NPD - NBD? What to learn from a major, and majorly confusing, data breach
Did the NPD breach impact billions or millions, and what lessons can we take from the case?
Hi there,
Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.
This month:
- Australia’s Privacy Act amendments bill arrives
- Elon Musk’s AI may now be in violation of Australia’s privacy laws
- The Fog ransomware group is now after richer victims
- Avis reported a data breach impacting 300,000 customers
But first:
The National Public Data blockbuster hack last month generated a lot of angst amid a torrent of headlines reporting 2.9 billion records had been stolen from the data aggregator. But questions still remain about the real scope of the breach and what we can learn from it. And meanwhile, privacy law offers more inducements to ensure you minimize, manage, and protect your data.
If you only read one thing:
The questions raised by the NPD breach
A lot was made of the major data breach at data broker National Public Data last month, with headlines claiming up to 2.9 billion records had been compromised in an attack by a threat actor using the handle USDoD. Subsequent reports revised this down to 2.7 billion records.
Seemingly everyone in the United States, Canada, and the United Kingdom was caught up in the incident, yet those three countries have a combined population of only around 450 million, so the record count could never have mapped one-to-one onto people.
As class action lawsuits piled up, there were further developments, including a second hacker posting a more complete version of the same database, and a data broker affiliated with NPD inadvertently publishing the credentials to its own back-end database.
It was scary, dramatic, and confusing.
In an effort to get at the truth behind the hack, analysts such as Have I Been Pwned’s Troy Hunt, as well as the cybercrime-focused Twitter account vx-underground, investigated, each concluding the leak contains information first put up for sale in April 2024 by a prolific cybercriminal who goes by the name “USDoD.”
In an analysis of the breach, Hunt said the leak appeared to be a diverse collection of consumer and business records, including names, addresses, phone numbers and Social Security Numbers of millions of Americans (both living and deceased), along with 70 million rows from a database of U.S. criminal records. He found 137 million unique email addresses in the leaked data, but noted there were no email addresses in the files containing SSN records. It was a mess.
So, how many people have been impacted by the breach? According to NPD itself, about 1.3 million people in the United States, though breach-notification figures like this tend to increase as investigations proceed. While 1.3 million sounds like a drop in the bucket compared with the original headline figures, it is still a significant number of people who now need to deal with the consequences of having their information stolen.
Given the target is a data broker whose role is to aggregate information from many data sources, this is a unique set of circumstances. The initial reports with attention-grabbing figures drew media attention, further leaks kept the story going, and the company’s apparent security missteps increased the impact.
But there are still lessons here for businesses outside of the data broker industry. NPD had too much data, it did not appear to understand the data it had, and it was not protecting it correctly. So, what can we learn from this one?
Lesson one: If your business falls victim to a data breach, you’ll be in a better position to respond if you hold less data and hold it at higher quality. This may go against a data broker’s interests, but the first lesson is to reduce the amount of PII you possess, along with redundant, obsolete, and trivial data (ROT). In short: only hold on to the minimum amount of data you are entitled to possess. As Hunt’s post makes clear, this breach came out in drips and drabs, with partial data sets and disparate files featuring overlapping sets of data. Some data was erroneous, some was duplicated, and some files were mislabeled.
It was confusing for citizens of the countries in question, many of whom will have spent time wading through dozens of “How to tell if you are part of the NPD breach” articles and taking precautions such as freezing their credit.
Lesson two: Arm yourself with knowledge about your data sources. If you know what you have, you can wade through the hype to understand the real threat, and then communicate with those affected to give them real advice on what to do to protect themselves.
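The first two lessons amount to a data-discovery pass: classify columns by their contents rather than their headers, find duplicates and overlaps, and count how many distinct people are actually represented. The script below is an added example, not code from the newsletter, from Troy Hunt, or from NPD; the file names, column names, regular expressions, and every record in it are constructed sample data chosen to mirror the mess described above (a file of SSNs with no email column, a duplicated row, and a file whose “email” header sits over phone numbers).

```python
"""PII inventory over constructed sample exports (added example).

Profiles each file by content, not by header: detects which PII class a
column actually holds, flags header/content mismatches, counts duplicate
rows, and counts unique identifiers across the whole corpus.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample "exports"; none of these values are real.
SAMPLE_FILES = {
    # SSN records with no email column, as in the leak Hunt analyzed.
    "consumers_a.csv": """name,ssn
Alice Example,123-45-6789
Bob Example,987-65-4321
Alice Example,123-45-6789
""",
    # Overlapping subject (Bob) with different fields.
    "consumers_b.csv": """name,email,phone
Bob Example,bob@example.com,555-0100
Carol Example,carol@example.net,555-0101
""",
    # Header claims 'email' but the column holds phone numbers.
    "mislabeled.csv": """name,email
Dan Example,555-0102
Erin Example,555-0103
""",
}

# Assumed, deliberately simple content patterns for the sample data.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "phone": re.compile(r"^\d{3}-\d{4}$"),  # short constructed form
}


def classify(values):
    """Return the PII class that at least half of the values match, or None."""
    counts = Counter(
        name for v in values for name, rx in PATTERNS.items() if rx.match(v)
    )
    if not counts:
        return None
    label, n = counts.most_common(1)[0]
    return label if n >= len(values) / 2 else None


def inventory(files):
    """Profile a mapping of file name -> CSV text and return a summary dict."""
    summary = {"files": {}, "unique_emails": 0, "unique_ssns": 0,
               "ssn_rows_without_email": 0}
    emails, ssns = set(), set()
    for fname, text in files.items():
        rows = list(csv.DictReader(io.StringIO(text)))
        # Classify every column by what it contains, ignoring the header.
        columns = {col: classify([r[col] for r in rows]) for col in rows[0]}
        # A PII-named header whose contents are a different class is suspect.
        mislabeled = [c for c, d in columns.items() if c in PATTERNS and d != c]
        seen, dups = set(), 0
        for r in rows:
            key = tuple(r.values())
            dups += key in seen
            seen.add(key)
            row_emails = [r[c] for c, d in columns.items() if d == "email"]
            row_ssns = [r[c] for c, d in columns.items() if d == "ssn"]
            emails.update(row_emails)
            ssns.update(row_ssns)
            if row_ssns and not row_emails:
                summary["ssn_rows_without_email"] += 1
        summary["files"][fname] = {"rows": len(rows), "duplicates": dups,
                                   "columns": columns, "mislabeled": mislabeled}
    summary["unique_emails"] = len(emails)
    summary["unique_ssns"] = len(ssns)
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(inventory(SAMPLE_FILES), indent=2))
```

Run against the constructed files, the inventory reports two unique email addresses and two unique SSNs despite seven rows in total, one duplicated row, three SSN rows that cannot be tied to an email address, and one column whose header lies about its contents. Those are exactly the facts an organization needs before it can tell affected people anything useful, and the same pass doubles as a ROT sweep: columns that classify as nothing and rows that duplicate others are the first candidates for deletion.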
Lesson three: Make sure you know who to talk to in the event of a breach. An experienced breach consultant can help you with the above items, as well as with communicating the facts of the situation to affected customers, the media, and the public. The unusual nature of this hack (were the people in the database truly “customers” of NPD in any conventional sense?) may have made that tricky.
The evolution of data privacy law offers yet more impetus
While a data breach on the scale first reported is highly unlikely for most organizations (and, as the revised figures suggest, may not have occurred even at the one we have been discussing), these are practices every organization should embed, and not just for data security reasons.
Regardless of where you are based, these measures are also necessary for compliance with emerging privacy law. If you’re based in the United States, you’re dealing with an ongoing patchwork of data privacy laws and the potential for a federal privacy law in the near future.
And if you’re an Australian business, you now have an extra incentive: a new bill to reform the Privacy Act adds further penalties for interferences with privacy and a statutory tort for serious invasions of privacy. You also need to consider how your organization will manage issues like overseas data flows, which must now take into account the privacy laws of the receiving jurisdiction, as well as the new requirement to disclose how personal information is used in automated decision-making.
As we wait to see the eventual outcome of the NPD breach, there is no better time to get started.
🕵️ Privacy & governance
The Conversation: Long-overdue Australian privacy law reform is here – and it’s still not fit for the digital era.
Elon Musk's X could be in breach of Australian privacy law thanks to the data-harvesting of its AI, Grok.
Google's PaLM 2 model is under investigation by Ireland's Data Protection Commission, which is probing whether Google complied with the GDPR in its cross-border processing of the personal data of EU and EEA data subjects.
🔐 Security
Australian airline Qantas is embedding secure by design practices across the group.
Cybersecurity giant Fortinet confirmed it suffered a data breach, in response to a threat actor's claim of stealing 440GB of files from the company's SharePoint server.
Several French retailers confirm a cyberattacker stole customer data.
What you need to know about the Cicada ransomware.
The Fog ransomware group seems to be targeting new, richer victims, according to researchers.
Russia's notorious special forces unit now has its own cyber warfare team.
Why businesses need quantum-safe networks now.
The latest from RecordPoint
📖 Read:
Due to the nature of legacy applications, it can be tough to argue change is necessary. Learn why modernization and legacy application retirement are crucial to improving security, compliance, and productivity, and reducing risk and overall cost.
Many organizations rely on Google Workspace as their productivity platform of choice. Learn how GWS users can plan for, create, implement and maintain an effective data governance strategy, bridging the privacy gap using RecordPoint.
Successful organizations know where their sensitive data resides, whichever system it lives in. Take this assessment to discover how your data visibility and governance practices rank and where you can improve.
🎧 Listen:
On the latest episode of FILED, Clayton Utz partner Brenton Steenkamp, who leads the firm's cyber and data governance practice, says embedding security throughout an organization is key in overcoming the data breach threat.