Given all the big news events that have been demanding so much attention this summer, you’d be forgiven for missing yet another one: The news that a massive data breach may have leaked billions of records, including names, Social Security numbers, and addresses.
National Public Data (NPD), a background-check data aggregator based in Coral Springs, Florida, recently acknowledged on its website that “a data security incident”—which was “believed to have involved a third-party bad actor” in December 2023—led to data leaks in April of this year. In all, 2.9 billion records were leaked, and were subsequently put up for sale for $3.5 million on the dark web, according to reporting from Bloomberg Law.
Further, it has become apparent in recent days that the leak may be even worse than initially known. Brian Krebs, a cybersecurity-focused investigative reporter, wrote on his KrebsOnSecurity website this week that National Public Data actually exposed its own passwords as part of the leak.
“KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today,” Krebs writes.
While the leak continues to look worse and worse, National Public Data says it is cooperating with law enforcement, and suggests that consumers freeze their credit, among other things.
Legal complaints piling up in federal courts
The breach became widely known after a class-action lawsuit filed in federal court in Fort Lauderdale against National Public Data’s parent company, Jerico Pictures, was made public earlier this month. And a cornucopia of additional lawsuits has also been filed. At least 14 complaints have been filed in federal court against National Public Data, according to a search of the Justia database, since early August.
To get a sense of what those suits are alleging, consider one such filing, filed on August 19. In it, lawyers argue that National Public Data “breached its duties by, among other things, failing to implement and maintain reasonable security procedures and practices to protect individuals’ PII [personally identifiable information] from unauthorized access and disclosure,” and that the “Defendant has not provided any notice to affected individuals, including Plaintiff, who only learned that her SSN and other PII was posted on the dark web as a result of the Data Breach from LifeLock.”
Further, “Plaintiff and Class members now face constant surveillance of their financial and personal records, monitoring, and loss of rights. Plaintiff and Class members are incurring and will continue to incur such damages, in addition to any fraudulent use of their PII [personally identifiable information],” the suit reads.
We’ve reached out to National Public Data for comment.
If you are worried that your data may have been scooped up by cybercriminals, freezing your credit and monitoring your accounts are good first steps. You can also use tools, such as npdbreach.com, to see if your data shows up in the archive of leaked information. Other similar tools are out there too, although these tools do require that you provide your name or other information.
This year is shaping up to be a huge one for cybercrime: During the first half of 2024, there was a 490% increase in the number of data breaches compared to the first half of 2023.
It’s likely that we’ll continue to see even more breaches in the months to come—and lawsuits, too.