In one of the worst data breaches in history, the private information of an estimated 2.9 billion people, including Americans’ Social Security numbers, has been exposed on the dark web.
On April 8, a Florida background check company’s database was breached and put up for sale to cybercriminals willing to pay $3.5 million.
The company has yet to confirm the breach with its own figures, but if true, the scale of the hack would be comparable to Yahoo!’s record-breaking hack in 2013, which exposed the data of three billion people worldwide.
The cybercriminal group selling the data, believed to be based in Latin America and ironically named “USDoD” after the U.S. Department of Defense, shared the file with a cybersecurity expert to confirm its legitimacy.
Most Americans, and even many of their deceased relatives, are likely at risk of having their personal data compromised by the breach unless they have regularly paid for “opt-out” services.
A contender for the largest data breach in history has left the private information of an estimated 2.9 billion people, including Americans’ Social Security numbers, on the dark web. The scale of the hack is comparable to the record-breaking Yahoo! hack in 2013, which exposed the data of three billion people
According to a proposed class action lawsuit filed last Thursday, Jerico Pictures, a Florida background check company doing business as National Public Data, failed to “effectively secure hardware containing protected PII.” [personal identifiable information]’
New court documents reveal that this vast, stolen database contains address histories, family members’ names and more for hundreds of millions of American citizens, including many who have been dead for decades.
Lawyers for the victim, who was first notified of the breach through his own identity protection service, are now launching a class action lawsuit against the database company.
According to that lawsuit filed Thursday, background check firm Jerico Pictures, which does business as National public datafailed to ‘effectively secure hardware containing protected PII’ [personal identifiable information].
The lawsuit also accuses the company of “hijacking” billions of private individuals’ files from other databases without the “consent or knowledge” of those individuals.
“The suspect’s conduct amounts to negligence at the very least,” said the lawyers, led by the company Kopelowitz Ostrowthey argued in their proposed collective complaint.
A cursory scan of the three billion individual files included in the leak, according to the owners of the cybersecurity and malware education website VX-Underground — “immediately found every person” who “did not use the data opt-out services and resided in the United States.”
The files typically contain their first and last names, current addresses, last three residential addresses, their social security numbers, and a wealth of information about their families.
“It also allowed us to find their parents and close siblings,” the cybersecurity writer continued. “We were able to identify someone’s parents, deceased relatives, uncles, aunts, and cousins.”
“Some of the individuals found had been dead for almost 20 years,” they reported.
National Public Data, based in Coral Springs, an hour north of Miami, Florida, has not yet disclosed when or how the breach of its databases occurred.
The company has not yet responded to requests for comment from DailyMail.com.
Worse, the company has still failed to issue warnings to hundreds of millions of affected individuals in the US, and apparently not to individuals abroad who may also be at risk.
Current estimates of the US Census Bureau estimates the total US population at 336.8 million people — or just 11.2 percent of those affected by this massive data breach.
In other words, most Americans, including many of their deceased relatives, will likely be victims of the hack and thus potential plaintiffs in the class action lawsuit.
But as VX-Underground, which reviewed the full 277.1 gigabyte file obtained from the hackers, noted: ‘The database does NOT contain information from individuals who use data opt-out services.’
According to the owners of the website VX-Underground, who viewed the hacker’s entire 277.1 gigabyte file, most Americans, including many of their deceased relatives, are likely victims of the hack and therefore potential plaintiffs in the class action.
“Not everyone who used some form of data opt-out service was present,” VX-Underground reported in a message to the social media site X last June.
Data opt-out services charge up to $499 annually for the tedious task of demanding data brokers remove your personal information from their lists.
But for those looking for a more cost-effective method, the nonprofit Consumer Reports offers a similar service through its Consent form application
USDoD, which first gained notoriety as “NatSec,” has been responsible for a series of hacks this year, including a raid on CrowdStrike, the cybersecurity firm whose flawed update in July grounded airlines and caused global chaos.
In July, the US Department of Defense also claimed it had leaked CrowdStrike’s “full threat actor list.” [indicators of compromise] list’ and databases of both ‘[an] oil company and a pharmaceutical industry (not from the US),’ said a company report.
USDoD, which is selling the new data breach on the dark web, has claimed responsibility for a wave of hacks this year, including a raid on CrowdStrike, the cybersecurity firm whose flawed update in July grounded airlines and caused chaos worldwide (pictured)
Delta’s CEO has threatened to sue CrowdStrike over what he said was $500 million in lost revenue and additional costs related to thousands of canceled flights last July
USDoD was originally portrayed as a pro-Russian hacking enterprise, in part due to the group’s early success with the “#RaidAgainstTheUS” campaign, which targeted the U.S. military and major Pentagon defense contractors.
The hacking group has also targeted domestic U.S. agencies, posing as the CEO of a financial firm to steal the FBI’s 80,000-member InfraGard database. which is designed to securely share national security and cybersecurity information.
InfraGard members include government and private sector employees whose work is critical to maintaining America’s infrastructure.
A report from a cybersecurity journalist Brian Krebs had accused the US Department of Defense of making a political statement by releasing sensitive employee data stolen from the Pentagon’s Airbus airline on the commemoration of the terrorist attacks of September 11, 2023.
But the US Department of Defense denied the claim, claiming that The group’s actions were neither political nor terrorist in nature, but simply cybercriminal business as usual – with a few caveats.
“I will not attack Russia, China, North and South Korea, Israel, and Iran,” USDoD said after Krebs’ announcement. “I don’t care about the rest.”