August 19, 2024 By Jennifer Gregory 3 min read

Billions of people’s data was published on the dark web around April 8, 2024 — from a single breach of National Public Data. However, many of the victims are still unaware of their exposure because they have yet to receive a notification or statement from the company.

Recently, one of the victims filed a class action lawsuit after learning that their data was breached when they received a notification from an identity theft protection service provider. What will this mean for people whose data was unknowingly sold on the dark web?

What happened in the National Public Data breach?

National Public Data, owned by Jerico Pictures, Inc., collects data as a Florida-based background check business. The consumers included in National Public Data’s databases did not consent to giving their data to the company.

According to the lawsuit filed by Christopher Hofmann, a cyber criminal group called USDoD has posted a database containing the private data of 2.9 billion U.S. citizens, including full names, social security numbers and addresses on the dark web. The data also included information about the individuals’ relatives. One of the unique aspects of the data was the longevity — the addresses spanned decades of residence, and some relatives have been deceased for as long as two decades.

The hacker group put a purchase price on the database of $3.5 million. VX-Underground, an educational website focused on cybersecurity, confirmed that the information in the 277.1GB database was real and accurate after being informed by the group of its intention to leak the database. Because National Public Data is not bound by the CIRCIA requirements for critical infrastructure, the company was not required to report the breach within 72 hours.

“This unencrypted, unredacted PII was compromised, published and then sold on the Dark Web, due to the Defendant’s negligent and/or careless acts and omissions and their utter failure to protect customers’ sensitive data. Hackers targeted and obtained Plaintiff’s and Class Members’ PII because of its value in exploiting and stealing the identities of Plaintiff and Class Members. The present and continuing risk to victims of the data breach will remain for their respective lifetimes,” stated the lawsuit.

Full Cost of a Data Breach Report

No public statement from National Public Data

In addition to neglecting to inform the victims, National Public Data has not released a public statement regarding the breach. The Los Angeles Times reported that the company responded to email inquiries with “We are aware of certain third-party claims about consumer data and are investigating these issues.” The lawsuit mentions the lack of notification as a top concern of the Plaintiff.

In the lawsuit, Hofmann asked for specific actions from National Public Data, including providing monetary relief. He requested that National Public Data purge all breached PII. In addition, he wants the company to encrypt all data going forward, use data segmentation, scan its databases and launch a threat-management program. Additionally, he would like a cybersecurity framework evaluation to be conducted annually until 2034.

Impact of the breach

While the details are still evolving, this breach appears to be the largest — or one of the largest — data breaches of all time. Because the 2013 Yahoo Breach included 3 billion accounts and the National Public Data breach appears to include 2.9 billion people, Yahoo may still hold the record after the dust settles from this latest breach. The previous second and third place-holders will move to third and fourth after this breach hits the records books. The 2017 River City Media breach involved 1.37 billion records, while the 2018 Aadhaar breach contained 1.1 billion.

As experts are predicting the decision in this matter, many are turning to past events for comparison. In a similar lawsuit filed against Yahoo, U.S. District Judge Lucy Koh rejected Yahoo’s settlement for payout in 2019 to 200 million impacted individuals with close to 1 billion accounts. Koh rejected the settlement offer for the following reasons:

  • Inadequate disclosures of breaches that also occurred in 2012
  • Release of the 2012 claims was “improper”
  • Improper disclosure of the settlement fund size
  • Settlement fund “appears likely to result in an improper” reverter of attorneys’ fees
  • The settlement doesn’t sufficiently disclose “the scope of non-monetary relief”
  • The size of the settlement class isn’t clearly defined

Moving forward

Consumers should continue to monitor the current situation as it evolves to learn if their data was breached. As a precaution, individuals should carefully monitor their credit reports and bank accounts and not respond to unsolicited information or account requests.

“If this in fact is pretty much the whole dossier on all of us, it certainly is much more concerning than prior breaches,” Teresa Murray, Consumer Watchdog Director for the U.S. Public Information Research Group told the Los Angeles Times. “And if people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them.”

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today