A lawsuit filed this month alleges that a recent data breach may have leaked the personal information of billions of people, including Social Security numbers.
Teresa Murray, consumer watchdog director for the U.S. Public Interest Research Group, said this information could fuel future identity thefts, fraud and other crimes, according to the Los Angeles Times.
“This class action arises out of the data breach that upon information and belief occurred in or around April of 2024 involving Defendant NPD (the “Data Breach”), a background check company that allows its customers to search billions of records with instant results,” said the class action suit brought against Jerico Pictures, Inc. dba National Public Data by plaintiff Christopher Hofmann. A copy of the suit was published by Bloomberg Law.
Law firm Schubert Jonckheer & Kolbe LLP announced that it is investigating the data breach. It said the breach impacted the private information in 2.9 billion records stored by National Public Data, which it described as a Florida-based background-check company.
“NPD scrapes data from public record databases, national and state databases, and court records, including nonpublic sources,” said the law firm. “It then sells this private data to a wide range of organizations, including background check websites, investigators, app developers, and data resellers.”
Cliff Steinhauer – director of information security and engagement at The National Cybersecurity Alliance, a nonprofit that promotes online safety – told CBS MoneyWatch that NPD and other companies can do this “because there’s no national privacy law in the U.S. – there is no law against them collecting this data against our consent.”
He said this data is often scraped for background check purposes and it is bought and sold by data brokers.
It is possible “that everyone with a Social Security number was impacted,” Steinhauer said.
Per the Los Angeles Times, people often provide their Social Security number and personal information to banks, insurance companies and service providers when seeking accounts.
While people may need to provide this information in certain situations, the Social Security Administration warns that people open themselves up to risk every time they divulge their SSN.
“Because many organizations still use SSNs as the primary identifier, exposure to identity theft and fraud remains,” the administration added.
In a statement on the National Public Data website, the company said: “There appears to have been a data security incident that may have involved some of your personal information.”
It said the breach is “believed to have involved a third-party bad actor,” that tried to hack into data last December. Information was then leaked this April and in the summer. Through an investigation, National Public Data discovered that information included in the suspected breach included names, email addresses, phone numbers, social security numbers, and mailing addresses.
“A few key pieces appeared to be missing from the hackers’ haul,” the Los Angeles Times reported. “One is email addresses, which many people use to log on to services. Another is driver’s license or passport photos, which some governmental agencies rely on to verify identities.”
Citing the lawsuit, the Los Angeles Times identified the hacker group as USDoD. It said that a purported member of USDoD identified as Felice told a hacking forum that they were offering “the full NPD database,” last week, based on a screenshot provided by BleepingComputer.
According to the Los Angeles Times, NPD said in an email that it “purged the entire database, as a whole, of any and all entries, essentially opting everyone out,” but also said that it “may be required to retain certain records to comply with legal obligations.”
“We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you,” said the National Public Data statement. “We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems.”
However, Steinhauer said the breach should be a reminder to everyone to protect their personal information.
“If people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them,” Murray told the Los Angeles Times.
Michael Blair, managing director of cybersecurity firm NukuDo said there are tools available for those who want to check if their personal data is on the dark web. That’s actually how Hofmann, the man who filed the lawsuit, found that his information had been breached.
Anyone concerned that their data may have been breached is advised to put a freeze on their credit reports from Equifax, Experian and TransUnion. This will prevent any new accounts to be opened in someone’s name. Freezes should not take more than three business days to take effect or to be taken off, according to USA.gov, which provides information about how to freeze credit reports.