Unconfirmed Hack of 2.9 Billion Records at National Public Data Sparks Media Frenzy Amid Lawsuits

By Kevin Townsend for SecurityWeek
Wednesday, August 14, 2024

• 1.1k
• More

If this case was brought in this manner to European courts, it would – to put it mildly – go nowhere. But that’s not necessarily so in the US. A fundamental difference in US and European law is that Europe tends to require proof from the plaintiff (which does not exist in this document), while US courts can require evidence from the defendant to confirm or debunk the claim. And that may be the primary purpose of this class action.

Ilia Kolochenko, who combines technical knowledge as CEO of ImmuniWeb, with legal knowledge as a partner at Platt Law LLP, explains: “In the US, the court may compel disclosure of certain information. In the UK, you can ask, but the court will unlikely compel production of data. In the US, you may be compelled to produce certain data – and if you don’t, you will be in contempt of court. You could be fined and criminally prosecuted, and even get a default judgment against you. My guess is this is the starting point, where the plaintiff is also unsure about what happened, and he’s trying to see what can be obtained from the allegedly breached opponent in court.”

In that sense, it is quite possible that the purpose of the Hofmann action is not to immediately prove NPD culpability, but to sufficiently cause the court to demand proof of non-culpability from NPD. It could be a fishing exercise. Either way, as things stand at the point of writing, there is no proof that NPD had almost three billion PII records stolen.

Caution because of the size of the exfiltration is not limited to HackManac. Wearing his technical hat, Kolochenko comments, “I have difficulty imagining that it is technically possible to steal 3 billion records. That’s a massive database. And such databases will usually include scans, PDFs, links, copies of judgments and so on rather than simple line records. It’s not something that can be done in 24 hours – and this was done without NPD noticing. On top of that, there have been no known personal victims until the leak was announced;” which is at the very least almost five months after the breach.

Kolochenko is also surprised at the data being dumped. From his own experience (for example, in obtaining a license to practice law in the US), the data provided by NPD would likely include legal details down to parking tickets, civil family disputes, credit histories, and health conditions such as PTSD or AIDS. “It’s not just about criminal convictions – it’s everything,” he said. And yet there is nothing of this nature in the data being leaked.

So, what do we have? NPD may have been breached, but there is no actual proof of this. There has been a massive data dump, but we have not been given proof that the data comes from NPD (it does not include any of the really sensitive data you could expect from NPD). The Hofmann lawsuit uses an X tweet to tie personal data to NPD, and at the same time makes several factual misconstructions from that tweet. NPD has, at least so far, made no comment on, nor as far as we know, made any disclosure of, a breach. Read Full Article