Nearly 3 billion unencrypted records containing personal data of people living in the U.S., Canada and U.K. may have been leaked, according to a class action lawsuit filed in Florida.
The complaint stated that National Public Data — a Florida-based data broker company owned by Jerico Pictures, Inc. that conducts background checks — was breached in April, revealing people's full names, current and past addresses and Social Security Numbers, as well as data tied to living and deceased family members.
NPD obtains its data by scraping the personally identifiable information of billions of individuals from non-public sources. This means that those affected may not have knowingly provided their data to the company, according to the suit.
It is unlikely that the breach impacted as many as 3 billion people because each address an individual has lived at will generate a separate record.
The data first appeared on April 8, when hacking group USDoD posted a database on "Breached," a dark web forum, and claimed to have 2.9 billion rows of unencrypted records. They put it up for sale for $3.5 million.
"We reviewed the massive file – 277.1GB uncompressed, and can confirm the data present in it is real and accurate," malware source code collector @vx-underground posted on X.
The "full NPD database" became public on Aug. 6 when a user named "Fenice" leaked about 2.7 billion records on the same forum, according to cybersecurity news website BleepingComputer.
"Fenice" attributed the hack to an individual operating under the moniker "SXUL," which was also confirmed by @vx-underground on X.
Get a weekly recap of the latest San Francisco Bay Area housing news. Sign up for NBC Bay Area’s Housing Deconstructed newsletter.
BleepingComputer said that while it cannot verify if the leak contains data on every person in the U.S., "numerous people have confirmed ... that it included their and family members' legitimate information, including those who are deceased."
BleepingComputer also reported that not all information in the database is accurate, with some SSNs being paired with incorrect personal data.
Christopher Hofmann, a named plaintiff in the class action suit, received a notification on July 24 from his identity theft protection service provider that his information had been leaked onto the dark web as a "direct result of the 'nationalpublicdata.com' breach."
In the lawsuit, the Californian resident accused NPD of negligence, breach of third-party beneficiary contract, unjust enrichment and breach of fiduciary duty. He asked the court to require NPD to provide monetary relief, purge the personal information of all individuals affected and implement measures to reduce cybersecurity threats.
No public notice regarding the possible leak has been made by National Public Data. If the breach is confirmed, those who are impacted should remain vigilant and take action to protect their personal information.
