Hackers steal personal data of nearly 3 billion people in one of the largest data breaches ever
No matter how cautious you are online, your data can still fall into the hands of hackers, as evidenced by a recent data breach that exposed the sensitive information of nearly 3 billion people. According to a report from Bloomberg, hackers have stolen the sensitive data of 2.9 billion people from Jerico Pictures Inc., a background-check company operating as National Public Data.
The exposed data includes full names, past and current addresses spanning 30 years, Social Security numbers, and information about relatives, some of whom have been deceased for nearly two decades. This hack, one of the largest data breaches ever reported, is the latest addition to a growing list of companies targeted by cybercriminals in recent months.
The breach became public on April 8 when a group of cybercriminals named USDoD posted a database titled “National Public Data” on a dark web forum, claiming to have personal data on 2.9 billion people. They listed the database for sale at $3.5 million, as stated in a complaint filed Thursday in the U.S. District Court for the Southern District of Florida.
National Public Data Hacked
This record-breaking data breach was later disclosed as part of a class action lawsuit filed earlier this month. The complaint alleges that National Public Data, which specializes in background checks and fraud prevention, has been negligent.
The hackers attempted to sell the vast collection of personal data on the dark web for $3.5 million. Given the number of people affected, the data likely includes individuals from both the U.S. and other countries.
How Data Scraping Became a Gateway for Hackers
The exact timing and method of the breach remain unclear, and the provider hasn’t notified affected individuals. Here’s what we know so far and some steps you can take to protect yourself if your personal information is exposed.
National Public Data collects personal data by scraping websites and other online sources. According to the complaint, the company scraped personally identifiable information (PII) from non-public sources, meaning individuals did not knowingly provide their data to the company.
Bloomberg wrote:
“To conduct its business, National Public Data scrapes the personally identifying information of billions of individuals from non-public sources—meaning plaintiffs didn’t knowingly provide their data to the company, the complaint said.”
Exposed information includes Social Security numbers, addresses spanning decades, full names, and information about relatives, some deceased for nearly two decades.
One plaintiff, a California resident, discovered the breach when his identity theft protection service notified him that his data was leaked on the dark web. National Public Data did not respond to Bloomberg’s request for comment.
Named plaintiff Christopher Hofmann received a notification from his identity theft protection service on July 24, informing him that his data was exposed in the breach and leaked on the dark web. He accused National Public Data of negligence, unjust enrichment, and breaches of fiduciary duty and third-party beneficiary contracts.
Hofmann asked the court to require National Public Data to purge the personal information of all affected individuals and to encrypt all data collected in the future. He also requested several measures, including data segmentation, database scanning, a threat-management program, and an annual third-party assessment of its cybersecurity frameworks for 10 years.