August 19, 2024 By Jennifer Gregory

Billions of people’s data was published on the dark web around April 8, 2024 — from a single breach of National Public Data. However, many of the victims are still unaware of their exposure because they have yet to receive a notification or statement from the company.

Recently, one of the victims filed a class action lawsuit after learning that their data was breached when they received a notification from an identity theft protection service provider. What will this mean for people whose data was unknowingly sold on the dark web?

What happened in the National Public Data breach?

National Public Data, owned by Jerico Pictures, Inc., is a Florida-based background check business that collects data. The consumers included in National Public Data’s databases did not consent to giving their data to the company.

According to the lawsuit filed by Christopher Hofmann, a cyber criminal group called USDoD has posted on the dark web a database containing the private data of 2.9 billion U.S. citizens, including full names, social security numbers and addresses. The data also included information about the individuals’ relatives. One of the unique aspects of the data was the longevity — the addresses spanned decades of residence, and some relatives have been deceased for as long as two decades.

The hacker group put a purchase price on the database of $3.5 million. VX-Underground, an educational website focused on cybersecurity, confirmed that the information in the 277.1GB database was real and accurate after being informed by the group of its intention to leak the database. Because National Public Data is not bound by the CIRCIA requirements for critical infrastructure, the company was not required to report the breach within 72 hours.

“This unencrypted, unredacted PII was compromised, published and then sold on the Dark Web, due to the Defendant’s negligent and/or careless acts and omissions and their utter failure to protect customers’ sensitive data. Hackers targeted and obtained Plaintiff’s and Class Members’ PII because of its value in exploiting and stealing the identities of Plaintiff and Class Members. The present and continuing risk to victims of the data breach will remain for their respective lifetimes,” stated the lawsuit.

No public statement from National Public Data

In addition to neglecting to inform the victims, National Public Data has not released a public statement regarding the breach. The Los Angeles Times reported that the company responded to email inquiries with “We are aware of certain third-party claims about consumer data and are investigating these issues.” The lawsuit mentions the lack of notification as a top concern of the Plaintiff.

In the lawsuit, Hofmann asked for specific actions from National Public Data, including providing monetary relief. He requested that National Public Data purge all breached PII. In addition, he wants the company to encrypt all data going forward, use data segmentation, scan its databases and launch a threat-management program. Additionally, he would like a cybersecurity framework evaluation to be conducted annually until 2034.

Impact of the breach

While the details are still evolving, this breach appears to be the largest — or one of the largest — data breaches of all time. Because the 2013 Yahoo breach included 3 billion accounts and the National Public Data breach appears to include 2.9 billion people, Yahoo may still hold the record after the dust settles from this latest breach. The previous second- and third-place holders will move to third and fourth after this breach hits the record books. The 2017 River City Media breach involved 1.37 billion records, while the 2018 Aadhaar breach contained 1.1 billion.

As experts try to predict the decision in this matter, many are turning to past events for comparison. In a similar lawsuit filed against Yahoo, U.S. District Judge Lucy Koh in 2019 rejected Yahoo’s proposed settlement payout to 200 million impacted individuals with close to 1 billion accounts. Koh rejected the settlement offer for the following reasons:

  • Inadequate disclosures of breaches that also occurred in 2012
  • Release of the 2012 claims was “improper”
  • Improper disclosure of the settlement fund size
  • Settlement fund “appears likely to result in an improper” reverter of attorneys’ fees
  • The settlement doesn’t sufficiently disclose “the scope of non-monetary relief”
  • The size of the settlement class isn’t clearly defined

Moving forward

Consumers should continue to monitor the current situation as it evolves to learn if their data was breached. As a precaution, individuals should carefully monitor their credit reports and bank accounts and not respond to unsolicited information or account requests.

“If this in fact is pretty much the whole dossier on all of us, it certainly is much more concerning than prior breaches,” Teresa Murray, Consumer Watchdog Director for the U.S. Public Information Research Group, told the Los Angeles Times. “And if people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them.”
