Checklist 389: The NPD Leak and an A.I. President, Revisited
National Public Data Leak Worsens: Nearly 2.7 Billion Records Exposed
The recent National Public Data (NPD) breach, already described as catastrophic, has escalated into an even more alarming situation. As first reported on Checklist No. 388 – Everybody’s Data is Out There, the leak has potentially exposed personal information for millions across the United States, Canada, and the UK. New revelations indicate that nearly 2.7 billion records, including names, social security numbers, addresses, and aliases, were leaked on a hacking forum.
This staggering number doesn’t represent 2.7 billion individuals but rather multiple records for each person, capturing all known addresses associated with them. The breach’s severity was amplified by a report from KrebsOnSecurity, highlighted by 9to5Mac, which revealed that an NPD data broker accidentally exposed login credentials for its database on its homepage. This oversight enabled access to a trove of consumer records, further deepening the breach.
KrebsOnSecurity detailed how another NPD property, RecordsCheck.net, inadvertently published a file containing the usernames and passwords of its administrators. Alarmingly, many users retained the initial six-character password, despite instructions to change it.
In response to the breach, affected individuals in the U.S. can check whether their data has been compromised by visiting npdbreach.com or npd.pentester.com. Unfortunately, these resources are not available for those in Canada or the UK.
Security experts recommend several measures in light of the breach:
- Monitor credit reports for signs of fraudulent activity.
- Notify credit bureaus (Experian, Equifax, TransUnion) if suspicious activity is detected.
- Enable two-factor or multi-factor authentication for all accounts.
- Use a password manager and avoid reusing passwords.
- Be vigilant against phishing attempts.
If personal information has been compromised, experts suggest freezing your credit to prevent identity theft. According to usa.gov, a security freeze restricts creditors from accessing your credit report, preventing new accounts from being opened in your name. This can be done for free through each of the three major credit reporting agencies.
While freezing or unfreezing credit online or by phone is immediate, doing so via mail may take several days—another reason to act swiftly if your data is at risk.
Sources: 9to5Mac, Bleeping Computer, Engadget, usa.gov
AI-Generated Biden Robocalls: Culprits Identified and Penalized
In a troubling incident earlier this year, AI-generated voice technology was used to impersonate President Joe Biden in an attempt to influence voters in New Hampshire ahead of the state’s primary. The incident, first reported on Checklist No. 316 – OS Updates and AI Presidents, revealed how deepfakes were weaponized in the political arena. A January report from The Daily Beast via Apple News detailed how New Hampshire voters received calls seemingly from President Biden, urging them to “save their vote” for the November general election, a move that was intended to disrupt a write-in campaign for Biden.
The calls, which originated from the phone number of a former New Hampshire Democratic Party chair, led to an investigation by the state’s attorney general’s office, which condemned the deepfake as an assault on democracy. The investigation eventually identified Steve Kramer, a longtime political consultant working for a rival campaign, as the mastermind behind the calls. Kramer claimed his actions were a stunt to raise awareness about the dangers of deepfakes. However, he is now facing 26 criminal counts of voter intimidation and impersonating officials in New Hampshire, a civil lawsuit from the League of Women Voters, and a proposed $6 million fine from the Federal Communications Commission (FCC).
Kramer did not act alone. He outsourced the robocalling mechanisms to Lingo Telecom, a voice service provider that distributed the AI-generated calls through spoofed phone numbers. Lingo Telecom has agreed to pay a $1 million fine and adhere to stricter oversight protocols as part of a groundbreaking enforcement action by the FCC. This marks the first time federal authorities have penalized a company for its role in transmitting malicious deepfakes.
FCC Chairwoman Jessica Rosenworcel emphasized the importance of transparency, stating, “Every one of us deserves to know that the voice on the line is exactly who they claim to be… If AI is being used, that should be made clear to any consumer, citizen, and voter who encounters it.” New Hampshire Attorney General John Formella echoed this sentiment, noting that the FCC’s action against Lingo Telecom sends a strong message against election interference and deceptive technology.
Despite this enforcement, Lingo Telecom is no stranger to legal trouble. As reported on Checklist 363 – The Imaginary Toothbrush Botnet and highlighted by TechCrunch, Lingo has a history of running illegal call operations under various aliases, including Americatel, BullsEyeComm, and VarTec Telecom, among others. The million-dollar fine and promises to follow the rules are viewed skeptically by many, given the company’s track record.
Source: NBC News