A massive data breach that exposed billions of records’ worth of personal information is now under investigation by federal lawmakers.
“The Committee on Oversight and Accountability is investigating recent news reports about a possible cyberattack executed against National Public Data by a cybercriminal group identified as USDoD,” the lawmakers wrote, citing the lawsuit filed earlier this month.
The letter was signed by Rep. James Comer (R-Ky.), chairman of the Oversight Committee, and Rep. Nancy Mace (R-S.C.), chairwoman of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation.
The lawsuit charges that USDoD hackers placed the stolen data—including Social Security numbers, phone numbers, email addresses, and mailing addresses—up for sale for $3.5 million on the dark web. The total number of people affected by the leak is unknown, although the lawsuit alleges that it could be as high as 2.9 billion people.
“If true, this data breach likely represents one of the largest cyberattacks ever in terms of impacted individuals,” the Republicans wrote. “The Committee requests a briefing to confirm the veracity of the attack, and if accurate, assess the potential impacts of the breach to the U.S. government, businesses, and the American people, as well as National Public Data’s response to the attack.”
The Maine attorney general’s office also published a notice of the hack—submitted by Verini—on Aug. 17, revealing that 2,760 residents of the state had been affected.
According to the lawsuit, many of those whose information was exposed in the breach were not customers of National Public Data but had their information “scraped” by unauthorized third parties and provided to the company without their knowledge.
The complaint also alleges that the company held unencrypted personal records, making them easily accessible to hackers, and that it failed to provide adequate notice of the breach to those affected.
“National Public Data’s lack of transparency about the cyberattack is staggering in light of the alleged compromised information and potential harm to so many victims,” Comer and Mace wrote, noting that the company has yet to provide a detailed explanation of what happened.
To remedy that, they asked that the requested briefing take place no later than Aug. 30.
“To the extent known and understood, we expect the briefing to describe the timing and nature of the breach, including the manner in which it occurred, a description of the data exfiltrated, and actions being undertaken by National Public Data in response to the breach,” they wrote.
The Epoch Times has contacted National Public Data for comment.