Nearly 3 billion people hacked in National Public Data breach

What you need to know

Cybersecurity professional working on a laptop.

Nearly 3 billion individuals had their personal data leaked during a cyber attack targeting National Public Data (NPD), a background checking service also known as Jerico Pictures. The data breach is one of the biggest in history and surfaced when a proposed class action lawsuit was filed two days ago. 

The lawsuit alleges that personal data from nearly 3 billion people was leaked during a cyber attack targeting the company in April. Neither NPD, nor Jerico Pictures have yet confirmed a cyberattack.

Until the NPD breach, the Yahoo data breach in 2013 stood as the worst cyberattack in history. The first attack occurred in 2013, with more to follow over the next three years. Only after Verizon bought out Yahoo in 2017, did the actual number of records affected come to light. It was determined that all 3 billion of Yahoo’s accounts were affected. That particular breach included the theft of names, email addresses, phone numbers and birthdates, but did not involve financial information.

What is National Public Data and what kind of data was stolen?  

National Public Data is owned by Jerico Pictures, Inc., and is headquartered in Coral Springs, Florida. It is a background checking service that scrapes personally identifiable information of individuals from non-public sources. This means that many of the people who were affected by the breach did not knowingly provide any of their personal information to NPD.

Some of the information leaked includes Social Security numbers, current and past addresses spanning decades, full names, information about relatives and more, according to the complaint filed in the United States District Court for the Southern District of Florida.

Here’s what was learned from the lawsuit filed against NPD 

NPD has not yet confirmed a cyberattack and has not notified anyone in their database of a breach. The breach became public when a lawsuit was filed against NPD alleging negligence, unjust enrichment, and breaches of fiduciary duty and third-party beneficiary contract.

On July 24, 2024, Christopher Hofmann received a notification from his identity theft protection service provider notifying him that his PII was compromised as a direct result of the “nationalpublicdata.com” breach, and that his PII had been found on the Dark Web.

The lawsuit alleges that on April 8, 2024, a criminal gang that goes by the name of USDoD posted a database entitled “National Public Data” on a Dark Web hacker forum called “Breached.” USDoD alleged to have the PII of approximately 2.9 billion individuals and offered the database for purchase at a price of $3.5 million.

Steps you can take to protect your identity and data

Identity theft plans available typically include some combination of account monitoring, alerts and restoration support. This means the plans can't stop criminals from targeting you and can only offer remediation assistance after the fact. If the NPD data breach is confirmed, it would highlight the fact that data breaches can arise despite the best intentions of individuals to protect and store their information safely. This information was scraped from nonpublic sources and stored without encryption or other safeguards. 

“As the list of mega-breaches continues to grow, it is essential to consider investing in protective services that surpass the traditional practice of just monitoring changes in your credit report, particularly those that provide continuous surveillance of your bank accounts, your mailing address, and the dark web to detect any potential signs of identity theft at an early stage. Embracing the latest technology is crucial to safeguarding your identity” says Odysseas Papadimitriou, WalletHub CEO. 

Here are some other suggestions for protecting your identity and data:

  • Sign up for 24/7 credit monitoring.
  • Activate two-factor authentication.
  • Don’t respond to unsolicited requests for information.
  • Review credit card and bank accounts on a regular basis.
  • Sign or use your PIN to verify debit card purchases.
  • Freeze your three primary credit reports. In this context, “freezing” means that you prohibit your credit reports from being accessed by most third parties. In return for a fee you get a PIN from the credit bureaus. This PIN acts as an additional key and it must be given in order for your credit reports to be accessed and used to open accounts or obtain loans.

Bottom line

This breach demonstrates third-parties can collect, store and lose your data all without your participation or knowledge. You must be vigilant in monitoring your accounts and mind your surroundings when using credit cards or when providing personal information. 

Consider using a credit card for expenses and not your debit card. All major credit cards offer blanket liability against unauthorized credit card purchases. If your debit card is appropriated, your bank account could be drained and you will potentially face a lengthy process to try and recover your money. And by using a credit card and not a debit card, you’ll also have the opportunity to rack up rewards you can spend elsewhere.  

 

This article was written by Donna LeValley from Kiplinger and was legally licensed through the DiveMarketplace by Industry Dive. Please direct all licensing questions to legal@industrydive.com.

This information is provided for your education only through the Voya® family of companies. This information is not intended to be considered tax or investment advice. Neither Voya or its affiliated companies or representatives offer legal or tax advice. Consult your tax and legal advisors regarding your individual situation.

3624556_0824

CN3794767 _0826