A new lawsuit alleges that hackers gained access to the personal information of “billions of individuals,” including their Social Security numbers, current and previous addresses, and the names of siblings and parents — personal data that allows fraudsters to infiltrate financial accounts or take out loans in their names.
The allegation arose in a lawsuit filed earlier this month by Christopher Hofmann, a California resident who claims his identity theft protection service alerted him that his personal information had been leaked to the dark web through the breach of “nationalpublicdata.com.” The lawsuit was previously reported by Bloomberg Law.
The breach is said to have occurred around April 2024, with a hacking group called USDoD exfiltrating the unencrypted personal information of billions of individuals from a company called National Public Data (NPD), a background check company, the lawsuit says. Earlier this month, a hacker leaked a version of the stolen NPD data for free on a hacking forum, tech site Bleeping Computer reported.
According to Bleeping Computer, the stolen files contained 2.7 billion records, including a person’s full name, address, date of birth, social security number and phone number.
NPD did not immediately respond to a request for comment.
Here’s what you need to know about the alleged hack.
What is national public data?
National Public Data is a data company based in Coral Springs, Florida, that performs background checks for employers, investigators and other companies that want to check people’s backgrounds. The searches include criminal records, vital records, SSN traces and more information, according to its website.
What happened with the USDoD hack?
According to the new lawsuit, on April 8, USDoD posted a database called “National Public Data” on the dark web, claiming it contained information on approximately 2.9 billion individuals. It asked for a purchase price of $3.5 million, the lawsuit alleges.
However, Bleeping Computer reported that the file was later leaked for free on a hacker forum, as mentioned above.
Did NPD warn people about the hack?
That’s unclear, though the lawsuit states that NPD has “still failed to provide any notice or warning” to Hoffman or other people affected by the breach.
“In fact, the vast majority of the members of the class, on information and belief, were unaware that their sensitive [personal information] were compromised and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm,” the lawsuit said.
Information security firm McAfee said it found no records with state attorneys general. Some states require companies that have suffered data breaches to file reports with their attorney general’s offices.
What should I do to protect my data?
Security experts are advising consumers to freeze their credit files with the three major credit bureaus: Experian, Equifax and TransUnion.
Freezing your credit is free and prevents malicious parties from taking out loans or opening credit cards in your name.
You can also get a tracking service that will alert you if your information appears on the dark web. And make sure to sign up for two-factor authentication, which makes it harder for hackers to access your accounts.
