The hacking of 270 million social security numbers from National Public Data reinforces the best practice for personal data: always encrypt PII.
The cat is out of the bag for National Public Data. In mid-August, the data aggregator officially confirmed a huge data breach, although the cybersecurity community had inklings of the incident months earlier, in April.
A large file containing 2.9 billion records was offered for sale in April. KrebsOnSecurity says 137 million email addresses and 272 million social security numbers were leaked.
In its statement, NPD said the breach affects 1.3 million people.
The details of how the breach happened are unclear. In my experience, a breach like this generally occurs when the database containing personally identifiable information (PII) is not encrypted. In addition to that faux pas, NPD seems to have made its admin passwords available in a plaintext archive on a sister site.
The errors in the NPD breach are obvious. There are no new infosec lessons to be learned from this event. It only serves as a pointed reminder of basic security tenets for network admins and executives:
- PII should always be encrypted,
- network security is only as strong as its weakest link.
Keep personal info secure with encryption
It’s unconscionable in 2024 that the stolen data contains accessible personal information, especially social security numbers. Details such as name, social security, address, email, and passwords should always be in an encrypted database. The private information should only be decrypted as needed, and then only when authenticated systems request access to it.
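The pattern the paragraph describes, sensitive fields held only as ciphertext and decrypted on demand for an authorized caller, as an added example written for this post rather than code from NPD or InkBridge. It assumes the `cryptography` package is installed and uses a hypothetical `PiiVault` class in which the key stands in for one held in a KMS or HSM; the SSN values are constructed samples.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM


class PiiVault:
    """Stores sensitive fields (SSN, etc.) only as AES-256-GCM ciphertext.

    Hypothetical class for this example. The key lives only inside the vault
    object (standing in for a KMS/HSM-held key); the row store, which is what
    a database dump would expose, never sees plaintext.
    """

    def __init__(self, key: bytes, authorized_callers: set[str]):
        if len(key) != 32:
            raise ValueError("AES-256-GCM needs a 32-byte key")
        self._aead = AESGCM(key)
        self._authorized = set(authorized_callers)
        self.rows: dict[str, dict[str, bytes]] = {}

    @staticmethod
    def _aad(record_id: str, field_name: str) -> bytes:
        # Associated data binds each ciphertext to its record and field, so a
        # blob copied into another row fails authentication on decrypt.
        return f"{record_id}:{field_name}".encode()

    def store(self, record_id: str, field_name: str, plaintext: str) -> None:
        nonce = os.urandom(NONCE_LEN)  # fresh nonce per encryption
        ct = self._aead.encrypt(nonce, plaintext.encode(), self._aad(record_id, field_name))
        self.rows.setdefault(record_id, {})[field_name] = nonce + ct

    def reveal(self, record_id: str, field_name: str, caller: str) -> str:
        """Decrypt one field, only for an authenticated, authorized caller."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller!r} may not read {field_name}")
        blob = self.rows[record_id][field_name]
        nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
        return self._aead.decrypt(nonce, ct, self._aad(record_id, field_name)).decode()


def demo() -> dict:
    """Show what a dumped row exposes and which reads the vault permits."""
    vault = PiiVault(AESGCM.generate_key(bit_length=256),
                     authorized_callers={"background-check-service"})
    vault.store("person-001", "ssn", "123-45-6789")  # constructed sample SSN
    dumped = vault.rows["person-001"]["ssn"]
    result = {
        "dump_contains_ssn": b"123-45-6789" in dumped,
        "authorized_read": vault.reveal("person-001", "ssn", "background-check-service"),
    }
    try:
        vault.reveal("person-001", "ssn", "reporting-dashboard")
        result["unauthorized_read"] = "allowed"
    except PermissionError:
        result["unauthorized_read"] = "denied"
    # Transplanting a ciphertext between rows is caught by the AAD check.
    vault.store("person-002", "ssn", "987-65-4321")  # constructed sample SSN
    vault.rows["person-002"]["ssn"] = dumped
    try:
        vault.reveal("person-002", "ssn", "background-check-service")
        result["transplant"] = "accepted"
    except InvalidTag:
        result["transplant"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the `reveal` gate is that the database and the application that serves records are not the same trust boundary: a copy of `rows` is useless without the key, and the key is only ever applied for a caller that has already been authenticated and authorized.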
For passwords specifically, using PAP in your RADIUS ecosystem provides far better security than other protocol options. When you use PAP, passwords can be stored in salted/hashed form. This is the most secure form of password storage. In the event of a database breach, when an attacker copies the database contents, they cannot use that information to “crack” people's passwords.
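Why PAP permits salted, hashed storage, shown as an added example (standard-library Python, not FreeRADIUS or InkBridge code). With PAP the server has the cleartext password for the lifetime of one Access-Request, so it can re-run a slow KDF and compare; with CHAP (RFC 1994) the server must compute MD5(Identifier || password || Challenge) itself, which is only possible if it stores the cleartext. The `pbkdf2_sha256$…` record format, iteration count and user name are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical storage format for this example: algorithm$iterations$salt$hash
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # deliberately slow; raise it as hardware allows


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_pap(stored: str, candidate: str) -> bool:
    """Check the cleartext User-Password from a PAP request against the hash.

    The server never needs the original password on disk: it re-derives the
    hash from the candidate and compares in constant time.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iters, salt_b64, digest_b64 = parts
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))


def chap_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge).

    A server validating CHAP must compute this value, so it needs the cleartext
    password; the salted hash produced by hash_password() is of no use to it.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + password.encode() + challenge).digest()


def demo() -> dict:
    """What a leaked user row gives away under PAP-style storage."""
    user_db = {"alice": hash_password("correct horse battery staple")}  # constructed
    leaked_row = user_db["alice"]
    return {
        "pap_right": verify_pap(leaked_row, "correct horse battery staple"),
        "pap_wrong": verify_pap(leaked_row, "Tr0ub4dor&3"),
        "row_has_password": "correct horse battery staple" in leaked_row,
        # Per-user salts: the same password never yields the same stored value.
        "same_password_differs": hash_password("x") != hash_password("x"),
    }


if __name__ == "__main__":
    print(demo())
```

Someone holding a copy of `user_db` has only salts and slow hashes to grind guesses against, and the per-user salt means a table precomputed for one account says nothing about another; the CHAP function is there to make the contrast concrete, since a CHAP or MS-CHAP back end has no way to use such a row at all and must keep something recoverable instead.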
See my blog about the PAP protocol for more insights on database security.
What are the consequences of the NPD breach?
In the weeks following NPD’s announcement, at least 8 lawsuits were filed against the company. The victims of the data breach should be angry. NPD sells background check data. It collected their information from public sources, without their consent, and then failed to protect the data. Malicious agents are making the personal records of more than a million people available to any cybercriminal who wants to pay the price. These people don’t want to hear “We’re sorry” after the fact. The threat of identity theft will hang over these individuals for years.
An event on the scale of the NPD data breach is not the kind of black mark you want staining your reputation. Fortunately, it is avoidable. Encrypt personal information.
On a related note, using social security numbers for ID verification and transactions is a poor business practice. At this point, we can be fairly confident that many people’s SSNs are easily available to malicious actors. It should no longer be considered a private piece of information; therefore it is not suitable as an identifier.
NPD’s massive data breach is sliding mostly under the radar of the general public, but it reminds those of us in the industry to maintain good security practices. The two key takeaways from the NPD situation are: encrypt personal identifying data and move away from using the SSN as a personal identifier.
Need expert guidance on network security?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.