2.9 billion records on U.S. residents breached, including full names, Social Security numbers and addresses
Billions of records of personal data from a single breach of National Public Data appeared on the dark web around April 8, 2024. Many of the victims are still unaware of their exposure because they have yet to receive a notification or statement from the company.
Recently, one of the victims filed a class action lawsuit after learning of the breach not from the company but from a notification sent by an identity theft protection service. What will this mean for people whose data was sold on the dark web without their knowledge?
What happened in the National Public Data breach?
National Public Data, owned by Jerico Pictures, Inc., is a Florida-based background check business that collects and resells personal data. The consumers included in National Public Data's databases did not consent to giving their data to the company.
According to the lawsuit filed by Christopher Hofmann, a cyber criminal group called USDoD posted on the dark web a database containing the private data of what the complaint describes as 2.9 billion U.S. citizens, including full names, Social Security numbers and addresses. Since that figure is roughly nine times the U.S. population, it can only be a count of records rather than of distinct people; a single individual appears many times, once per address or relationship. The data also included information about the individuals' relatives. One unusual aspect of the data was its longevity: the addresses spanned decades of residence, and some of the relatives listed had been deceased for as long as two decades.
The hacker group put a purchase price of $3.5 million on the database. VX-Underground, an educational website focused on cybersecurity, examined the 277.1GB database after the group informed it of its intention to leak the data, and confirmed that the information was real and accurate.
Because National Public Data is not a critical infrastructure entity covered by CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act), the company was not subject to that law's 72-hour incident reporting requirement. Note that CIRCIA's reporting obligations only take effect once CISA's final implementing rule is in force; at the time of this breach only the proposed rule had been published, so even a covered entity would not yet have been bound by the 72-hour deadline.
“This unencrypted, unredacted PII was compromised, published and then sold on the Dark Web, due to the Defendant’s negligent and/or careless acts and omissions and their utter failure to protect customers’ sensitive data. Hackers targeted and obtained Plaintiff’s and Class Members’ PII because of its value in exploiting and stealing the identities of Plaintiff and Class Members. The present and continuing risk to victims of the data breach will remain for their respective lifetimes,” stated the lawsuit.
No public statement from National Public Data
In addition to neglecting to inform the victims, National Public Data has not released a public statement regarding the breach. The Los Angeles Times reported that the company responded to email inquiries with “We are aware of certain third-party claims about consumer data and are investigating these issues.” The lawsuit cites the lack of notification as one of the Plaintiff's top concerns.
In the lawsuit, Hofmann asked National Public Data for specific relief, including monetary damages. He requested that the company purge all breached PII and, going forward, encrypt all data at rest, segment its data stores, scan its databases for vulnerabilities and launch a threat-management program. He also asked that an evaluation against a recognized cybersecurity framework be conducted annually through 2034.
Impact of the breach
While the details are still evolving, this breach appears to be one of the largest data breaches of all time, measured by the number of records exposed.
The 2013 Yahoo breach involved 3 billion accounts, so if the National Public Data breach is counted at its claimed 2.9 billion, Yahoo still holds the record after the dust settles. The previous second- and third-largest breaches move to third and fourth: the 2017 River City Media breach involved 1.37 billion records, and the 2018 Aadhaar breach contained 1.1 billion. All of these figures count records or accounts rather than distinct individuals, so they are comparable with each other but not with population sizes.
As experts speculate on how this case will be decided, many are turning to past events for comparison. In a similar lawsuit against Yahoo, U.S. District Judge Lucy Koh in 2019 rejected a proposed settlement covering roughly 200 million affected individuals holding close to 1 billion accounts. Koh rejected the settlement offer for the following reasons:
- Inadequate disclosures of breaches that also occurred in 2012
- Release of the 2012 claims was “improper”
- Improper disclosure of the settlement fund size
- Settlement fund “appears likely to result in an improper” reverter of attorneys’ fees
- The settlement doesn’t sufficiently disclose “the scope of non-monetary relief”
- The size of the settlement class isn’t clearly defined
Moving forward
Consumers should sign up today to begin preventive measures that render their breached data useless to whoever holds it, because the criminals holding it don’t look like you.
Reprinted in pertinent part from: https://securityintelligence.com/news/national-public-data-breach-publishes-private-data-billions-us-citizens/