US NPD Confirms Being Hacked, 2.9 Billion Personal Records Leaked

Background investigation company National Public Data (NPD) has confirmed a data breach that may have exposed 2.9 billion pieces of personal information, affecting individuals in the United States, Canada, and the United Kingdom.

In April of this year, a hacker group known for selling stolen information, “USDoD,” began selling a vast amount of data on the dark web for $3.5 million, claiming that it included records on 2.9 billion people, impacting “the entire populations of the United States, Canada, and the United Kingdom.”

If the hacker group’s claims are true, this breach could be one of the largest data leaks in history in terms of the number of people affected.

The data breach has already sparked a class-action lawsuit.

California resident Christopher Hofmann said he became aware of the issue in July, when identity theft protection services notified him that his personal information had been leaked and published on the dark web.

Subsequently, Hofmann and other victims filed a class-action lawsuit. The complaint alleges that, for business purposes, NPD collected billions of pieces of personal information from undisclosed sources, meaning the plaintiffs did not willingly provide their data to the company.

According to the complaint, the leaked information includes social security numbers, past and present addresses, and sensitive details about the plaintiffs’ parents, siblings, and other relatives (including some relatives who died nearly 20 years ago).

Hofmann accuses NPD of negligence, unjust enrichment, breach of fiduciary duty, and breach of third-party beneficiary contracts, and is seeking compensation.

Hofmann also asks the court to order NPD to erase all personal information of affected individuals and encrypt all future data collected.

For several months, NPD made no statement or response. Earlier this week, it finally confirmed the data breach, without specifying how many people’s information had been stolen.

In a statement released on Monday, NPD stated that the hacker group attempted to breach the company’s database in December 2023 and may have exposed some data in April and the summer of 2024.

NPD disclosed that the potentially leaked information includes names, email addresses, phone numbers, social security numbers, and physical addresses.

The company stated that it is collaborating with law enforcement and government investigators and conducting reviews of potentially compromised records. Further notifications will be issued if there are significant developments.

NPD has not responded to requests for comment from several media outlets. However, according to the Los Angeles Times, NPD has responded by email to some individuals seeking help, stating that the company has “deleted the entire database” and removed “undisclosed personal information.”

Cybersecurity experts advise that if individuals receive notifications of their personal information being leaked, the first step should be to change passwords for affected accounts to prevent unauthorized access. It is also recommended to update passwords for any other accounts that use the same password.