In a new and concerning development, a massive data breach may have exposed the personal information of billions of individuals, including sensitive details such as Social Security numbers, current and past addresses, and even the names of siblings and parents. This breach could allow fraudsters to infiltrate financial accounts or take out loans in the names of unsuspecting victims. The breach is now at the center of a lawsuit that sheds light on the extent of the damage and the parties involved.
The Lawsuit: A Dark Web Alert
The breach was brought to public attention through a lawsuit filed by Christopher Hofmann, a resident of California. Hofmann’s identity theft protection service alerted him that his personal information had been leaked to the dark web, specifically by a breach related to “nationalpublicdata.com.” This lawsuit, which Bloomberg Law first reported, outlines the alarming scope of the breach.
The breach allegedly occurred around April 2024, orchestrated by a hacker group known as USDoD. This group managed to exfiltrate unencrypted personal data from a company called National Public Data (NPD), a background check service. The stolen data was later leaked on a hacker forum, with reports from tech site Bleeping Computer indicating that 2.7 billion records were made available. Each record reportedly includes a person’s full name, address, date of birth, Social Security number, and phone number. Although the exact number of affected individuals remains unclear, the sheer scale of the breach suggests that nearly everyone with a Social Security number may have been impacted.
Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, emphasized the significance of this breach. “It’s a reminder of the importance of protecting yourself because companies and the government aren’t doing it for us,” Steinhauer told CBS MoneyWatch.
National Public Data’s Response
In response to the breach, National Public Data posted a statement on its website, acknowledging that a “third-party bad actor” attempted to hack into their data in late December 2023. The potential leaks of certain data occurred in April 2024 and throughout the summer of the same year. The company claims it works closely with law enforcement and government investigators to address the situation. NPD also assured that they would notify individuals if any significant developments might affect them directly.
Understanding National Public Data
National Public Data, based in Coral Springs, Florida, is a data company that provides background checks for employers, investigators, and other businesses. The company’s services include searches for criminal records, vital records, Social Security number traces, and more. However, NPD is just one of many companies that scrape public data to create consumer files, which are then sold to other businesses.
“They are data brokers that collect and sell data about people, sometimes for background check purposes,” Steinhauer explained. The U.S.’s lack of a national privacy law allows these companies to collect data without individuals’ consent, creating a significant privacy concern.
