
Data Breaches


2.9 billion U.S. citizens' data is breached, including full names, social security numbers and addresses.

 

Billions of people’s data was published on the dark web around April 8, 2024 — from a single breach of National Public Data. However, many of the victims are still unaware of their exposure because they have yet to receive a notification or statement from the company.

 

Recently, one of the victims filed a class action lawsuit after learning that their data was breached when they received a notification from an identity theft protection service provider. What will this mean for people whose data was unknowingly sold on the dark web?

 

What happened in the National Public Data breach?

National Public Data, owned by Jerico Pictures, Inc., is a Florida-based background check business that collects data. The consumers included in National Public Data’s databases did not consent to giving their data to the company.

 

According to the lawsuit filed by Christopher Hofmann, a cyber criminal group called USDoD has posted a database containing the private data of 2.9 billion U.S. citizens, including full names, social security numbers and addresses on the dark web. The data also included information about the individuals’ relatives. One of the unique aspects of the data was the longevity — the addresses spanned decades of residence, and some relatives have been deceased for as long as two decades.

The hacker group put a purchase price on the database of $3.5 million. VX-Underground, an educational website focused on cybersecurity, confirmed that the information in the 277.1GB database was real and accurate after being informed by the group of its intention to leak the database. Because National Public Data is not bound by the CIRCIA requirements for critical infrastructure, the company was not required to report the breach within 72 hours.

 

“This unencrypted, unredacted PII was compromised, published and then sold on the Dark Web, due to the Defendant’s negligent and/or careless acts and omissions and their utter failure to protect customers’ sensitive data. Hackers targeted and obtained Plaintiff’s and Class Members’ PII because of its value in exploiting and stealing the identities of Plaintiff and Class Members. The present and continuing risk to victims of the data breach will remain for their respective lifetimes,” stated the lawsuit.

 


 

No public statement from National Public Data

In addition to neglecting to inform the victims, National Public Data has not released a public statement regarding the breach.

 

The Los Angeles Times reported that the company responded to email inquiries with “We are aware of certain third-party claims about consumer data and are investigating these issues.” The lawsuit mentions the lack of notification as a top concern of the Plaintiff.

 

In the lawsuit, Hofmann asked for specific actions from National Public Data, including providing monetary relief. He requested that National Public Data purge all breached PII. In addition, he wants the company to encrypt all data going forward, use data segmentation, scan its databases and launch a threat-management program. Additionally, he would like a cybersecurity framework evaluation to be conducted annually until 2034.

 

Impact of the breach

While the details are still evolving, this breach appears to be the largest — or one of the largest — data breaches of all time.

 

Because the 2013 Yahoo breach included 3 billion accounts and the National Public Data breach appears to include 2.9 billion people, Yahoo may still hold the record after the dust settles from this latest breach. The previous second- and third-place holders will move to third and fourth after this breach hits the record books. The 2017 River City Media breach involved 1.37 billion records, while the 2018 Aadhaar breach contained 1.1 billion.

 

As experts try to predict the decision in this matter, many are turning to past events for comparison. In a similar lawsuit filed against Yahoo, U.S. District Judge Lucy Koh in 2019 rejected Yahoo’s proposed settlement payout to 200 million impacted individuals with close to 1 billion accounts. Koh rejected the settlement offer for the following reasons:

 

  • Inadequate disclosures of breaches that also occurred in 2012
  • Release of the 2012 claims was “improper”
  • Improper disclosure of the settlement fund size
  • Settlement fund “appears likely to result in an improper” reverter of attorneys’ fees
  • The settlement doesn’t sufficiently disclose “the scope of non-monetary relief”
  • The size of the settlement class isn’t clearly defined

 

Moving forward

Consumers should sign up today to begin preventive measures that render breached data useless, because they don’t look like you.

 

Reprinted in pertinent part from:  https://securityintelligence.com/news/national-public-data-breach-publishes-private-data-billions-us-citizens/
