A proposedย class action lawsuit filed against Jerito Pictures Inc., a background check and fraud prevention company operating under the name National Public Data (NPD), alleges that a massive data breach has exposed the personal data of 2.9 billion people in what has been touted as the biggest data breach in history, asย reported byย Bloomberg.
The complaint was filed by Christopher Hofmann, a California resident and named plaintiff, on August 1, 2024, and submitted to the U.S. District Court for the Southern District of Florida on Thursday.
The lawsuit states that on April 8, 2024, a cybercriminal group under the alias โUSDoDโ released a database called “National Public Data” on a popular dark web forum,ย Breached, which contained sensitive information of nearly 2.9 billion individuals.
To conduct its business, National Public Data scrapes the personally identifying information (PII) of billions of individuals from non-public sources, such as websites and other online sources. This means that the personal data collected by National Public Data was reportedly done without those individuals’ consent or knowledge.
The leaked database included sensitive information such as Americansโ Social Security Numbers (SSNs), full names, information about parents, siblings, and other relatives (including some who have been deceased for nearly 20 years), and current and past addresses (spanning at least the last three decades).
Further, the leaked data constituted 277.1GB when uncompressed and was being sold on the dark web to potential buyers for $3.5 million. The threat group also said it would provide buyers with credentials to access the NPDโs server.
Hoffman discovered the data breach on July 24 through his identity theft protection service, which alerted him that his data had been exposed and leaked on the dark web. He has accused National Public Data of negligence, unjust enrichment, and breaches of fiduciary duty and third-party beneficiary contracts.
The plaintiff is asking the court to securely dispose of information about the affected people and encrypt all data collected going forward.
He is also seeking both monetary damages and a series of measures to improve data security, including that National Public Data segment data, carry out database scanning, implement a threat-management program, and employ a third-party assessor to conduct an evaluation of its cybersecurity frameworks annually for 10 years.
It is unclear when or how the data breach occurred. Also, as of the filing, the background check provider has not notified the affected individuals of the data breach.