Background check company National Public Data faces at least a dozen class action lawsuits filed in Florida this month after a reportedly massive breach in which hackers may have stolen the data of billions of people, including hundreds of millions of Social Security numbers.
BiometricUpdate.com reported this week that the U.S. Justice Department and lawmakers, along with some state attorneys general, are investigating the data breach. Citing information from risk analysis firm Constella, the news site reported the attack appeared to compromise data for 292 million people, including Social Security numbers for 272 million.
The data does include errors, a Constella official told the site.
Two lawmakers, in a letter seeking information from National Public Data, said that if reports about the hack are true, "this data breach likely represents one of the largest cyberattacks ever in terms of impacted individuals."
In a data breach notice filed in Maine, the company said the hack was discovered on Dec. 30, 2023, and affected 1.3 million Americans.
Christopher Hofmann of Fremont, California, filed his class action lawsuit against Jerico Pictures, doing business as National Public Data, on Aug. 1, accusing the firm of failing to properly safeguard individuals' personally identifiable information, including names, current and past addresses covering decades, Social Security numbers and information about family members.
The company "intentionally, willfully, recklessly or negligently" failed to maintain adequate measures to safeguard the information, the lawsuit alleges, also contending that National Public Data scraped people's information from nonpublic sources without their consent or knowledge.
A Michigan woman filed a similar putative class action suit against National Public Data the same day in the same court — U.S. District Court for Southern Florida in Fort Lauderdale — and 10 other plaintiffs have done the same since, court records show.
A cybercriminal group going by USDoD gained access to NPD's network before April and was able to "exfiltrate" unencrypted data belonging to billions of people and sold it to "unknown criminals" on the dark web, Hofmann's complaint contends.
The lawsuit cites cybersecurity educational website vx-underground as reporting the cybercriminals placed National Public Data's database on a dark web site called Breached, where the hackers claimed they had data on 2.9 billion people and offered it for sale for $3.5 million.