Cyber Crime Junkies
Socializing Cybersecurity. Translating Cyber into business terms. Newest AI, Social Engineering and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manages cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
Cyber Crime Junkies
Biggest Data Breach in Modern History. What To Do Now.
The world of cybersecurity has been rocked by a data breach so colossal that it's being called the Biggest Data Breach in Modern History. The National Public Data breach and hacker USDoD are discussed in a true cyber crime story.
The biggest data breach in modern history, involving National Public Data and its sister site Records Check. The breach compromised sensitive personal data of over 2 billion people and exposed vulnerabilities in cybersecurity practices. The hacker behind the breach, known as USDOD, is a Brazilian citizen and has a history of high-profile hacks. The conversation emphasizes the importance of cybersecurity for businesses, especially small to mid-sized ones, and the need for stronger regulations for data brokers. It also provides recommendations for individuals to protect themselves, such as freezing credit and monitoring financial accounts.
Chapters
- 00:00 What Happened and What You SHould Do
- 03:00 The Biggest Data Breach in Modern History
- 08:04 Protecting Small Businesses from Cyber Threats
- 13:03 Blind Spots in Cybersecurity
- 26:09 The Need for Stronger Regulations for Data Brokers
- 35:09 Taking Steps to Protect Personal Information
- 46:49 Making Cybersecurity a Priority in Business Operations
Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-446
Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!
Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast
Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!
Summary
The conversation discusses the biggest data breach in modern history, involving National Public Data and its sister site Records Check. The breach compromised sensitive personal data of over 2 billion people and exposed vulnerabilities in cybersecurity practices. The hacker behind the breach, known as USDOD, is a Brazilian citizen and has a history of high-profile hacks. The conversation emphasizes the importance of cybersecurity for businesses, especially small to mid-sized ones, and the need for stronger regulations for data brokers. It also provides recommendations for individuals to protect themselves, such as freezing credit and monitoring financial accounts.
Chapters
- 00:00 Introduction and Background
- 03:00 The Biggest Data Breach in Modern History
- 08:04 Protecting Small Businesses from Cyber Threats
- 13:03 Blind Spots in Cybersecurity
- 26:09 The Need for Stronger Regulations for Data Brokers
- 35:09 Taking Steps to Protect Personal Information
- 46:49 Making Cybersecurity a Priority in Business Operations
Topics: Biggest Data Breach in Modern History, biggest data breaches of all time, data brokers, National Public Data breach, UsDod, benefits of security roadmap, best practices for protecting personal data online, best practices to limit cyber liability, do americans value their personal data, fun security awareness no cost, new approaches to security awareness, new ways to limit cyber liability, security best practices for business, tips for staying safe on social media, top ways to stop social engineering, understanding the hacker mindset, understanding the neuroscience of social engineering
Dino Mauro (00:03.02)
As we dive into today's story, I'm joined by my mysterious friend, TJ. TJ's voice has had to be filtered to protect his identity, given the nature of his work and who his employer is. I'm sure you understand. TJ Michaels, welcome to the studio, sir. Good morning, Dino. Thanks for letting me join. As you mentioned, I'm TJ Michaels, a security researcher who really enjoys investigating these cases.
They've got a lot of life lessons baked inside. Things we can learn, you know. I'm happy to be here today. The biggest data breach in modern history is your personal and business data safe. When you think of the biggest data breaches of all time, what do you picture? What's in your mind's eye? What do you do about it? When you hear about these massive breaches on TV, social media, or when out at events, what do you think? First, I want to know. I mean, text us direct.
right here to our studio at 904 -867 -4466. That's 904 -867 -4466. You can text us right now or at any time later and we directly get your message. We want to know what you think about when you hear about data breaches in the news. We want to know what you think.
What does it make you do? Does it make you change behavior? That's what we want to
So circling back, when you hear about these breaches, does it make any sense? I mean, more importantly, what do you do about it? You, individually, what do you do? What about at work? Does any of it change your behavior? I don't think it does. That's part of the problem. That's the mission of this podcast and the point of this story. The world of cybersecurity has been rocked by a data breach so colossal
Dino Mauro (02:04.334)
that it's being called the biggest of modern times. Imagine a treasure trove of sensitive information, 2 .9 billion records to be exact, containing details of citizens from the US, Canada, and the UK weighing in at a staggering four terabytes. This digital gold mine is now in the hands of a notorious threat actor known only by the alias USDOD. And if that's not shocking enough,
It's up for sale on the dark web for a jaw -dropping $3 .5 million. The impact. It's not been just numbers, but lives and livelihoods. This isn't just another headline about stolen data. It's a cyber crisis of unprecedented scale. With personal information of nearly 3 billion people compromised, the ripple effects are beyond actual comprehension.
from small and mid -sized businesses, SMBs, to individual citizens, no one is really safe. And people are either ignoring it or they just figure something bad's gonna happen, that's why I've got credit monitoring or that's why I've got things. But there are specific steps that small to mid -size, mid -tier, mid -market businesses can do and specific steps that every single one of us should be doing.
And we want to help you do that. At the end of this episode, we're going to lay out exactly what to do with resources that are no cost so that you can do them. The leaked data can lead to identity theft, financial fraud, and even targeted attacks on critical infrastructure. If you think this doesn't affect you or your business, think again. The implications are meaningful.
They are profound and the time to act is now. Who is behind this massive cyber heist? None other than the same threat actor responsible for infiltrating the FBI's InfraGuard, a network we're proud members of, demonstrating an audacity that few in the hacking world can match. Known as USDUD, this hacker has not only stolen billions of records, but has also been publicly exposed or doxed.
Dino Mauro (04:28.992)
after getting into a heated exchange with CrowdStrike, a leading cybersecurity company that famously claims to stop breaches. In a twist worthy of a Hollywood thriller, USDUD engaged in a trash talking match with CrowdStrike, even exposing some of their proprietary indicators of compromise, IOC. CrowdStrike responded by tracking down and exposing his real identity. This cyber outlaw has been revealed as a Brazilian citizen.
an international debate. Should he be extradited to face justice in the US? The story has become a global spectacle, but behind the drama lies a serious threat to our digital security. So this is really a call to action. You need to freeze your credit and stay vigilant. Business owners need to invest in specific security layers and realize the overwhelming risks taken by failing to do so.
So we're going to talk about a true cybercrime story. I'm about to tell you a true story, one that has caused many to stand up and kind of shout enough, enough of the attacks, enough of the lame excuses victims make after not taking just basic precautions, reusing passwords, failing to just do basic things to avoid risks and remaining essentially negligent in their own security posture.
It's shocking. It's real. The following is our clearly our personal opinions, not the opinions necessarily of our employers or partners. The opinions expressed here come though, as a result of interviewing over 250 business leaders, cybersecurity experts, hackers, threat actors, and government leaders over the past several years. Also,
Check out the end portion before leaving since we share specifically what you individually can do personally, as well as your role as a business leader or owner need to do and how to meet that duty we owe to our personal brands, our families, our friends, as well as what you may owe to the brand that is your business. These days, a small mistake can have colossal consequences.
Dino Mauro (06:53.994)
National Public Data, NPD, a consumer data broker, recently made a grave error that exposed millions of Americans' sensitive information online. But the story takes a shocking twist. An affiliated company of National Public Data called Records Check accidentally published its own administrative passwords on its homepage. This blunder made their backend database vulnerable, exposing source codes, user credentials,
outdated but reusable passwords. However, a new layer of the breach came to light when a reader discovered an archive on Records Check's website. This file, publicly accessible until mid -August, contained plain text usernames and passwords, and shockingly, many users never updated their default credentials. The revelation also highlighted a worrying trend, hackers leveraging old breaches to exploit new vulnerabilities.
As the dust settles, experts warn Americans to take immediate steps, freezing credit files, monitoring financial accounts, and securing personal information.
So let's take a reality check, real life impact from data breaches. In recent weeks, I've traveled across a couple Midwestern states, flyover states that are the heart of this phenomenal country. And I drove by three specific mid -sized businesses that I've known for years and I've had business dealings with over the past several years. Two of the three are shuttered.
completely closed down. I sat down with the C -suite leadership of the third one. And the third sits there today with approximately 40 % of its prior workforce. So what was the straw that broke the camel's back for all three? Do you me to blame Trump? Do you want me to blame Biden, Kamala? No, it's not our thing.
Dino Mauro (09:03.342)
But also it goes back to business ownership initiative and decisions. Some of it was risky investments and most of it for all three, which is why I'm bringing up these three, all stemmed from how they approached cybersecurity. After over 250 interviews conducted in our podcast where we dug into business leaders, threat actors and cybersecurity leaders,
We've got a different perspective. It won't be surprising at all.
Dino Mauro (09:41.56)
data breaches and the unforeseen fallout of them long term. As for the technical industry, we've done a terrible job at measuring cybersecurity risk. And because not all data breaches are created equal, the industry hasn't done a great job assessing proximate causation either. The industry has also done business leaders a disservice by over -promising and under -delivering. You, vendor,
Do not stop breaches, nor do you solve social engineering. But you are useful, very useful, and critically needed. Just be forthright in your advertising claims, and don't let the income you earn give you a sense of overly inflated self -importance. What I learned after interviewing various people involved in those three businesses were life lessons and the importance of taking action on the advice people have been providing.
The lack of taking the advice from people who are genuinely trying to help is that business owners and leaders are operating their companies with massive high risk blind spots. It is similar to the problem with mentorship. So many people seek a mentor and then fail. Why? They fail to actually take the actions recommended by the mentor. They don't do the push ups required. So Dino, bring us back to the topic of blind spots. You were saying? I talk about blind spots.
a lot because I think that we look at cybersecurity sometimes as business leaders and in a business sense, and we look at it like we look at IT. I mean, there's cheaper ways to manage IT. And so people tend to take that same rationale with cybersecurity. And it's a huge mistake because even if you don't invest in
various controls and various layers, right? Kind of like bulletproof glass. takes a lot of layers, but even if you don't do it, you are going to wind up paying more or jeopardize closing down the business. They're blind spots and part of security awareness. The heart of security awareness is just to raise awareness literally of where those blind spots might be.
Dino Mauro (12:05.438)
so that a decision can be made. Because oftentimes there's a lot of leaders that are very bright people, but they don't even know what they don't know. Blind spots are basically areas of significant risk that businesses are operating with that they don't even know to take action about. And that my friends, it gets right to the heart of security awareness. It gets to the heart of the difference between cybersecurity
and compliance. I compliance is the evidence that a security action has been taken, right? On a specific control or rule, right? Up to like a baseline minimum, but it doesn't mean it's effective. Cybersecurity awareness is the actual learning of your risk. Leadership is about taking action and driving help for those who were previously blind.
So what do we know so far about the biggest breach in modern history? Well, in December 2023, just this past December, National Public Data, we'll call it NPD. It's a company offering access to extensive public records. They experienced a significant breach, sensitive personal data from over two billion, that's with a B, people.
There's not even two billion people in the US, Canada, and the UK. Doesn't even add up to two billion. So this expands way beyond the entire population of all of
The sensitive personal data of over 2 billion people was compromised. And this means nearly all Americans, clearly. The stolen information soon found its way to the dark web and to the underground marketplaces, putting countless individuals at risk. The breach, already a major incident, took an even darker turn when months later in August 2024,
Dino Mauro (14:15.274)
That's this month everybody. It was discovered that one of NPD's sister sites, recordscheck .net, had accidentally published its own admin passwords on its homepage.
Let that sink in, published its own admin passwords on its homepage. This is where the story gets complicated and concerning. The security blunder on RecordsChecks site allowed anyone who stumbled upon the page to access the site's administrative back end. This is more than just a careless mistake. It highlights a glaring failure in cybersecurity practices. One.
that should have been avoided with basic protocols in place. Let's break down what happened and why this matters, particularly for small to medium -sized business SMB owners here in the United States. The initial breach in December, 2023 was the first domino to fall. NPD, like many companies offering public records access, stored a vast amount of sensitive data.
Everything from social security numbers and birth dates to home addresses. This kind of information is a gold mine for cyber criminals, and it's precisely what was exposed during the breach. Once the data was leaked, it didn't take long for it to circulate in dark web markets, where stolen identities and personal records are bought and sold. What escalated this situation was the subsequent incident involving recordscheck .net.
This site, closely linked to NPD, used shared databases and systems, meaning it was a critical component of the overall operation. When recordscheck .net accidentally published a file containing its admin login credentials on its homepage, it was akin to leaving the front door wide open in a neighborhood filled with thieves. Anyone who accessed that page had the potential to exploit these credentials, gaining access to the backend systems of the site.
Dino Mauro (16:28.404)
and potentially more sensitive data. The exposure wasn't just a brief, easily contained error. The passwords remained publicly accessible for an unknown period, adding to the damage that had already been done by the initial breach. This event demonstrates a failure, not just in securing data, but in the entire cybersecurity infrastructure of the company. So who exactly is this guy? Who is USDOD?
who the infamous hacker is in real life, actually just came out in the past couple days, thanks to him being doxxed. Fact -checking friends will realize that he was, in fact, doxxed a few months back, but now it's all coming to light. The entity behind the NationalPublicData .com breach, known as USDUD, is a notorious figure in the cyber criminal world, though not widely recognized in mainstream databases like
MITRE ATT &CK or MALPEDIA. USDOD is a single individual rather than a group and has a history of executing similar high -profile hacks and data leaks. This individual was previously associated with other significant breaches targeting organizations such as the FBI's InfraGuard, Airbus and more. He has given interviews and his true identity and location has been exposed.
The breach of nationalpublicdata .com is particularly alarming due to the scale and the nature of the data involved. Over 2 .9 billion records were compromised, including deeply sensitive personal information such as social security numbers. The attack was meticulously planned and executed, likely over an extended period. The hacker used advanced techniques to exfiltrate the data
without detection, which is remarkable given the enormous size of the database. Typically, databases of this magnitude include various complex records like scans, PDFs, and legal documents, making them challenging to steal in bulk without raising alarms. After successfully extracting the data, USDUD attempted to monetize it by offering the entire data set for $3 .5 million
Dino Mauro (18:54.614)
on a dark web forum called Breach Forums. The hacker's declaration, I'm not a group, I'm not a gang, I'm an only one man army, reinforces the belief that US DUD operates independently, driven by motives that are not entirely clear, but likely involve a mix of financial gain and notoriety, security weak. This breach is consistent with his prior modus operandi, where he not only targets large scale organizations,
but also looks to disrupt and challenge the broader cybersecurity ecosystem. This kind of large scale data sale is a hallmark of US DUD's operations, reflecting a sophisticated understanding of both technical and criminal aspects of cybersecurity. So who owns National Public Data, the data broker who made millions selling all your personal information for profit? So where did National Public Data get its consumer data?
The company's website doesn't say, but it's operated by an entity in Coral Springs, Florida called Jericho Pictures. All right, so dig this. The website for Jericho Pictures is not currently responding. However, the legendary Brian Krebs investigated and found cached versions of it at archive .org. And it shows that it's a film studio with offices in Los Angeles,
in South Florida, namely, it's this guy. Salvatore Verini, as Brian Krebs found out. Enough said about this piece of work and his data broker collection practices with substandard security posture. As Brian Krebs explained, it's unclear how the thieves originally got their hands on these records from national public data. Krebs reached out to USDUD, who confirmed he sold the same data set.
that recently leaked on breach forums but insisted the leaker didn't get it from them. He explained that the data stolen from national public data has been passed around several times since it was first taken in December 2023. The database has been floating around for a while, he said. I wasn't the first one to get it. US DoD also mentioned that the original thief goes by the name SX
Dino Mauro (21:19.762)
U -L -S -X -U -L. It looks like this hacker deleted their Telegram account a few days ago, likely due to the media frenzy surrounding the breach. Let me add this, a word on data brokers. Data brokers, such as national public data, typically collect information by sifting through government records across federal, state, and local levels. This encompasses data from voting registries, property filings, marriage certificates, motor vehicle records,
criminal records, court documents, death records, professional licenses, bankruptcy filings, among others. While many Americans may believe they have the option to prevent their records from being collected and sold, experts indicate that this isn't possible. These so -called public records are exempt from all state consumer privacy laws, including those in California.
Dino Mauro (22:17.44)
Okay now, Dino, my voice is tired. Why don't you walk us through how US DoD was exposed or DOCS -XED as we call it. So let's talk about the doxing, the exposing of the true identity of US DoD. In this kind of mind blowing unmasking of this person, right, behind the mask.
It's been like it's been played out in the media as a dramatic twist and it just happened over the last several days. The notorious USDOD we learned also goes by the name of Equation Corp and his true identity has been revealed. It sent shockwaves through the cyber world. mean, you have to understand cyber criminals do not operate with their real
names. It's all based on anonymity. That is why the quintessential version of the hacker has the Guy Fawkes mask on. So who is he? Well, he's a Brazilian citizen and that Brazilian citizen stands behind one of the largest data breaches in history, which is a revelation that not only deepens the mystery, but also casts a shadow on the international hunt for justice that's now ongoing.
See the breach, infamous for compromising that over $3 billion worth of social security numbers and sensitive private information now carries new weight as global tensions are rising over what this means for the future of cyber warfare.
And then it gets weirder because USDOD takes to PR both after the breach as well as before the breach. As TJ pointed out, he's famous for having breached the FBI's InfraGuard program as well as Airbus. So unlike
Dino Mauro (24:30.082)
major ransomware gangs or the cyber crime gangs that make the news repeatedly with volume breaches. He works alone and he targets big whales and he does an extremely effective job.
So in a revealing interview, this hacker known as USDOD clarified that his motivations are neither political nor even financial. Instead, he just likes the challenge of it. He gained notoriety, like we mentioned, for very high profile breaches, including the FBI's infigard, of which we are proud members, and Airbus using social engineering and impersonation.
shocking, right? He emphasizes that he is not pro -Russia nor a terrorist despite the way he's been portrayed in the media. His activities are driven by personal reasons and a desire to test his skills even at the risk of getting caught. The damage caused by this one Brazilian citizen single -handedly is estimated at a jaw -dropping three billion dollars.
and it exposes vulnerabilities across major institutions, leaving a trail of chaos in its wake. As Brian Krebs stated this week, this breach stands as a testament to the growing sophistication of cyber criminals who can inflict significant damage with relative impunity.
More than just numbers, the stolen data carried intimate personal and financial details, fueling waves of identity theft and fraud. And that is where we get to specific steps on ways you can protect yourself and things that employers must do. The impact is a grim warning of what awaits when cybersecurity fails to meet the ever -advancing threats in our digital age.
Dino Mauro (26:39.182)
So what makes this guy different? Well, he's not gone after volume or even the notoriety of being affiliated with one of the major gangs. You have to realize these are $100 million, $500 million entities and they brag and they're popular among thieves and in certain parts of the world. He's stayed away from all of that. He works solo and he targets whales.
And he is incredibly effective. Throughout the interview that he gave, USDOD remained an enigma. He never revealed too much, always leaving a sense of intrigue in his wake. His responses were thoughtful, calculated, much like his approach to cybersecurity. He spoke of the importance of evolving beyond traditional methods.
and staying one step ahead in a game where the rules were constantly changing. He hinted at new technologies a group that he's affiliated with Sparrow Group was developing, tools that would redefine the standards of digital security. As the interview was wrapping up, one thing was evident, USDOD wasn't just a player in the cybersecurity realm, he was a game changer. His work with Sparrow Group had already sent ripples through the cyber
And whatever comes next is sure to make waves. In a domain where anonymity is often the key to survival, USDOD has made a name for himself. And people know exactly who he is. We'll show you on the screen and we'll have links in the show notes. You can see who he is. He was on Instagram. There's pictures of him.
And so not while he's made a name, it's not through his own self promotion or through publicity, but just through the sheer power and effectiveness of his efforts. In an interview with hackreed .com, which include a brief video message, USDOD admitted that he had been doxed by CrowdStrike after the breach. Remember CrowdStrike, everybody knows who CrowdStrike is, but if you're not in the cyber world,
Dino Mauro (29:02.434)
or the cybersecurity industry, because we do have a whole host of listeners that are not. CrowdStrike is the cybersecurity firm that was recently in the spotlight for the flawed update that disrupted Windows devices worldwide and crippled airports, et cetera. And they're the we stop breaches guys, right? And so why did CrowdStrike go after him? Well, he's got a history with.
So let's talk real briefly about CrowdStrike versus USDOD. The notorious hacker that recently, you know, made headlines that give rise to this entire episode.
and followed up with another, you know, the prior major attack when he infiltrated the FBI's InfraGard platform. And in that instance, he exposed the information of 8 ,700 members. These incidents are just a few in a long list of major hits and web scraping operations that have been leaked to him. So how did the...
like the the the conflict just between CrowdStrike and HimStart. What all actually started a couple months back in July of 2024, the hacker claimed responsibility for scraping and leaking a 100 ,000 line IOC, indicators of compromise. It's like a proprietary list that CrowdStrike uses in less than a month.
CrowdStrike responded by revealing the hacker's identity. So now we get back and we circle back to the Brazilian revelation, right? And this is going to complicate things because his admission that he's a Brazilian citizen, it throws the entire pursuit of justice in a turmoil because Brazil notoriously resists extraditing its citizens
Dino Mauro (31:17.816)
to the US. And so this is going to be a formidable barrier to any US efforts to bring this guy to justice. With the revelation, the breach now moves beyond borders, sparking international legal battles and heightening the uncertainty of whether anything will ever happen to this guy.
Dino Mauro (31:42.734)
In the interview, he does admit to being doxxed by CrowdStrike, but he has a caveat. USDOD says the following. He goes, quote, so congrats to CrowdStrike for doxxing me. They are late to the party. Intel 421 Plus and a few other companies already doxxed me even before the InfraGuard breach. I wanna say thank you.
It is time to admit I got defeated and I will retire my jersey. Yes, this is Luan. He identifies his name. He says, yes, this is Luan speaking. I won't run. I'm in Brazil, the same city where I was born. I'm a huge valuable target and maybe I will talk soon to whoever is in charge, but everyone will know that behind us DOD, I'm a human like everyone else. To be honest, I wanted this to happen.
I can't live with multiple lives and it's time to take responsibility for every action of mine and pay the price. It doesn't matter how much it may cost me. This is not my end. Thank you. See you around. Don't worry, Brazilian authorities. I'm coming to meet you. I'm not a threat. In fact, I can do much for my country.
Let that sink in for a second. That statement highlights the legal diplomatic hurdles that the US is gonna have. And given the US's government track record with international pursuits, it's uncertain whether Brazil's legal protections are gonna be firm in such a high profile case. So when we think of the question of whether the US can actually extradite him, according to the Brazil and US extradition treaty, and you can check this out,
in the article that we published about this case. In the Brazilian US extradition treaty, the US could request his extradition to face charges for cybercrimes. However, Brazil has a longstanding practice of refusing to extradite its own citizens, which will complicate things. If Brazil opts not to extradite, the hacker could still face legal consequences under Brazilian law.
Dino Mauro (34:06.092)
depending on how the country addresses cybercrime.
Dino Mauro (34:13.277)
As for USDOD himself, he says and gives the last words here. He says, quote, as long as I am here, I am untouchable. The world may hate me, but Brazil's laws keep me safe.
Dino Mauro (34:35.982)
So his expressed desire to kind of turn from cybercrime and contribute positively to Brazil, it might influence how authorities approach his case. This could potentially shift the focus toward rehabilitation rather than trying to punish him. But it's doubtful given the history of various cybercriminals, but who knows? Stranger things have happened.
Dino Mauro (35:09.198)
So what should business leaders do and what should individuals do? First, let's tackle business leaders. Let's talk about specific steps and what a breach like this actually means to small to mid -sized business owners. We're not addressing the Nikes of the world, the Anheuser -Busch's of the world. We're talking about small to mid -sized businesses, 1 ,000 employees and below. So what does this mean for us? Well,
This story underscores the critical lessons for all businesses, regardless of size, but special attention, like I mentioned, is paid here to organizations under a thousand employees. These are the top of mind best practices that the industry suggests. And every meet, every single week, we meet leaders and organizations who still don't implement these basic requirements.
which is still shocking, but some of it's budget related, but some of it is just either myths that are believed in. You know, I met a business owner two weeks ago that was like, look, son, I'm an hour and a half out of a metro area. I don't need to worry about cyber crime like this. And I almost banged my head against the window. Like this, like...
It does not matter where you are geographically. It does not matter if the town you're in is safe. You're not safe when you get online. And if you don't start doing things, it's going to get really bad really soon. We're not spreading for uncertainty that we genuinely are trying to raise awareness so that you can do what you don't have to do anything with, with, with us or with groups that we're affiliated with, but take steps to protect.
your own brand because this is, after all, war. I mean, think about this, like that kind of attitude. Do remember back in the day when there were no seat belts in cars, right? People were flying around on high speeds with no seat belts, smoking Marlboro Reds, and there were Marlboro Red ads on TV, right? Things have changed. People resisted in the beginning.
Dino Mauro (37:32.236)
denied that any of that was harmful in the beginning. Well, now they kind of came around and they started doing the right things. And guess what? Life expectancy went up. Health has actually gone up. That's good, right? So that's what we're trying to drive. So first and foremost, no business is too small for cyber threats. The fact that you're located an hour plus from a major metro area is absolutely irrelevant. When you get online,
you enter their world. One of the biggest misconceptions among SMBs is that cyber criminals won't target them because they're too small to be worth the effort. In reality, smaller businesses are often easier targets precisely because they tend to have weaker cybersecurity defenses. Hackers know this. We've interviewed hundreds of them and they often prioritize them over large corporations because they're quick smash and grabs.
They can put you out of business and where they live in the world, they're rewarded for it. The NPD incident, it's a stark reminder that even businesses handling public data are vulnerable and SMBs can be prime targets if they aren't careful. So use a business leader, owe your brand a duty, not just to invest in its growth like sales and marketing.
but to value your brand and invest in protecting it. That actually means putting money where it's needed to at least reach fundamental levels. So what is recommended? What do people recommend? Starting at the beginning, right? Start at the beginning with a security assessment. Figure out what the best practices are, the standards, the controls for your specific industry.
assess where you're at, assess all the technology that you have. Most business owners have no idea everything that is connected to their network, right? And figure out how it's configured or misconfigured within your systems. I mean, how can somebody sleep without knowing that somebody is watching your shop 24 seven and the internet and online operates 24 seven.
Dino Mauro (39:53.896)
even if the people aren't in the office. So there's a lot of opportunity to have good discussions there, right? There's outsourced SOC as services. There's so many different layers that aren't very expensive at all. You don't need to build your own teams. You don't need to hire a bunch of people. There are so many valuable opportunities to make wise decisions with limited funds.
also basic policy enforcement and implementing them. Most SMBs need to have policies that are actually enforced, ones like AI use, password policies, multi -factor authentication, right? The mistake made by records check, right, was basic yet catastrophic. Poor password management, having strong passwords, regularly updating them and ensuring they're stored securely, never ever on a public facing page.
are all fundamental practices that even businesses must enforce. For SMBs, it's a relative easy fix, but it's often overlooked. Implementing robust password policies and utilizing password managers can go a long way in preventing similar mishaps. Let's talk about shared systems and third -party risks.
Dino Mauro (41:20.654)
What we recommend for individuals is consider placing fraud alerts, reviewing your credit and freezing your credit to protect yourself and to protect any children that you have. Place a credit freeze on your credit and place a credit freeze on your children's credit. Identity theft on children can be used for years until they become adults and nobody sees it. Since parents don't normally pull their
As a next step, you may want to reach out to the three major US credit agencies, Equifax, Experian, and TransUnion and obtain a free credit report from each. You can do this by calling 1 -877 -322 -8228 or visiting annualcreditreport .com. It's free. You can also set up a free fraud alert on your credit file. All of this is free.
The initial alert stays in your credit report for one year and you can renew it after that period. We have links in the show notes for how you can get in touch with Equifax experience in TransUnion. It's free to freeze your credit. You just look at Equifax .com, go to Experian .com or go to TransUnion .com and there's 1 -800 numbers for each. After placing a fraud alert request the free credit report,
from each bureau and review it on any accounts or inquiries that you don't recognize. If you discover that your personal information has been misused, visit the FTC's website and identity theft .gov. That's identity theft .gov report the threat, the theft, and you will receive guidance on recovery steps. Even if no suspicious activity is found initially, it's recommended to check your credit reports regularly to
quickly identify and address any potential issues. We strongly urge you to freeze your credit. This prevents potential creditors. And if you are listening to this show, you've had the Godfather of cyber crime, the original of the U S secret service called them the original Godfather of cyber crime on. And he said, if people would just friggin freeze their credit, 80 % of all of the harm that can come to individuals.
Dino Mauro (43:47.456)
and therefore come to companies would go away, but they still don't do it. So once again, we're getting back to the basics, right? Just take action, do it, do it for yourselves, do it for your family. also like we say, freeze the credit of children that you have their identity thefts go on for decades because parents failed to do this no cost step. So
As we wrap up, why did data brokers need more regulation? I mean, this incident underscores the vulnerabilities in data aggregation practices. Experts argue that companies like National Public Data, which act as data brokers, often collect vast amounts of personal data without adequate security measures, without any regulation. An important point to understand, data brokers are widely unregulated.
How can that be okay? You need training, certification and government approval to cut my hair, but to manage take without my knowledge or consent and then screw all of our personal private data up. No parent is in the room for that. It's a ridiculous state of affairs here in the United States. This breach has reignited calls for stronger regulations and transparency in how data brokers operate.
and it should.
The legal and regulatory implications of this breach continue to unfold and will update you as they go on. As a final word, look, the national public data breach. It's a cautionary tale for businesses and for individuals. It serves as a reminder that cybersecurity cannot be an afterthought. It needs to be woven into the fabric of every business operation. Why?
Dino Mauro (45:47.704)
Because technology is a river that flows through every aspect of your business and every aspect of our individual lives where technology is basic fundamental hygiene has to exist. Otherwise things are going to get bad and continue to get worse.
I mean, think about it. Does your organization have a next generation firewall? Great. It's needed, right? But it's not enough. You've got a small company helping you out for IT support. Great. But that's not cybersecurity. It's not enough. By continuing with the way it's always been, it's tantamount to negligence. And these are going to be the allegations that will fill the paperwork of coming lawsuits arising out of the next
data breach to hit the organization should things not change.
Dino Mauro (46:49.4)
Well that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award -winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and we thank you for watching.