FORT LAUDERDALE, Fla. (WJET/WFXP) — Billions of records containing personal information of U.S. residents may have been exposed after a background check company fell victim to a breach, a new lawsuit alleges.
The class action lawsuit was filed against Jerico Pictures Inc., which was doing business as National Public Data (NPD), a background check company that provides access to public records obtained “from various public record databases, court records, state and national databases and other repositories nationwide.”
However, the complaint, filed in Florida, argues NPD “scrapes the [personal information] of potentially billions of individuals from non-public sources” and does so without the consent of those individuals.
Among those allegedly impacted is Christopher Hofmann, the named plaintiff in the case. According to the lawsuit, Hofmann received a notification from his identity theft protection service provider on July 24 alerting him that his data was exposed in a breach and leaked on the dark web.
The suit claims Hofmann never gave NPD access to his personal information.
Attorneys in the case say NPD told those submitting a background check that their information would be “safe,” “confidential” and private, and held only as long as needed. They alleged that instead, NPD failed “to properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices.”
The lawsuit acknowledges that NPD has not made an official notification regarding the exact details of the breach, including “how or when the data breach occurred,” and that those impacted have not been notified.
However, the lawsuit points to the findings of VX-Underground, said to be “an educational website about malware and cybersecurity.” The website reported that in early April 2024, “a Threat Actor operating under the moniker ‘USDoD’ placed a large database up for sale on Breached titled: ‘National Public Data.’ They claimed it contained 2,900,000,000 records on United States citizens. They put the data up for sale for $3,500,000.” (It’s unclear whether there were 2.9 billion pieces of personal data accessed, or, as the lawsuit says later, personal information of “approximately 2.9 billion individuals.”)
VX-Underground said it was informed USDoD planned to leak the database, which was put up for sale for $3.5 million. According to the lawsuit, VX-Underground received an advanced copy of the database — a “massive file” of 277.1GB of data — and determined it was “real and accurate.”
The site claimed those who used a “data opt-out service” did not have personal information in the database, but the lawsuit did not explain how VX-Underground determined this. The site did report finding names, addresses (including previous addresses dating back more than three decades), Social Security numbers, and enough information to identify relatives of those who did not use a data opt-out service, including some who are deceased, in the database.
The lawsuit accuses NPD of failing to protect the personal information of those impacted and notifying them of the apparent breach.
While those impacted are said to reside in the U.S., it’s unclear how many people may have been affected. (The database allegedly contained information belonging to more than 2.9 billion people, however, the U.S. has a population well below 1 billion, and the global population is around 8.07 billion, U.S. Census data shows.)
If billions of people have been impacted, this breach could be one of the largest in history. In 2013, Yahoo’s network was attacked, affecting all 3 billion of its user accounts, making it the most widespread breach on record.
As of Sunday, there are no future court dates scheduled in the case. Nexstar reached out to NPD for comment but did not receive a response.
How to protect yourself from a data breach
Avoiding data breaches entirely can be tricky in our ever-digitized world, but consumers can take some steps to help protect themselves going forward.
The basics include creating hard-to-guess passwords and using multifactor authentication when possible. If you receive a notice about a breach, it’s a good idea to change your password and monitor account activity for any suspicious transactions.
You’ll also want to visit a company’s official website for reliable contact information — as scammers sometimes try to take advantage of news like data breaches to gain your trust through look-alike phishing emails or phone calls.
In addition, the Federal Trade Commission notes that nationwide credit bureaus — such as Equifax, Experian and TransUnion — offer free credit freezes and fraud alerts that consumers can set up to help protect themselves from identity theft and other malicious activity.
The Associated Press contributed to this report.