MoneyWatch
By Aimee Picchi
Edited By Anne Marie Lee
/ CBS News
A new lawsuit is claiming hackers have gained access to the personal information of "billions of individuals," including their Social Security numbers, current and past addresses and the names of siblings and parents — personal data that could allow fraudsters to infiltrate financial accounts or take out loans in their names.
The allegation arose in a lawsuit filed earlier this month by Christopher Hofmann, a California resident who claims his identity theft protection service alerted him that his personal information had been leaked to the dark web by the "nationalpublicdata.com" breach. The lawsuit was earlier reported by Bloomberg Law.
The breach allegedly occurred around April 2024, with a hacker group called USDoD exfiltrating the unencrypted personal information of billions of individuals from a company called National Public Data (NPD), a background check company, according to the lawsuit. Earlier this month, a hacker leaked a version of the stolen NPD data for free on a hacking forum, tech site Bleeping Computer reported.
That hacker claimed the stolen files include 2.7 billion records, with each listing a person's full name, address, date of birth, Social Security number and phone number, Bleeping Computer said. While it's unclear how many people that includes, it's likely "that everyone with a Social Security number was impacted," said Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, a nonprofit that promotes online safety.
"It's a reminder of the importance of protecting yourself, because clearly companies and the government aren't doing it for us," Steinhauer told CBS MoneyWatch.
In a statement posted to its website, NPD said the breach involved a "third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024."
The company added that it is working with law enforcement and government investigators. NPD said it "will try to notify you if there are further significant developments applicable to you."
Here's what to know about the alleged hack.
What is National Public Data?
National Public Data is a data company based in Coral Springs, Florida, that provides background checks for employers, investigators and other businesses that want to check people's backgrounds. Its searches include criminal records, vital records, SSN traces and more information, its website says.
There are many similar companies that scrape public data to create files on consumers, which they then sell to other businesses, Steinhauer said.
"They are data brokers that collect and sell data about people, sometimes for background check purposes," he said. "It's because there's no national privacy law in the U.S. — there is no law against them collecting this data against our consent."
What happened with the USDoD hack?
According to the new lawsuit, USDoD on April 8 posted a database called "National Public Data" on the dark web, claiming to have records for about 2.9 billion individuals. It was asking for a purchase price of $3.5 million, the lawsuit claims.
However, Bleeping Computer reported that the file was later leaked for free on a hacker forum, as noted above.
How many people have been impacted?
The number of people impacted by the breach is unclear. Although the lawsuit claims "billions of individuals" had their data stolen, the total population of the U.S. stands at about 330 million. The lawsuit also alleges that the data includes personal information of deceased individuals.
Bleeping Computer reports that the hacked data involves 2.7 billion records, with individuals having multiple records in the database. In other words, one individual could have separate records for each address where they've lived, which means the number of impacted people may be far lower than the lawsuit claims, the site noted.
The data may reach back at least three decades, according to law firm Schubert Jonckheer & Kolbe, which said on Monday it is investigating the breach.
Did NPD alert individuals about the hack?
It's unclear, although the lawsuit claims that NPD "has still not provided any notice or warning" to Hoffman or other people affected by the breach.
"In fact, upon information and belief, the vast majority of Class Members were unaware that their sensitive [personal information] had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm," the lawsuit claims.
Information security company McAfee reported that it hasn't found any filings with state attorneys general. Some states require companies that have experienced data breaches to file reports with their AG offices.
However, NPD posted an alert about the breach on its website, stating that it believes the information breached includes names, email addresses, phone numbers, Social Security numbers and mailing addresses.
Can you find out if your data was part of the hack?
There are tools available that will monitor what information about you is available on the dark web, noted Michael Blair, managing director of cybersecurity firm NukuDo. Commonly breached data includes your personal addresses, passwords and email, he added.
One such service is how Hofmann, who filed the lawsuit, found out that his information has been leaked as part of NPD breach.
"Make sure to use reputable companies to look that up," Blair said.
What should I do to protect my information?
Security experts recommend that consumers put freezes on their credit files at the three big credit bureaus, Experian, Equifax and TransUnion. Freezing your credit is free, and will stop bad actors from taking out loans or opening credit cards in your name.
"The biggest thing is to freeze your credit report, so it can't be used to open new accounts in your name and commit other fraud in your name," Steinhauer said.
In its statement, NPD also urged people to put free fraud alerts on their accounts, which "tells creditors to contact you before they open any new accounts or change your existing accounts," it said. You'll have to contact just one of the three credit bureaus to create a fraud alert, and that agency will alert the others.
Steinhauer recommends consumers take several additional steps to protect their data and finances:
- Make sure your passwords are at least 16 characters in length, and are complex.
- Use a password manager to save those long, complex passwords.
- Enable multifactor authentication, which Steinhauer calls "critical," because simply using a single password to access your accounts isn't enough protection against hackers.
- Be on alert for phishing and other scams. One red flag is that the scammers will try to create a sense of urgency to manipulate their victims.
- Keep your security software updated on your computer and other devices. For instance, make sure you download the latest security updates from Microsoft or Apple onto your apps and devices.
You can also get a tracking service that will alert you if your data appears on the dark web.
"You should assume you have been compromised and act accordingly," Steinhauer said.
- In:
- Data Breach
- Social Security
Aimee Picchi
Aimee Picchi is the associate managing editor for CBS MoneyWatch, where she covers business and personal finance. She previously worked at Bloomberg News and has written for national news outlets including USA Today and Consumer Reports.