Man holding laptop
Who is National Public Data? Why Should You Care? Data Aggregators and Your Personal Information

Data Aggregators and Your Personal Information!

Everything we do online — every action we take — generates data. That data is collected and then (since they have our permission) the website owners can do whatever they want with the collected data.   

Wait. You don’t remember giving anyone permission to gather and use your data?

The user agreements that we accept (by using a site or creating an account) grant permission for the website owner to use any content as if it is their own and/or to sell that data to the highest bidder.

Snapshot of an actual data policy:

Some companies, like Vizio, have reported higher quarterly revenue from the sales of user-generated data collected through the use of smart TV platforms and apps than earnings from the sale of devices like televisions.

Consider the magnitude of this on a platform the size of Facebook, X, Instagram, or TikTok. Facebook settings default to open external links Facebook’s own browser; occasionally, users can adjust that, but often with updates, the settings revert. Our information is valuable, so they want users to remain on their platform.  

Data Is Big Business

National Public Data (NPD) is a data broker company that deals in background checks and fraud prevention. They say their main source of information is from state and national databases, court records, and other public records sources like the Oklahoma Supreme Court Network (OSCN). Organizations like NPD utilize bots or other software to scrape these public websites for information, compile the data, and package it up to sale. The funny thing about OSCN, et al., is that this site is just a file repository of scanned documents with very little (if anything) redacted for the individual’s protection. These scanned documents contain things like birthdates, social security numbers (SSNs), and all kinds of other “good” (good = valuable, saleable) information.  Websites like OSCN can be accessed and searched by any and all users until their heart’s content (that’s a topic for another day). Who knows what information other state databases include or how they protect this information?

Unlike the consent given when creating online accounts, consumers in NPD’s databases did not provide permission to be included.  Also, in the latest class action lawsuit against NPD, information surfaced that they actually broke into non-public systems to collect data.

Data Is Valuable

National Public Data failed to encrypt and properly secure the personally identifiable information (PII) they mined. The cyber criminal group USDoD breached NPD’s systems in April 2024, then published and sold the information on the Dark Web.  This breach involved over 3 billion records of personal information including names, addresses, SSNs, address history from up to three decades, and included information about parents, siblings and other close relatives. Security breaches aren’t a new phenomenon, but this amount of information is massive. Since news broke of this incident and the first class action lawsuit regarding it was filed on August 1st, 2024, at least eight different lawsuits have followed and been filed against NPD. Most data aggregators try to consolidate information into a single record for easy resale, however the inconsistent format of this leaked data makes it impossible to pinpoint the original source(s). There’s one positive thing to mention in all this — not all of the data appears to be accurate, and luckily, no emails have been found.

Data — Personal Data — Is Yours

Why should you care about this breach? I mean, does it really matter if someone uses this type of information to buy a car, get a loan or other things?

Simply Put — Identity Theft

What if you receive a targeted phishing scam email using your PII that tricks you into revealing information about your bank accounts, medical information, or more?

The repercussions of identity theft can be widespread and often surface in these ways:

Financial

     You could be held responsible for items you didn’t purchase, you might receive debt collection calls, and your credit score could be negatively impacted, resulting in loan applications being denied.  Unemployment claims could be filed in your name, negatively impacting the process if you ever need to file unemployment insurance.

Medical

     Fraudulent claims could be filed under your name and medications or procedures obtained using your health insurance.  These things could disrupt medical care and potentially add incorrect information to your medical records that could be dangerous to your future care.

Criminal

     If a person is arrested and gives law enforcement your name and personal information, it could result in a criminal record or a warrant for crimes you didn’t commit.

Other

     You could find yourself being sued for debts that aren’t yours, bank accounts could be drained, new utilities set up in your name, or a tax return filed in your name and someone else receiving your refund.

How can you protect your information? There are several ways to protect yourself – I recommend starting with these steps:

  1. Monitor your credit report at least once every 12 months.
  2. The three major credit bureaus, Equifax, Experian, and TransUnion, each allow one free report per 12-month cycle  —   by staggering these, you can check your credit report (for free) 3 times a year.
  3. Go to Annual Credit Report.com – Home Page – (Don’t search for “free credit report,” the search results will display paid ads you’ll have to dig through).
  4. Freeze your credit, this is easy to do if you are an adult, more challenging if you are under 18 and/or haven’t yet established any credit. (We can talk later about all the trouble a criminal can cause for holders of new SSN who don’t have credit established; a persona can be created using a SSN in less than12 months and that persona can receive credit cards, loans, etc.)
  5. Read my blog about spotting phishing emails here (Spot a Phishing Email – Skye Crest Technology) or current elder scams here (Staying Safe Online: A Guide for Seniors and Their Loved Ones – Skye Crest Technology).

Considering this massive data breach, what can you do now?

Residents of the United States should access npdbreach.com or npd.pentester.com to see if their information was exposed in this breach. If your personal information has been exposed, now is the time to start the checklist above to protect your credit and your identity.

Hopefully sooner rather than later, a state or federal organization will start holding entities accountable for these breaches.  Right now, these cases pad the pockets of lawyers, but anyone dealing with identity theft is left holding the bag.

Keeping your personal information, as well as your organization’s information safe is now more important than ever. Reach out to discover how Skye Crest Technology can help.