Was the data of three billion people leaked online last week? This top security expert isn’t so sure
Leading background check company National Public Data was recently hit with a class action lawsuit alleging that the personal information of nearly three billion people was leaked online.
A cybercriminal group called ASDoD has put the database up for sale online for $3.5 million, but there is no evidence that anyone has paid the amount yet.
If this is confirmed, it could be one of the biggest data thefts of all time – or could it be? Troy Hunt, one of the most renowned security experts and founder of the breach site HaveIBeenPwned, investigated the breach and found that much of the information surrounding the incident did not seem to add up.
Did ASDoD increase the numbers?
First, Hunt said, the original post about the dark web database said it contained 2.9 billion rows of data and that it represented the entire population of the United States, Canada and the United Kingdom – which, according to the latest count, have a combined population of less than 2.9 billion.
The ASDoD also stated that the database contains Social Security numbers (SSNs), which, as Hunt points out, “are a more American construct, with Canada having SINs (Social Insurance Numbers) and in the UK, well, NI (National Insurance) numbers are probably the closest equivalent.”
Second, the ASDoD post claimed the database was 200GB compressed, which expands to 4TB uncompressed, but when Hunt and cybersecurity repository vx-underground checked, the total file size uncompressed was only 277.1GB. Furthermore, when Hunt checked to see if the database contained verifiable data and social security numbers, he found that the first six rows contained the same person, just with alternating first and last names and listed at different addresses in the same city.
When taking a larger sample of the data, Hunt found that of the 100 million rows, only 31% contained a unique SSN. While this means that a significant portion of the data contains the legitimate personal information and SSNs of thousands of victims, the scope may be slightly less than 2.9 billion people, and the database may instead consist of just 2.9 billion rows of duplicate data.
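The kind of duplicate check described above can be run on any tabular sample when triaging a breach claim. The following is an added example, not code from Hunt or from the original article; the column names, the name-plus-city matching rule and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample rows (not real data); the column names are assumed.
# The SSNs use the 900 area range, which is never issued.
SAMPLE = """first,last,address,city,ssn
Alex,Jordan,12 Oak St,Springfield,900-00-0001
Jordan,Alex,98 Elm Ave,Springfield,900-00-0001
Alex,Jordan,5 Pine Rd,Springfield,900-00-0001
Jordan,Alex,77 Lake Dr,Springfield,900-00-0001
Sam,Rivera,3 Hill Ct,Dayton,900-00-0002
Sam,Rivera,3 Hill Ct,Dayton,900-00-0002
Casey,Nguyen,41 Bay St,Tampa,900-00-0003
Nguyen,Casey,9 Key Ln,Tampa,
"""

def normalize_ssn(raw):
    """Return the nine digits of an SSN, or None if the field is empty or malformed."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return digits if len(digits) == 9 else None

def person_key(row):
    """Order-insensitive name key, so 'Alex Jordan' and 'Jordan Alex' collapse."""
    names = sorted((row["first"].strip().lower(), row["last"].strip().lower()))
    return (names[0], names[1], row["city"].strip().lower())

def summarize(text):
    """Compare the row count with the number of distinct SSNs and distinct people."""
    rows = list(csv.DictReader(io.StringIO(text)))
    ssns, people = set(), set()
    for row in rows:
        ssn = normalize_ssn(row["ssn"])
        if ssn:
            ssns.add(ssn)
        people.add(person_key(row))
    total = len(rows)
    return {
        "rows": total,
        "unique_ssns": len(ssns),
        "unique_ssn_ratio": len(ssns) / total if total else 0.0,
        "distinct_people": len(people),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A low ratio of unique SSNs to rows indicates that the headline row count overstates the number of people affected.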
As for whether the data was legitimate, Hunt had difficulty attributing the database to a single source because the data was so generic. In Hunt’s words, “How many different places can you find your first and last name, address, social security number, etc.?”
Hunt was curious and also looked for his own data that had been caught in the data theft. His email appeared in 28 different lines, but without his own name, address or correct date of birth. This suggests that much of the data may be inaccurate and incorrectly attributed to the victims.
Hunt speculates that the data theft was so widespread on social media and news outlets because the SSNs in the first dump were initially legitimate, and that subsequent data dumps were drawn into the hype of the “biggest data theft ever.” Hunt also suspects that as a data broker, the NPD could have dumped a huge amount of publicly available data into the database before it was stolen.
Ultimately, there are a number of potentially legitimate SSNs in circulation, but the data included in the leak shows that they may not appear with the correct names and addresses. However, there are 134 million email addresses in public circulation that could be used for phishing or to attack people without adequate identity theft protection.