
A threat actor known online as USDoD has posted a data dump containing 2.7 billion records, and says that it contains the Personally Identifiable Information (PII) for all citizens of the United States, Canada, and the UK.

The data appears to have originated from a company called National Public Data – a US company which specialises in conducting background and criminal records checks.
National Public Data uses a technique known as web scraping to obtain the data from other sites – the data contains information such as names, dates of birth, phone numbers, email addresses, physical addresses, online aliases, Social Security Numbers, and much more.
The claim that the data dump contains records for all citizens of the three countries is incorrect, in that the combined population of the three countries is roughly 451 million (US ~345 million, Canada ~37 million, UK ~69 million).
The claimed 2.9 billion records will include many records that relate to the same individual but with different data, such as address, etc. Regardless, this does appear to have the makings of the largest data dump ever seen.
The data dump was initially offered for sale in April by USDoD for $3.5M USD, but since then, other threat actors have posted parts of the data dump online for free.
In June, another threat actor called Fenice posted the entire dump for free. They stated that USDoD was not the originator of the breach, but that it was a user called SXUL instead.

In their post, Fenice also hinted that a larger breach of PII was due to be announced soon.
What is web scraping?
Web scraping is the term given to the mass collection of data from websites, typically undertaken by bots: programs designed to automate such tasks.
A web scraper bot will fetch (download) and parse (process) huge amounts of data from websites and place any data it finds into a database to be used for whatever purpose the designer sees fit.
The legality of web scraping varies throughout different countries. In general, web scraping may be against the terms of service of some websites, but the enforceability of these terms is unclear (as is the case for many such activities on the WWW).
Who is USDoD?
The identity of the threat actor(s) behind the USDoD name is not known, but their previous activity is.
Previously known as NetSec on the RaidForums site, USDoD gained notoriety with a campaign known as #RaidAgainstTheUS which targeted the U.S. Army and some defence contractors.
In February 2022, a report highlighted breaches of multiple U.S. defence databases, and suggested that USDoD was/is a pro-Russian threat actor. However, USDoD refutes this, clarifying that the collaborations with Russians were based on personal or business connections, not political motivations.
The name change from NetSec to USDoD occurred in December 2022, when they posted data stolen from InfraGard, a partnership between the FBI and private sector firms.
Using social engineering, USDoD impersonated a CEO and successfully gained membership to the partnership, exposing a significant security lapse within InfraGard.
In September 2023, USDoD posted data stolen from approx. 3,200 Airbus contractors, obtained using a Turkish airline employee’s credentials, which they found in the logfiles of an infostealer.
In November 2023, USDoD was responsible for the upload of 35 Million LinkedIn records to the breached forum along with 2.5 Million records of LinkedIn premium members.
In early 2024, USDoD posted the database of the Metropolitan Club of the City of Washington after obtaining PII about the General Manager. From there, USDoD was able to crack the login details for the organization’s admin panel.
The Metropolitan Club of the City of Washington is a private club in Washington, D.C. In September 1983, The New York Times called it “Washington’s oldest and most exclusive club”. There is a five-year waiting list for membership.