Background check company National Public Data may have compromised the security of every American’s sensitive, personal information. The hack could be one of the biggest in history. The estimated 2.8 billion sensitive records are reportedly for sale on the dark web.
Hoffman vs. National Public Data
In a lawsuit filed on August 1, plaintiff Christopher Hoffman alleges that Jericho Pictures, operating as National Public Data, had significant security vulnerabilities that led to one of biggest cybersecurity leaks in history.
According to the lawsuit, National Public Data failed to secure billions of records on its servers. Records include highly sensitive information including names, Social Security numbers, current and past addresses, and information about each person’s relatives.
Hoffman’s class action lawsuit alleges that the lawsuit may include more than 100 people, some of whom reside in a state different from National Public Data’s home state of Florida. He alleges that the company never obtained permission to collect the affected data and failed to properly encrypt it.
National Public Data Facing Numerous Lawsuits, Including Class Actions
Hoffman says his identity theft protection service alerted him that his information had been found on the dark web. He petitioned for a class-action lawsuit representing others “similarly situated.”
The case was filed in the Fort Lauderdale Division of the United States District Court for the Southern District of Florida.
Other class-action lawsuits filed against National Public Data include Lowanda Wilcox v. Jerico Pictures Inc., Case No. 0:24-cv-61418-AHS; Barry Cotton et al., vs. Jerico Pictures Inc., Case No. 0:24-cv-61396-MD and James Thomas Jones v. Jerico Pictures Inc., Case No. 0:24-cv-61412-XXXX.
So far, all the suits are pending in the Southern District of Florida.
Stolen Records For Sale on the Dark Web
The approximately 2.77 GB file found on the dark web marketplace USDoD included information on individuals who had been deceased for up to two decades. The lawsuit alleges that this information is due to significant security vunerabilites.
National Public Data provides background checks, criminal records, vital records, and asset-related records. Hoffman’s lawsuit says customers can instantly search billions of records containing personally identifying information.
National Public Records allegedly scraped the data from “non-public sources” without the knowledge or consent of the people identified in these records.
The breach affected American, Canadian, and British citizens. Attackers reportedly list the data on the dark web under the name ‘USDoD’ for $3.5 million. USDoD acknowledges that some of the records may be duplicates.
USDoD previously sold a 3 GB file containing the financial records of 58,505 individuals stolen in a separate hack of TransUnion’s systems. The same attackers also used TransUnion’s data to sell the personal information of 3,200 Airbus vendors.
Early Detection by VX Underground
The breach was first detected and reported by international cybersecurity collective VX Underground. The organization said that they confirmed the information was real. They also confirmed that anyone who had opted out of data collection was not present in the stolen records.
However, millions affected by the breach are unaware the company has their information or how to file an opt-out request. Moreover, data is often bought and sold between companies. The companies that users gave permission to may not be the only ones who have their data.
Though the data has already be leaked, residents of Virginia, Colorado, California, and Connecticut can still opt out of their information being sold to National Public Data by third parties by filling out a form on their website.
According to National Public Data, this information is generally provided for advertising purposes and/or used to generate a profile based on data that includes individuals’ economic status, health, personal preferences, behavior, and location.
Related: New Social Security Changes Affect Millions of Recipients
