National Public Data, a company specializing in background checks and fraud prevention, has experienced a significant data breach. The data collected by the company has reportedly fallen into the hands of a hacking group known as "USDoD," which began selling access to the stolen information in April. The stolen data is said to include details of users from the US, UK, and Canada.
The company is now facing a class-action lawsuit, as reported by Bloomberg Law. The lawsuit was filed by Christopher Hoffman, a resident of California, after his identity protection service alerted him that his personal data had been compromised in the breach.
The scope of the data leak could be one of the largest ever recorded, though the full extent is still unconfirmed. National Public Data has not yet responded to requests for comment. However, in June, malware repository VX Underground reviewed the stolen data, which was initially on sale for $3.5 million.
VX Underground confirmed the authenticity of the massive 277.1GB uncompressed file, noting that the data included real and accurate information. They verified the details of several individuals who consented to the search of their information. According to VX Underground, the stolen data encompasses Social Security numbers, full names, and user address history spanning over three decades. It appears that the personal information of users who opted out of data collection was not included. USDoD acted as a broker for the sale, while a mysterious individual known as "SXUL" was behind the breach.
Although USDoD intended to sell the data to private buyers, it has reportedly been circulating freely on a popular hacker forum, posing a significant risk of identity theft. The archive is said to include dates of birth and phone numbers, though users who have downloaded the 277GB file report numerous duplicates. Some entries pertain to the same individual at different addresses, and others cover deceased persons. As a result, the actual number of affected individuals is estimated to be closer to 225 million, rather than the initially believed 2.9 billion.
National Public Data had previously advertised its People Finder tool, claiming access to over 2.2 billion merged records covering the entire adult population of the USA and its territories. In response to the breach, some identity protection services have already begun analyzing the stolen data and notifying affected consumers whose Social Security numbers were found in the archive. Hoffman's class-action lawsuit demands that National Public Data pay damages and implement several IT security changes, including the deletion of stored data on US users unless a reasonable justification is provided.