A potentially catastrophic data breach has surfaced, with hackers claiming to have stolen the Social Security numbers and personal information of nearly every American. The alarming revelation came to light through a class-action lawsuit filed in federal court in Fort Lauderdale, Florida, alleging that a hacking group known as USDoD has exfiltrated nearly three billion personal records from National Public Data (NPD), a company that provides background checks for employers, private investigators, and other businesses.
The breach reportedly occurred in April 2024, when USDoD managed to infiltrate NPD's systems, extracting unencrypted data that includes individuals' full names, addresses, dates of birth, Social Security numbers, and phone numbers. According to the lawsuit, the hackers initially attempted to sell the stolen data for $3.5 million but have since posted a significant portion of it for free on a dark web forum. The hackers claim to have amassed records for approximately 2.9 billion people, a figure that far exceeds the combined populations of the U.S., Canada, and the U.K.
While the actual number of affected individuals is uncertain, cybersecurity experts have voiced concerns over the scale of the breach. Bleeping Computer, a cybersecurity news site, examined portions of the leaked data and reported that the information appears to be authentic, heightening fears of a potential surge in identity theft.
National Public Data, based in Coral Springs, Florida, has remained silent in the wake of the breach, declining to respond to numerous media inquiries. The company, which specializes in conducting background checks that include criminal records, vital records, and Social Security number traces, is now at the center of a growing controversy.
The lawsuit was filed by Christopher Hofmann, a California resident, who claims his identity theft protection service alerted him that his personal information had been leaked on the dark web following the NPD breach. Hofmann's legal action highlights the broader risks faced by potentially millions of individuals whose data may have been compromised without their knowledge.
"In fact, upon information and belief, the vast majority of Class Members were unaware that their sensitive personal information had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm," the lawsuit states. It further alleges that NPD has failed to provide any notice or warning to affected individuals, exacerbating the potential fallout from the breach.
In the absence of a response from NPD, security experts are urging consumers to take immediate steps to protect their personal information. One of the most effective measures recommended is placing a freeze on credit files at the three major credit bureaus-Experian, Equifax, and TransUnion. This action, which is free of charge, prevents unauthorized individuals from opening new credit accounts in the victim's name. However, it also means that consumers will need to temporarily lift the freeze if they wish to apply for new credit themselves.
Additionally, consumers are advised to enroll in monitoring services that can alert them if their data appears on the dark web. These services can provide an early warning, allowing individuals to take steps to mitigate the potential damage. Another crucial security measure is the implementation of two-factor authentication (2FA) on all financial and sensitive accounts, which adds an extra layer of protection by requiring a second form of verification beyond just a password.
The implications of this breach are vast, not only for the individuals whose data may have been compromised but also for the broader cybersecurity landscape. The scale of the hack underscores the vulnerabilities inherent in data storage and the potential for widespread harm when such information falls into the wrong hands.
Experts warn that the full extent of the damage may not be immediately apparent. As stolen identities are exploited for financial gain, the consequences could unfold over months or even years. The breach also raises significant questions about the responsibility and accountability of companies that handle sensitive personal information.
While the lawsuit against NPD progresses, consumers are left grappling with the reality that their most sensitive personal information may now be in the hands of criminals. The potential for a tsunami of identity theft is very real, and the need for vigilance and proactive protection measures has never been more critical.