at Aramex

6 months

Thanks Karl for shedding light and awareness on this topic. Data has become one of the most, if not the most, important asset in business and our lives and the ability to protect it is a measuring stick on our ability to mitigate our personal and business risks. Data or information security must always be at the forefront of all organisations' (and our personal) critical risks to secure as breaches cause loss of business and reputational damages.

Neil Haskins, CISSP, M Inst ISP

Head of Security & Governance at Almosafer, Named Top 100 Cybersecurity Influencers Middle East

6 months

Companies that buy and sell data should really be at the forefront of data protection! It’s alleged this isn’t the first time NPD has been hit, so are we to guess that NO controls, checks and balances were implemented after the first incident?! Simple security practices could easily be validated by various tools to give you peace of mind, ask Karl McGowan how!

Yanzi Liu

Cybersecurity & Enterprise Technology Executive | Strategic Advisory & Business Development Leader | MENA Market Expert | Revenue Growth Strategist

6 months

The alleged exposure of 2.7 billion records is a critical wake-up call for businesses everywhere, so for all the C-levels. Implementing 2FA isn’t just a best practice—it’s a necessity. It’s clear that traditional security measures alone are no longer enough to protect against these increasingly sophisticated attacks. Now is the time for all companies to reassess their security protocols and make 2FA a priority.

David Stapleton

Senior Commercial Director

6 months

Thanks Karl, very informative
