Background Check Firm National Public Data Suffers Massive Data Breach Impacting 2.9 Billion Individuals
A recently filed class action lawsuit has revealed details of a major data breach suffered by background check company National Public Data (NPD) in April 2024. According to court filings, a threat actor known as USDoD hacked into NPD’s systems and stole the personal information of a staggering 2.9 billion individuals.
National Public Data is a background checking service that scrapes people’s personal details from non-public sources. On April 8th, 2024, hacker group USDoD reportedly listed the stolen NPD data for sale on a popular dark web forum called Breached. USDoD claimed to have over 277GB of uncompressed data containing information such as Social Security numbers, names, addresses and family details linked to 2.9 billion people. This would make it one of the largest data breaches ever in terms of the number of individuals impacted.
Stolen Data Allegedly Spans Years with No Victim Awareness
The stolen data span from 2019 to 2024, indicating NPD had been collecting and storing individuals’ sensitive personal information for years. However, since NPD scraped the details from non-public sources rather than collecting directly from the individuals, the victims would have been unaware that the firm even had their data, let alone that it may have been stolen in a breach.
The lawsuit filed by plaintiff Christopher Hofmann states that he was notified by his identity theft protection service that his own data was part of the leaked NPD cache circulating on dark web hacking forums. Hofmann claims to have never provided his information directly to NPD and would not have consented without assurances of security and confidentiality. Like billions of others swept up in NPD’s expansive databases, Hofmann had no knowledge or control over how his personal information was being collected and used.
Hack Achieved via Unknown Method, Data Not Encrypted
It remains unclear exactly how the NPD network was breached. Court documents state that hacker group USDoD gained access to NPD’s systems sometime prior to April 2024 and extracted the unencrypted personal records of billions. USDoD later acted as a broker, listing the spilled data cache for purchase on the dark web at a price of $3.5 million.
The lawsuit alleges that by scraping, collecting and profiting from individuals’ personal information without consent, NPD assumed responsibilities to safeguard the data. However, the leaked materials showed NPD failed to implement even basic security protections like encryption. The exposed victims now face tangible risks of identity theft, lost privacy and more as their Social Security numbers, financial records and addresses are freely traded among cybercriminals.
Class Action Seeks Damages for Invasion of Privacy and Negligence over the NPD Data Breach
The class action complaint accuses NPD of invasion of privacy, negligence and more. It aims to obtain restitution for the plaintiffs regarding injuries like diminished value of their personal information, costs incurred while attempting to mitigate the breach impact, and lost time addressing identity theft risks. With nearly 10% of the world’s population possibly exposed in the breach, this lawsuit could represent one of the costliest data compromise cases ever for a company.
The NPD breach serves as a cautionary tale of the dangers of mass data collection and aggregation without user consent or proper security controls. With social media and corporate data harvesting practices increasingly omnipresent, incidents like this demonstrate how personal details we share privately with a few parties can later be exposed globally, through no fault of our own, if the custodians of that data fail to protect it adequately. The full scale of this breach’s consequences may not be known for some time.