A sample of personal information pertaining to a number of members of the US house of representatives stolen in a recent data breach has been put up for sale online.
The data – lifted from the systems of a Washington DC-based healthcare provider that caters to federal legislators and their families – has reportedly already been purchased by at least one buyer.
The sheer volume of data that has been stolen and subsequently leaked online over the past few years has led cybersecurity software companies like Surfshark to add dark web monitoring tools to their products, so users can check for themselves whether their information has been exposed after attacks.
Data Breach Hits Congress
Earlier this week, US House Chief Administrative Officer, Catherine L. Szpindor, confirmed that DC HealthLink had suffered “a significant data breach” that may have exposed “Personal Identifiable Information” (PII) of members of Congress, their families, and their staff.
Szpindor said that the true scope of the breach is yet to be uncovered, and there was little additional information regarding the nature of the PII. There could be as many as 170,000 individuals affected by the breach overall.
Although there’s currently no evidence that any accounts have been compromised, lawmakers have been provided with the information they need to freeze family credit at Equifax, Experian, and Transunion.
What Data is Up For Sale Online?
According to Bleeping Computer, a threat actor known as IntelBroker has been attempting to sell the House Members’ data on a hacking forum in exchange for cryptocurrency.
The most sensitive information up for sale includes (but is not limited to) work and home emails, home addresses, mailing addresses, phone numbers, social security numbers, and healthcare plan information.
The threat actor claims they were able to extract this from the DC.gov Health Benefit Exchange Authority. They've also posted messages that suggest the data has had at least one buyer since it was put up for sale.
Did the FBI Purchase the Leaked Data?
In a joint letter penned by House Leader Kevin McCarthy and Minority Leader Hakim Jeffries and addressed to the DC Health Benefit Exchange Authority, they confirmed that the FBI has successfully purchased the information as part of the operation.
This will only give them a better idea of exactly what kind of information has been leaked, however, as the seller will have copies of the datasets to sell to multiple parties. Whether the FBI was the buyer referenced by the threat actor remains unclear at present.
Also in the letter, McCarthy and Jeffries say that the impact of the breach “could be extraordinary” due to the sheer volume of US politicians, staffers, and families who’ve used the healthcare service over the past 7 years.
Why You Need Tools to Monitor the Dark Web
In 2023, with hacking techniques more sophisticated than ever before, even the most secure, reputable organizations are at risk of suffering data breaches.
Technology like password managers can greatly reduce the risk that your personal details are compromised in the first place, but if a company you've made an account or shared personal information with is hit by a data breach, there's nothing you can do to reverse that.
What you can do, however, is change your information – and the quicker you do this, the better. That is why tools like Surfshark's Dark Web Monitor, which is part of their Surfshark One package, are becoming more popular. By actively scanning the dark web for references to your personal information, you'll be able to react quickly and reset all of your account credentials.
If you'd prefer to look yourself, websites like haveibeenpwned.com provide a way for you to manually search any of your personal information. Either method works, but it's vital you keep on top of it in 2023.