National Public Data (NPD) is a company that provides background checks. Which means that it maintains a vast database of information about hundreds of millions of people both living and dead, including names, addresses, email addresses, phone numbers, and social security numbers.
In August, a hacker named Fenice leaked nearly 3 billion records (including duplicate data) that had been stolen from NPD in a breach that may date back to December 2023.
While some details of what happened are still the subject of contention, and much remains to be adjudged in the potential lawsuits and legal challenges to NPD and its parent company Jerico Pictures Inc., the basics of what happened are fairly clear—and there are some important lessons to take away from the incident.
First things first
As an individual, you’ll want to figure out whether your personal data is included in the breach and take steps to protect yourself from identity theft. There are several services that let you search for your data in the breach. I like the one provided by pentester.com. (It found 16 versions of my data, all of them including my social security number.)
Next, if your data was breached, you can go to each of the three major credit reporting agencies—Equifax, Experian, and TransUnion—and place a freeze on your credit report. This is free, and it prevents identity thieves from trying to open new credit accounts in your name. You can lift the freeze permanently or temporarily whenever you want, so you can still apply for credit fairly easily. This article from Krebs on Security provides a lot of useful details about credit freezes.
By the way, even if you don’t find your data included in this particular breach, there’s still a mighty good chance that your data is out there somewhere. My whole family has had freezes on our credit reports for years now. It makes it a little more inconvenient to buy a car or apply for a line of credit, but not enough to make a real difference. And it provides considerable peace of mind that the worst kinds of identity theft are much less likely.
So, what happened? And can it be prevented?
How was it possible for someone to get through NPD’s (presumably) strong security to get access to all that data? Well, it turns out this was not a complex or sophisticated attack. NPD had a .zip file posted on its website that contained passwords to its back-end database, and someone found it, figured out what it was, and used it to steal 3 billion records.
For a more detailed technical account of exactly what was where and who got to it, Krebs provides a good summary here. But yeah, what it comes down to is that someone made a dumb mistake, and no one noticed until it was too late.
Now, the first part of that—someone making a mistake—is not preventable. Mistakes happen, at least as long as there are human beings involved.
But the second part—no one noticing the mistake for too long—is absolutely preventable. Routine, frequent security audits that include a thorough accounting of all data that is publicly exposed via websites and apps should be a part of any enterprise’s security practice.
And, to the extent possible, such audits should be augmented with automated monitoring of data and files posted or stored in unsecured environments. One such automated service that many Barracuda customers benefit from is called Data Inspector, which scans your entire Microsoft 365 environment and finds a wide variety of sensitive data that is improperly stored in locations that aren’t secure enough.
That reduces your risk of data loss, supports regulatory compliance, and also turns up any malware that might be lurking unnoticed in your SharePoint and OneDrive deployments. You can actually run a free Data Inspector scan on your Microsoft 365 right now if you want.
Adapting to the post-breach era
All right, one lesson of this amazing breach is that people make mistakes, and you need to accept that and build mistake-hunting into your security practice.
But there’s another, broader lesson to take away from this, in my opinion. It’s just that huge amounts of data have already been breached and are already available for cyber-crooks to leverage however they like. Even before the NPD breach, there had been plenty of breaches in which hundreds of millions of records were exposed.
And it’s not just names and phone numbers and social security numbers. It’s also usernames and passwords. The truth is, if you really want to protect something and control who can access it, you have to start with the assumption that passwords are not sufficient—that if they haven’t already been stolen, they soon will be. Even multi-factor authentication can be very vulnerable to modern attacks.
Instead, the gold standard for access control in the “post-breach” era is zero trust access. The zero-trust model is quickly being adopted by lots of your peers, and if you haven’t looked into it, you should.
The basic idea of zero trust is that many different parameters are constantly monitored to ensure the identity of anyone accessing digital resources. Any anomaly gets flagged. So, if I’m logging in to my work network with my credentials, but using an unfamiliar device, or from an unexpected location, or at a time that is incongruous, that gets recorded and may end up being considered an indication that something is wrong.
Zero trust access is built into a growing number of Barracuda solutions and is a fundamental element of our new SASE platform offering, SecureEdge.