A massive data breach that exposed billions of records’ worth of personal information is now under investigation by federal lawmakers.
National Public Data, a Florida-based credit and criminal background check company, confirmed earlier this month that at least 1.3 million people were affected by the December 2023 breach.
In an Aug. 22 letter to National Public Data President Salvatore Verini, the House Oversight Committee requested an immediate briefing on the incident, which is already the subject of a class-action lawsuit.
“The Committee on Oversight and Accountability is investigating recent news reports about a possible cyberattack executed against National Public Data by a cybercriminal group identified as USDoD,” the lawmakers wrote, citing the lawsuit filed earlier this month.
The letter was signed by Rep. James Comer (R-Ky.), chairman of the Oversight Committee, and Rep. Nancy Mace (R-S.C.), chairwoman of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation.
The lawsuit charges that USDoD hackers placed the stolen data—including Social Security numbers, phone numbers, email addresses, and mailing addresses—up for sale for $3.5 million on the dark web. The total number of people affected by the leak is unknown, although the lawsuit alleges that it could be as high as 2.9 billion people.
“If true, this data breach likely represents one of the largest cyberattacks ever in terms of impacted individuals,” the Republicans wrote. “The Committee requests a briefing to confirm the veracity of the attack, and if accurate, assess the potential impacts of the breach to the U.S. government, businesses, and the American people, as well as National Public Data’s response to the attack.”
National Public Data acknowledges on its website that there “appears to have been a data security incident” involving “a third-party bad actor.” The company also states that “potential leaks of certain data” may have occurred as early as April of this year.
The Maine attorney general’s office also published a notice of the hack—submitted by Verini—on Aug. 17, revealing that 2,760 residents of the state had been affected.
According to the lawsuit, many of those whose information was exposed in the breach were not customers of National Public Data but had their information “scraped” by unauthorized third parties and provided to the company without their knowledge.
The complaint also alleges that the company held unencrypted personal records, making them easily accessible to hackers, and that it failed to provide adequate notice of the breach to those affected.
“National Public Data’s lack of transparency about the cyberattack is staggering in light of the alleged compromised information and potential harm to so many victims,” Comer and Mace wrote, noting that the company has yet to provide a detailed explanation of what happened.
To remedy that, they asked that the requested briefing take place no later than Aug. 30.
“To the extent known and understood, we expect the briefing to describe the timing and nature of the breach, including the manner in which it occurred, a description of the data exfiltrated, and actions being undertaken by National Public Data in response to the breach,” they wrote.
The Epoch Times has contacted National Public Data for comment.
Rachel Acenas and Jack Phillips contributed to this report.