Show Transcript

Welcome back to the Identity Theft Resource Center's (ITRC) Weekly Breach Breakdown – supported by Sentilink – and I'm James Lee, the ITRC's COO. This is the episode for August 16, 2024. Each week on this podcast, we look at the most recent events and trends related to data security and privacy. This week, we delve into the National Public Data breach.

Long-time followers know that I am a fan of Shakespeare. When we started this podcast about five years ago, one of the very first episodes was entitled "A Breach by Any Other Name" in honor of the quote from Romeo & Juliet: "A rose by any other name would smell as sweet."

Juliet was arguing that it did not matter that her love interest, Romeo, was from a rival family. In today's cybersecurity terms, it does not always matter how many people have been impacted by a data breach or what data was compromised. What's important is the fact that there has been a data breach, how it occurred, and whether victims were notified. Often lost in translation is the difference between how many records have been exposed and how many victims have been impacted. That leads us to one of the biggest news items from the past week:

You may have seen the headline that screamed "2.9 Billion Users' Personal Data Stolen" linked to a data breach. According to a federal court lawsuit filed in Florida, a company known as National Public Data was attacked by identity thieves who offered 2.9 billion records for sale in a criminal marketplace for $3.5 million. A second group later provided much of the same data for free. There are two subtle but important details in that last paragraph about the National Public Data breach: 2.9 billion and federal lawsuit.

Here's why those two items are important: First, media reports almost universally proclaimed that the personal information of 2.9 billion people – going back 30 years – had been compromised in the National Public Data breach. Not true. The criminals stole 2.9 billion records covering three decades of information. However, that's not the same as 2.9 billion people, which would be about 38 percent of the world's population. Multiple records about the same people over 30 years mean fewer individuals are likely to have been impacted than the "billions" claimed in news articles.

We don't know how many people are victims of the National Public Data breach because no government officials or victims have received an actual breach notice. That leads us to the second important detail about this data breach: The company has not filed a breach notice with any government agency under the patchwork of state data breach laws or federal regulations. 

We only know about the National Public Data breach because a person in California received an alert from a monitoring service that their personal information had been found for sale in a criminal identity theft web forum. National Public Data was listed as the source of the information.

National Public Data is a data broker that scrapes information from websites – much of it public information – and then packages it for sale, according to the company, for use "by private investigators, background check websites, data resellers, mobile apps, applications and more."

So why is there no National Public Data breach notice to victims? There are several reasons why the company may not have notified officials or individuals – including the fact that organizations that suffer a data breach are also allowed under state laws to determine if there is a risk to a person from the release of the information. If the decision is there is no risk, there is generally no requirement to notify anyone, including victims.

That's one of the reasons the ITRC has suggested we need a national data breach law with uniform standards for when and how breach victims are notified and what they are told about the incident. Maybe next year.

If you want to learn how to secure your personal or business information, or if you think you have already been the victim of an identity crime like a data breach, speak with an expert ITRC advisor via text or on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started. 

Thanks again to Sentilink for supporting this podcast and the ITRC. Be sure to check out our sister podcast, the Fraudian Slip, wherever you find your podcasts. Until then, thanks for listening.