Data Firm Faces a Dozen Suits Over Social Security Number Leak

News August 29, 2024 at 01:15 PM
Share & Print

What You Need To Know

  • The data breach is thought to have compromised the Social Security numbers of 272 million people.
  • If reports are true, the attack on National Public Data may be one of the largest ever in terms of the number of people affected, lawmakers say.
  • National Public Data didn't adequately safeguard personal information, plaintiffs argue.
A hooded hacker uses a computer.

Background check company National Public Data faces at least a dozen class action lawsuits filed in Florida this month after a reportedly massive breach in which hackers may have stolen the data of billions of people, including hundreds of millions of Social Security numbers.

BiometricUpdate.com reported this week that the U.S. Justice Department and lawmakers, along with some state attorneys general, are investigating the data breach. Citing information from risk analysis firm Constella, the news site reported the attack appeared to compromise data for 292 million people, including Social Security numbers for 272 million.

The data does include errors, a Constella official told the site.

Two lawmakers, in a letter seeking information from National Public Data, said that if reports about the hack are true, "this data breach likely represents one of the largest cyberattacks ever in terms of impacted individuals."

In a data breach notice filed in Maine, the company said the hack was discovered on Dec. 30, 2023, and affected 1.3 million Americans.

Christopher Hofmann of Fremont, California, filed his class action lawsuit against Jerico Pictures, doing business as National Public Data, on Aug. 1, accusing the firm of failing to properly safeguard individuals' personally identifiable information, including names, current and past addresses covering decades, Social Security numbers and information about family members.

The company "intentionally, willfully, recklessly or negligently" failed to maintain adequate measures to safeguard the information, the lawsuit alleges, also contending that National Public Data scraped people's information from nonpublic sources without their consent or knowledge.

A Michigan woman filed a similar putative class action suit against National Public Data the same day in the same court — U.S. District Court for Southern Florida in Fort Lauderdale — and 10 other plaintiffs have done the same since, court records show.

A cybercriminal group going by USDoD gained access to NPD's network before April and was able to "exfiltrate" unencrypted data belonging to billions of people and sold it to "unknown criminals" on the dark web, Hofmann's complaint contends.

The lawsuit cites cybersecurity educational website vx-underground as reporting the cybercriminals placed National Public Data's database on a dark web site called Breached, where the hackers claimed they had data on 2.9 billion people and offered it for sale for $3.5 million.

Vx-underground also reported that USDoD planned to leak the information, according to the complaint. Individuals who had used data opt-out services weren't included in the database, according to the suit, which cited vx-underground.

The complaint from Yvette Burgen of Michigan cited a report asserting the cybercriminals claimed to have 2.9 billion records on all U.S., Canadian and British citizens.

National Public Data recently posted information about a "security incident" involving a breach in April and this summer that may have compromised individuals' personal information.

A company investigation found that potentially breached data included names, email addresses, phone numbers, Social Security numbers and mailing addresses, NPD posted on its website.

NPD recommended that people closely monitor their financial accounts and promptly contact their financial institution if they see any unauthorized activity. The company also suggested contacting the three U.S. credit reporting agencies to obtain a free credit report.

The National Cybersecurity Alliance has recommended consumers freeze their credit.

While Hofmann's suit describes the company as headquartered in Coral Springs, neither the Jerico nor the National Public Data names appeared on a Florida business entity search website.

A recording at Jerico's Florida phone number directed callers to the company's Los Angeles office. ThinkAdvisor left a message at that number Wednesday.

Image: Sergey Nivens/Adobe Stock

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Related Stories

Resource Center