A class action lawsuit brought against background check company National Public Data (also known as Jerico Pictures) alleges the personal information of 2.9 billion individuals has made its way onto the dark web via a data breach.
National Public Data uses a process called ‘scraping’ to collect and store personally identifying data from non-public sources to carry out background checks on billions of people.
This means that sensitive information like social security numbers, full names, addresses, relative’s information was exposed - and crucially, it also means the information was not given willingly to the company, and many victims may not know it was stored at all.
Data in the hands of cybercriminals
Named plaintiff Christopher Hofmann was alerted by his identity-theft protection service provider that his data was exposed and leaked onto the dark web. Cyber criminal group ASDoD had listed a database which claimed to have the personal data of the individuals for sale at $3.5 million.
Hofman and the plaintiffs accused NPD of negligence, breaches of fiduciary duty and third-party beneficiary contract, and unjust enrichment. Hofman is fighting for financial compensation, and for the NPD to segment data, conduct database scanning, employ a threat-management system, and appoint a third-party assessor to conduct an evaluation of its cybersecurity frameworks annually for 10 years.
The court has been asked to require NPD purge personal data of all affected individuals and to encrypt all collected information going forward.
If confirmed, this would be classified as one of the largest data breaches ever in terms of affected individuals - rivalling the Yahoo! 2013 breach which affected three billion customers - and what's worse is that it’s not yet clear how the data breach occurred.
How to stay safe after a data breach
With full names, addresses and Social Security Numbers in hand, there’s a lot that hackers can do with this information, especially when it was made available for sale on the dark web.
While we haven’t heard anything yet from National Public Data, the company will likely have to put out a data breach notification soon given the mess that scraping non-public sources for data has gotten it into. These data breach notifications will likely arrive in the mail, so you’re going to want to keep a close eye on your mailbox for the time being.
Normally after a breach of this size, the company responsible will offer free access to either identity theft protection or credit monitoring for up to two years. In the meantime though, you’re going to want to be careful when checking your inbox or even your messages as hackers often use this type of data to launch targeted phishing attacks. At the same time, you’re going to want to carefully monitor your bank accounts and other financial accounts for signs of fraud or suspicious activity.
Since this is almost as big of a data breach as the one that Yahoo! suffered back in 2013 which saw data on 3 billion people exposed online, this likely isn’t the last we’ll be hearing about it.