A massive cyber attack has compromised 2.9 billion records, according to a new class-action lawsuit.
A complaint filed in the U.S. District Court for the Southern District of Florida claims that a cybercriminal group called USDoD hacked Florida-based company National Public Data, which stores personal information.
The hackers put the database up for sale for $3.5 million on a dark web forum.
The class-action complaint alleged that the exposed information includes Social Security numbers, full names, current and past addresses, and information about relatives that spans at least the last three decades.
The plaintiff, listed as Christopher Hoffman on behalf of others affected, has accused National Public Data of failing to “properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices.”
National Public Data has not yet publicly released an official company response. According to its website, various businesses use National Public Data services to access criminal records and conduct background checks. The platform is used by private investigators, consumer public record sites, human resources, and staffing agencies.
Hoffman, in the complaint, alleges that his identity-theft protection service provider notified him in July that his data was exposed in a breach of National Public Data and that the hackers leaked the database on the dark web. Hoffman states that he never provided his information to National Public Data.
The complaint maintains that individuals affected by the breach were not customers of National Public Data, rather their information was “scraped” by “unauthorized third parties” and shared with the company without their knowledge.
Furthermore, the company held unencrypted personal records, which made it easily accessible to hackers. The hackers were able to “exfiltrate” the unencrypted data of billions of individuals stored on the company’s network, according to the lawsuit.
In addition to monetary relief, the plaintiff asked the court to require National Public Data to apply the latest security updates, implement a threat management program, perform regular audits, and appoint an independent assessor to evaluate its cyber security annually for 10 years.
To prevent personal accounts from being hacked, cyber security experts advise people to sign up for credit monitoring and use multi-factor authentication to protect online accounts, as well as ensure that they download and update the latest versions of apps and software.
