A lawsuit has been filed against a South Florida-based company, alleging that hackers have accessed the personal information of billions, including Social Security numbers, historical and current addresses, as well as the names of siblings and parents. This sensitive data poses a risk of identity theft and fraud.
The lawsuit, initiated by Christopher Hofmann from California, claims that his identity theft protection service notified him of a leak related to “nationalpublicdata.com.” The breach reportedly originated in April 2024, with the hacking group USDoD extracting unencrypted data from National Public Data (NPD), a background check firm. Recently, a hacker purportedly released a portion of this stolen information on a hacking forum.
The hacker asserted that this compromised data encompassed around 2.7 billion records, each including an individual’s full name, address, date of birth, Social Security number, and phone number. Experts suggest that nearly everyone with a Social Security number could be affected. Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, highlighted the need for individuals to protect themselves, given that companies and governmental bodies often fail to adequately safeguard such sensitive information.
NPD, located in Coral Springs, Florida, specializes in providing background checks for various entities. It aggregates public data to create consumer profiles, which are then sold to other businesses. According to Steinhauer, the absence of national privacy legislation in the U.S. allows such data collection without individuals’ consent.
The lawsuit specifies that on April 8, the USDoD posted a database claiming to hold records of approximately 2.9 billion individuals on the dark web, initially priced at $3.5 million. However, it was later made accessible for free on a hacker platform.
The exact number of individuals impacted remains uncertain, even though the lawsuit mentions “billions” of victims. The U.S. population is about 330 million, and the breached data reportedly includes records of deceased individuals as well. This suggests that many entries may belong to the same individual due to multiple addresses stored in the database.
As for notifying affected individuals, the lawsuit claims that NPD has failed to alert Hofmann and others about the breach. It argues that most people in the affected class are unaware that their sensitive data has been compromised and remain at significant risk of various forms of harm.
While there’s no indication that NPD has reported the breach to state attorneys general, it is a requirement in several states for companies to do so after such incidents.
For those wanting to check if their information was part of the breach, security professionals recommend using reliable monitoring services that scan for exposed personal data on the dark web.
To mitigate risks, security experts advise consumers to freeze their credit files with the three major credit bureaus—Experian, Equifax, and TransUnion—preventing fraudulent loans or credit cards from being issued in their names. Other recommendations include using long, complex passwords managed by password managers, enabling multifactor authentication, staying vigilant against phishing scams, and keeping security software updated.
Overall, individuals are encouraged to act under the assumption that their data may have been compromised and take appropriate protective measures.