A Massive Leak Exposed Personal Data for Millions. Here's What You Need to Know

A hacker broke into National Public Data's computer systems in December 2023. For the next few months, they quietly copied sensitive information. Then, beginning in April 2024, they sold that information on the dark web — a hidden part of the internet used for illegal activity.
The numbers are staggering: up to 2.9 billion records belonging to as many as 170 million people in the United States, United Kingdom, and Canada, according to Microsoft's Defender advisory. The leaked data includes Social Security numbers, home addresses, dates of birth, and other personal details that criminals can use to impersonate you, take over your accounts, or trick you into revealing more information.
What makes this breach unusual is that most of the 170 million people affected never even did business with National Public Data. The company is a data broker — it buys, collects, and sells personal information from public records and other sources. You may never have heard of it, but your information was there anyway.
How the Breach Happened
The attacker did not just break in and steal everything at once. Instead, they entered the system in December and spent four months exploring, learning where sensitive files were kept, and quietly copying data. This staged approach is common among serious cybercriminals: they move slowly to avoid raising alarms.
Data brokers are a particularly attractive target because their entire business model is collecting as much information as possible. A single person might appear in many different records within their database, which is why 2.9 billion records can represent only 170 million unique individuals. That does not make the problem smaller; it just means the same person's information was exposed multiple times over.
This Is Part of a Larger Pattern
The National Public Data breach did not happen in a vacuum. NordLayer's 2024 analysis found that data breaches across the year exposed over one billion records total. The number of major breaches in the United States has been climbing steadily. In 2021 alone, 1,862 data breaches were reported, and the trend has not slowed.
Why are breaches becoming more common? Organizations now collect more personal information than ever before — for marketing, personalization, and legal reasons. Criminals have become more organized and professional. And more and more of our data flows across internet-connected systems that are constantly under attack.
A Comparison Worth Noting
The hotel chain Marriott suffered a major breach that was disclosed in 2019. Hackers had access to guest data for four years and stole information about 383 million people, including unencrypted passport numbers from 5.25 million guests. Passport numbers combined with travel history were valuable to foreign intelligence agencies. Authorities eventually blamed Chinese government hackers for the attack.
The comparison matters because it shows how the type of organization that gets breached determines which types of data are at risk. A hotel chain has travel records and passport numbers. A data broker has the raw ingredients of your identity: your name, birthdate, address, and Social Security number all tied together. A criminal does not need to target you directly. They can buy your whole profile from stolen data-broker files.
We have seen something similar before. In 2016, Yahoo disclosed that three billion user accounts had been breached. Experts debated at the time whether the exposed passwords were truly dangerous. It turned out they were: for years afterward, criminals used those stolen passwords to break into other accounts where people had reused the same password. With the National Public Data breach, the risk may be even longer-lasting. Social Security numbers never change. Addresses change slowly. Birthdays never change. Criminals can use this information for schemes years from now.
What You Can Do Right Now
If you are worried about your own information, there are concrete steps worth taking.
First, place a credit freeze with the three major credit bureaus — Equifax, Experian, and TransUnion. This costs nothing and prevents most types of fraud because lenders cannot extend new credit without unfreezing your account. You can lift the freeze temporarily when you actually need to apply for a loan or credit card. This is one of the most effective tools available.
Second, watch your accounts. Legitimate companies have identity protection services that can alert you if your personal information appears in known breach data or on the dark web. Many banks and employers offer these services for free.
Third, be cautious about emails, phone calls, and text messages from people claiming to be from your bank or government. Criminals now have real details about you — your real name, address, and birthday. They will use those details to sound legitimate.
The Bigger Question
The real structural problem is that data brokers operate in a legal gray zone. They gather information from public records and licensed data sources, which makes it hard for individuals to opt out completely. Some states, like California, have passed stronger laws that give people the right to delete their information. But many states have weaker protections, and a data broker can still collect and sell information about you if you live somewhere with fewer rules.
The broader context here is that each major breach tends to push lawmakers to pay attention. Whether that attention leads to real change or just a few hearings that fade away is still an open question.
What Comes Next
The information stolen from National Public Data will be out there for a long time. Criminals can use it immediately to commit fraud. But they can also hold it and use it years from now for more sophisticated attacks — building fake identities, breaking into accounts, or making phone calls that sound credible because they know your real information.
If you are responsible for security at a company, now is the time to think through how your organization would handle an identity-fraud attack using this stolen data. Do you have the tools in place to spot it? Can you protect your employees and customers if their personal information is weaponized?
Looking back over decades of data breaches, the direction of change has been toward better tools, better laws, and better security practices. That is not wishful thinking — it is what the history shows. But the gap between when a breach happens and when people actually do something about it is where the real damage occurs. Shrinking that gap is what matters most right now.


