National Public Data breach: Lawsuit claims failed to protect billions of personal records

Gavel sits on macbook keyboard
(Image credit: Getty Images)

A proposed class action lawsuit has alleged that nearly three billion records were stolen during a cyber attack targeting background checking service, National Public Data, in April.

Jerico Pictures, which operates National Public Data (NPD), is a background-checking service which scrapes personally identifiable information (PII) of individuals from non-public sources.

On 8 April, the threat actor USDoD listed National Public Data on a popular underground forum, Breached, hosted on the dark web, claiming to have personal data linked to over 270 million people, according to the court docket from the proposed case.

USDoD claimed the cache held sensitive information such as social security numbers, full names, family information, as well as current and past addresses.

The leaked data spans from 2019 to 2024, with 2.9 billion rows, constituting 277.1GB when uncompressed, which users can buy access to for $3.5 million.

USDoD said it would also provide buyers with credentials to access the NPD’s server.

First reported by Bloomberg Law, court documents stated it was not clear how the attack happened, but that USDoD gained access to the network prior to April 2024, and was able to exfiltrate the unencrypted personal information of billions of people.

If confirmed, it could be one of the largest data breaches in history in terms of the number of individuals affected.

Dark web monitor vx-underground noted that USDoD clarified it was simply a broker or middleman for the initial listing of Jerico Pictures, and that credit for the compromise should be given to an individual with the handle ‘SXUL’.

Affected individuals unaware NPD had collected their PII

Because NPD scraped the PII from non-public sources, individuals would not have been aware the firm had access to their sensitive data, nor that it may have been potentially leaked on the dark web.

Vx-underground added that the database did not contain any information from individuals who use data opt-out services. The plaintiff, Christopher Hofmann, and billions of others, were not so lucky.

Hofmann claimed he had received a notification from his identity theft protection provider notifying him that his PII was compromised as a direct result of the NPD breach, and that it had subsequently ended up on the dark web,

The docket stated Hofmann never directly provided his PII to NPD, adding he would never have done so without assurances the information would remain confidential and the appropriate precautions were taken to prevent leaks.

RELATED WHITEPAPER

Court documents claim Hofmann and other individuals affected by the breach were not current or former customers, but “had the misfortune of having their PII targeted, mined, and scraped by [Jerico Pictures] from non-public sources without their consent.”

The class action alleges that by obtaining, collecting, using, and deriving benefit from the affected individuals’ PIII, Jerico Pictures assumed legal and equitable duties and knew, or at least should have known, it had a responsibility to protect this data from being made public.

The lawsuit is seeking restitution for a series of injuries caused by the incident, including invasion of privacy, lost or diminished value of PII, lost opportunity costs associated with attempting to mitigate the consequences of the breach and more.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.