Recently, almost three billion people's personal information was alleged to have been leaked after the background check company National Public Data (NPD) suffered a massive data breach. A cybercriminal group known as ASDoD even went so far as to list this sensitive data for sale online, demanding $3.5 million for access to the databases.
The situation has raised eyebrows across the internet and cybersecurity communities alike. Many are quick to label this incident one of the largest data breaches recorded, but not everyone is convinced by the claims circulating about the extent of the leak.
Troy Hunt, founder of the breach alert site HaveIBeenPwned, has led the charge by investigating the claims surrounding this alleged breach. He discovered inconsistencies and dubious details, indicating not everything was as it seemed.
Initially, ASDoD claimed the database contained about 2.9 billion rows of data, saying it encompassed the entire U.S., Canadian, and U.K. populations combined. That number, Hunt noted, might not actually add up as these countries do not have populations totaling anywhere near 2.9 billion.
Adding to the confusion, ASDoD implied the database included social security numbers (SSNs), which are specific to the U.S. and do not have direct equivalents elsewhere. "Canada has SINs and the U.K. has National Insurance numbers," Hunt stated, challenging the accuracy of the information.
Another point of contention lies with the database's size. ASDoD claims its data was compressed down to 200GB, which would expand to 4TB when unpacked; yet Hunt found the total uncompressed data didn’t even exceed 277.1GB.
When Hunt examined the data, he found alarming redundancy. For example, the first six rows for certain individuals showcased the same name being repeated yet listed with different addresses within the same city.
Taking the investigation even farther, Hunt sampled 100 million rows from the dataset and found only 31% contained unique SSNs. This finding hints at the possibility of large quantities of duplicate or erroneous data instead of the massive leak initially claimed.
Despite the apparent inaccuracies, Hunt did locate legitimate personal information among the data. Nevertheless, it raises questions about whether the names associated with this data were correct or complete.
Seeking to understand the breach's potential reach, Hunt even checked if his own details were included. He found his email linked to 28 different rows but without any of his identifying information, such as name or birth date, leading him to suspect many records could be mixed up.
Hunt theorized the notoriety gained by this data breach prompts many to believe it is the biggest ever. This notoriety could stem from the initial reports claiming legitimate SSNs, which caught public attention and possibly exaggerated the scale of the potential breach.
According to Hunt, it's also plausible the NPD, being primarily a data brokerage, might have compiled this extensive dataset from publicly available sources before it was allegedly stolen. This fact could contribute to the conflicting assessments of whether the breach is truly unprecedented.
The breach contains 134 million email addresses, which could lead to phishing schemes and identity theft for those lacking adequate protections. Experts stress vigilance is necessary for anyone whose details might have been compromised to monitor for suspicious activities.
It's critical to recognize the difference between publicly accessible information and what constitutes legitimate data exposure. This distinction raises the stakes for individuals who could be targeted for identity theft as information continues to circulate.
Raising the alarm, Hunt attempts to alert the public to the deceptive nature of such massive leaks. His work serves as both reassurance and caution, reminding them to verify claims widely shared on social media.
Undoubtedly, the investigation surrounding this potential breach serves as another reminder of how fluid and unpredictable the cybersecurity world can be. The intricacies involved require not only technical expertise but also the need for individuals to be proactive about their personal data security.
Despite uncertainties, the incident reflects broader issues concerning data privacy and protection across industries. It serves as both a warning and a call to action for individuals and corporations alike to reassess their data safety measures.
