Nearly Every American’s SSN Is Believed to Have Been Leaked in April Cybersecurity Breach, Class-action Lawsuit to Follow

Photo Source: Kevin Dietsch/Getty Images via Yahoo Finance

Nearly every American’s social security number and other sensitive information is believed to have been leaked and sold on the dark web in what has been described as the largest data breach in today’s digital age.

Bloomberg Law first reported on the data breach after a proposed class action lawsuit was filed last week in the US District Court for the Southern District of Florida. The lawsuit details that a nefarious group by the name of USDoD compiled and posted a database on the dark web titled “National Public Data.” The database, which is reported to have the personal data of nearly three billion people, was put up for sale and eventually sold for $3.5 million.

Murmurs of the data breach were first reported in April. After the group USDoD posted the data for sale on the dark web, other nefarious actors followed in their tracks. One actor known online as “Fenice” posted the most complete version of the data for free in August, as reported by the tech and cybersecurity news outlet BleepingComputer.

According to the lawsuit, it’s not yet clear how the data breach happened, but officials have been able to pinpoint how the information of nearly three billion individuals was targeted, extracted, and compiled for profit on the dark web.

At the center of what will likely be a historic data breach, following the 2013 Yahoo breach which is believed to have impacted nearly three billion individuals, is the company Jerico Pictures Inc., which operates under the name National Public Data.

National Public Data is a background check company, one of hundreds if not thousands in the country. The company collects the personal identifying information (PII) of individuals by scouring non-public sources. These sources include national and state databases, public records, and court records. The company then sells this aggregated data to background check websites, investigators, data resellers, and app developers. Included in the data is everything from an individual's name to their social security number, date of birth, all known addresses, and other sensitive information. The complaint states that the company collected this PII without the consent of the plaintiffs.

National Public Data states in the lawsuit that it has cooperated and will continue to work with investigators. Despite this assurance, California resident and lead plaintiff, Christopher Hofmann, alleges that National Public Data was negligent in failing to safeguard its systems, engaged in unjust enrichment, and breached its fiduciary duty and third-party beneficiary contracts.

In the lawsuit, Hofmann is seeking to have a court require that National Public Data purge the PII of all the individuals impacted, essentially nearly every American if the reports of the individuals impacted are verified. Additionally, Hofmann is seeking to have National Public Data encrypt all data collected going forward.

Keeping in line with cybersecurity practices, Hofmann is also asking the court to require National Public Data to segment data, conduct database scanning, implement a threat-management program, and appoint a third-party assessor that will evaluate cybersecurity frameworks every year for 10 years.

Nadia El-Yaouti
Nadia El-Yaouti is a postgraduate from James Madison University, where she studied English and Education. Residing in Central Virginia with her husband and two young daughters, she balances her workaholic tendencies with a passion for travel, exploring the world with her family.