A ton of Social Security numbers got stolen as hackers took 3 billion private records

The hacker group USDoD reportedly stole billions of records from a background check company

The hack of almost 3 billion public records includes social security numbers for some individuals, according to reports.
Photo: Douglas Rissing (Getty Images)

More than 2.9 billion private records belonging to people living across North America and the United Kingdom have been stolen after cybercriminals hacked a background check company.

In April, the hacker group USDoD stole personal records from National Public Data, a broker that provides background checks and criminal records to private investigators, staffing agencies, and human resources departments, according to a class-action lawsuit filed in federal court in Florida and first reported by Bloomberg Law.


Now, some of that data has been exposed in a series of leaks posted online.

USDoD in April claimed to have stolen records for every person in the U.S., Canada, and the U.K., and put its pilfered database up for sale for $3.5 million. Several threat actors have since shared some of that data and cast doubt on whether USDoD was behind the data breach, BleepingComputer reports.


The leaked data contains almost 2.7 billion plaintext records, according to BleepingComputer, which reviewed some of the data. The records included people’s names, mailing addresses, Social Security numbers, and additional information.

Several people have multiple records — such as one for each address they have lived at — meaning that the scale of the hack is not as wide as previously thought, according to BleepingComputer. It’s also been reported that the datasets don’t contain records for people who use data opt-out services. That means that the theft is likely not the biggest data breach in recent history; that distinction belongs to the 2013 hack of Yahoo!, which affected 3 billion accounts.


Troy Hunt, the researcher behind “Have I Been Pwned,” found that just 31% of the records they reviewed had unique Social Security numbers. Extrapolating from that figure, Hunt determined that some 899 million people may be affected, not 2.9 billion people. Hunt also confirmed that some of the data appears to be legitimate.