August 19, 2024 By Jennifer Gregory 3 min read

Billions of people’s data was published on the dark web around April 8, 2024 — from a single breach of National Public Data. However, many of the victims are still unaware of their exposure because they have yet to receive a notification or statement from the company.

Recently, one of the victims filed a class action lawsuit after learning that their data was breached when they received a notification from an identity theft protection service provider. What will this mean for people whose data was unknowingly sold on the dark web?

What happened in the National Public Data breach?

National Public Data, owned by Jerico Pictures, Inc., collects data as a Florida-based background check business. The consumers included in National Public Data’s databases did not consent to giving their data to the company.

According to the lawsuit filed by Christopher Hofmann, a cyber criminal group called USDoD has posted on the dark web a database containing the private data of 2.9 billion U.S. citizens, including full names, Social Security numbers and addresses. The data also included information about the individuals’ relatives. One of the unique aspects of the data was the longevity — the addresses spanned decades of residence, and some relatives have been deceased for as long as two decades.

The hacker group put a purchase price of $3.5 million on the database. VX-Underground, an educational website focused on cybersecurity, confirmed that the information in the 277.1GB database was real and accurate after being informed by the group of its intention to leak the database. Because National Public Data is not bound by the CIRCIA requirements for critical infrastructure, the company was not required to report the breach within 72 hours.

“This unencrypted, unredacted PII was compromised, published and then sold on the Dark Web, due to the Defendant’s negligent and/or careless acts and omissions and their utter failure to protect customers’ sensitive data. Hackers targeted and obtained Plaintiff’s and Class Members’ PII because of its value in exploiting and stealing the identities of Plaintiff and Class Members. The present and continuing risk to victims of the data breach will remain for their respective lifetimes,” stated the lawsuit.

No public statement from National Public Data

In addition to neglecting to inform the victims, National Public Data has not released a public statement regarding the breach. The Los Angeles Times reported that the company responded to email inquiries with “We are aware of certain third-party claims about consumer data and are investigating these issues.” The lawsuit mentions the lack of notification as a top concern of the Plaintiff.

In the lawsuit, Hofmann asked for specific actions from National Public Data, including providing monetary relief. He requested that National Public Data purge all breached PII. In addition, he wants the company to encrypt all data going forward, use data segmentation, scan its databases and launch a threat-management program. Additionally, he would like a cybersecurity framework evaluation to be conducted annually until 2034.

Impact of the breach

While the details are still evolving, this breach appears to be the largest — or one of the largest — data breaches of all time. Because the 2013 Yahoo breach included 3 billion accounts and the National Public Data breach appears to include 2.9 billion people, Yahoo may still hold the record after the dust settles from this latest breach. The previous second- and third-place holders will move to third and fourth after this breach hits the record books. The 2017 River City Media breach involved 1.37 billion records, while the 2018 Aadhaar breach contained 1.1 billion.

As experts try to predict the decision in this matter, many are turning to past events for comparison. In a similar lawsuit filed against Yahoo, U.S. District Judge Lucy Koh in 2019 rejected Yahoo’s proposed settlement payout to 200 million impacted individuals with close to 1 billion accounts. Koh rejected the settlement offer for the following reasons:

  • Inadequate disclosures of breaches that also occurred in 2012
  • Release of the 2012 claims was “improper”
  • Improper disclosure of the settlement fund size
  • Settlement fund “appears likely to result in an improper” reverter of attorneys’ fees
  • The settlement doesn’t sufficiently disclose “the scope of non-monetary relief”
  • The size of the settlement class isn’t clearly defined

Moving forward

Consumers should continue to monitor the current situation as it evolves to learn if their data was breached. As a precaution, individuals should carefully monitor their credit reports and bank accounts and not respond to unsolicited information or account requests.

“If this in fact is pretty much the whole dossier on all of us, it certainly is much more concerning than prior breaches,” Teresa Murray, Consumer Watchdog Director for the U.S. Public Information Research Group, told the Los Angeles Times. “And if people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them.”
