2.9 Billion Records Stolen in Hack, Including Social Security Numbers, Lawsuit Alleges

By Rachel Acenas
August 15, 2024 | US News
A Social Security card sits alongside checks from the U.S. Treasury in Washington on Oct. 14, 2021. (Kevin Dietsch/Getty Images)

A massive cyber attack has compromised 2.9 billion records, according to a new class-action lawsuit.

A complaint filed in the U.S. District Court for the Southern District of Florida claims that a cybercriminal group called USDoD hacked Florida-based company National Public Data, which stores personal information.

The hackers put the database up for sale for $3.5 million on a dark web forum.

The class-action complaint alleged that the exposed information includes Social Security numbers, full names, current and past addresses, and information about relatives that spans at least the last three decades.

The plaintiff, listed as Christopher Hoffman on behalf of others affected, has accused National Public Data of failing to “properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices.”

National Public Data has not yet publicly released an official company response. According to its website, various businesses use National Public Data services to access criminal records and conduct background checks. The platform is used by private investigators, consumer public record sites, human resources, and staffing agencies.

“Search billions of records with instant results,” the website states.

NTD News reached out to National Public Data but did not receive a response by the time of publication. 

Hoffman, in the complaint, alleges that his identity-theft protection service provider notified him in July that his data was exposed in a breach of National Public Data and that the hackers leaked the database on the dark web. Hoffman states that he never provided his information to National Public Data.

The complaint maintains that individuals affected by the breach were not customers of National Public Data; rather, their information was “scraped” by “unauthorized third parties” and shared with the company without their knowledge.

Furthermore, the company held unencrypted personal records, which made them easily accessible to hackers. The hackers were able to “exfiltrate” the unencrypted data of billions of individuals stored on the company’s network, according to the lawsuit.

In addition to monetary relief, the plaintiff asked the court to require National Public Data to apply the latest security updates, implement a threat management program, perform regular audits, and appoint an independent assessor to evaluate its cyber security annually for 10 years.

To prevent personal accounts from being hacked, cyber security experts advise people to sign up for credit monitoring and use multi-factor authentication to protect online accounts, as well as ensure that they download and update the latest versions of apps and software.

More than 1,500 data breaches occurred in the first half of 2024, affecting about 1 billion people, according to a recent report by the Identity Theft Resource Center. That’s 14 percent higher than the previous year.

AT&T notified millions of customers in April that their information had been stolen following a breach in which customer data was illegally downloaded from its workspace on a third-party cloud platform.

Ticketmaster was also hacked in July. A cybercriminal group stole the personal details of 560 million customers and demanded a substantial ransomware payment to prevent the information from being sold to other parties.