Data breach exposes 3 billion PII records, class action suits filed

In the last week, at least four class action lawsuits have been filed in response to what has been described as the biggest breach of Personally Identifiable Information (PII) on record. More than 200 gigabytes of nearly 3 billion records containing the PII of an unknown number of “U.S., Canadian, and British citizens” – including Social Security numbers and criminal records – were stolen in a hack of the computer systems of National Public Data, a Florida-based data broker.

Data brokers in the U.S. buy, aggregate, disclose, and sell billions of data elements on Americans with virtually no oversight and “little financial incentive to protect consumer data,” says the Electronic Privacy Information Center.

One of the proposed class action suits alleges that the compromised PII has already been used “in identity theft and fraud and can in the future (be used to) commit a variety of crimes including opening new financial accounts in class members’ names, taking out loans in class members’ names, using class members’ information to obtain government benefits, filing fraudulent tax returns … obtaining driver’s licenses in class members’ names but with another person’s photograph, and giving false information to police during an arrest.”

The suit alleges that every class member has “been exposed to a heightened and imminent risk of fraud and identity theft,” and “must now and in the future closely monitor their financial accounts to guard against identity theft.”

The suits assert that class-wide treatment is appropriate because the plaintiffs can prove the elements of their claims on a class-wide basis using the same evidence as would be used to prove those elements in individual actions alleging the same claims. The suits allege that all individuals in the United States whose PII was compromised in the data breach represent a class.

National Public Data is a DBA of Jerico Pictures, Inc., a film and television production company with offices in Los Angeles and Coral Gables, Florida, the website for which makes no reference to National Public Data. The National Public Data website says the company is “a public records data provider specializing in background checks and fraud prevention” and that it “obtain(s) information from various public record databases, court records, state and national databases and other repositories nationwide” for customers which include “private investigators, consumer public records sites, human resources, (and) staffing agencies” who pay to “obtain criminal records” and “(conduct) background checks” through the company’s XML-API Gateway.

The breach came to light when it was revealed in the first proposed class action lawsuit filed August 1 in the U.S. District Court for the Southern District of Florida. Since then, Biometric Update learned, at least three other proposed class action lawsuits were also filed in the U.S. District Court for the Southern District of Florida alleging that National Public Data “failed to properly secure and safeguard the PII that it collected and maintained as part of (its) regular business practices.”

Based on the case numbers given to the two suits filed on August 1, they both were filed at the same time, one after the other. All the suits allege that National Public Data never provided any notice to the affected individuals, nor did it disclose whether it ever opened “an official investigation” into the hack.

Despite numerous media requests for comments, the company has yet to issue a public statement.

Also, no U.S. federal department or agency with cybersecurity responsibilities has provided an official comment.

The proposed class action suits allege that companies like National Public Data “are particularly vulnerable to cyberattacks because of the sensitive nature of the information that they collect and maintain.”

Noted cybersecurity expert MacDonnell Ulsch, who served as the global cyber threat advisor to the CIA from 2012 to 2014 and was formerly senior managing director of cybercrime for PricewaterhouseCoopers and vice president of information security for Dun & Bradstreet, told Biometric Update that “companies that possess large volumes of valuable data often do not possess the ability to fully protect data,” pointing out that “managing data is a for-profit business” and that “protecting data is a cost-intensive business. Finding the right balance at the right price is extremely difficult. That is why we have so many successful data breaches.”

The first suit filed against National Public Data August 1 by Christopher Hofmann of Fremont, California (0:24-cv-61383) alleges he was only made aware of the breach when he “received a notification (in July) from his identity theft protection service provider notifying him that his PII was compromised as a direct result of the nationalpublicdata.com breach, and that his PII had been found on the dark web.”

In the second case (0:24-cv-61384), also filed August 1, the plaintiff, Yvette Burgen, says she was “informed by Experian and TurboTax that her PII had been ‘disseminated on the dark web.’”

A third class action suit (0:24-cv-61396-MD), filed August 2, alleges that the plaintiffs, Barry Cotton and Gary Lake, as well as “class members,” on or about July 29 “received notice that their personal data, including their PII and social security numbers, was compromised in the data breach and found on the dark web,” and that they only learned about it when they “received these notices from various credit and identity protection monitoring services.”

A fourth proposed class action suit (0:24-cv-61412) was filed August 3, naming James Thomas Jones and “class members” as plaintiffs.

Legal sources said that with so many class action lawsuits having been filed in the same Florida U.S. district court – and probably more to come – they will likely need to be consolidated into “one big, certified class action.”

Indeed. Already, more than half-a-dozen law firms are “investigating claims on behalf of victims.” They include Oklahoma City-based Federman & Sherwood; Cincinnati, Ohio-based Markovits, Stock & DeMarco; Marlton, New Jersey-based Console & Associates; New York-based Levi & Korsinsky, LLP; Orlando, Florida-based Morgan & Morgan; Fort Lauderdale, Florida-based Kopelowitz Ostrow PA; Haverford, Pennsylvania-based Chimicles Schwartz Kriner & Donaldson-Smith LLP; Sacramento, California-based Clayeo C. Arnold, A Professional Corporation; and El Segundo, California-based Wucetich & Korovilas LLP.

Also beginning to be heard are reinvigorated discussions in Washington, DC about the need to regulate third-party PII data aggregators and data brokers, if not the outright prohibition on the resale of publicly available data.

Congressional sources told Biometric Update that the unprecedented National Public Data breach is invigorating action in the Senate on its version of the bipartisan Fourth Amendment Is Not for Sale Act that recently was passed in the House. The bill would bar governments, law enforcement and intelligence agencies from purchasing Americans’ data from data brokers – data governments would otherwise need a warrant to obtain. The bill, however, is opposed by the White House and law enforcement associations, despite its support by top Democratic members of Congress.

While the legislation only addresses the purchase of third-party PII by governments and entities, Biometric Update has learned that there also are rumblings on Capitol Hill about restricting what types of information about individuals that data brokers can obtain and sell. The debate almost certainly will grow louder as more details of the National Public Data breach emerge.

“Federal and state government cybersecurity and privacy laws are valuable, but they will never stop data breaches,” warned Ulsch, founder of Gray Zone Research & Intelligence, a division of SkyTop Media Group and host of the TV program Gray Zone Report-China. “They may discourage some attackers, they may in some cases reduce or limit damages, but they will never stop a determined, well-funded attacker.”

Ulsch explained, somewhat pessimistically, that “cybercrime groups, especially sophisticated, experienced criminal groups, operate with several critical advantages. One, they often operate outside of U.S. jurisdiction, so prosecution can be extremely difficult. Two, these criminal groups sometimes cooperate with rogue nations, which enable them to operate with impunity. Such complicity between crime gangs and nation states can render cyber insurance useless since such attacks may then be considered instruments of war or acts of war. Also, chances are, if one of these groups is intent on compromising a company’s defenses, they probably will, simply waiting until they find the right vulnerability to exploit. Time is on their side.”

The first class action suit filed against National Public Data was the first to allege that the company acquires at least some of the data it sells by scraping the PII of individuals from non-public sources, and that “at no point (did class members) knowingly provide their PII to” the company. “To make matters even worse,” the suit alleged, the company “did this without plaintiff’s and class members’ consent or knowledge.”

The suit further alleges that “by obtaining, collecting, using, and deriving a benefit from the PII of plaintiff and class members, defendant assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion.”

While no details have yet been revealed by National Public Data as to how or when the data breach occurred, the lawsuit says “a cybercriminal group by the name of USDoD gained access to (the) defendant’s network prior to April 2024 and was able to exfiltrate the unencrypted PII of billions of individuals stored on (the) defendant’s network. Furthermore … the PII was published, offered for sale, and sold on the Dark Web by cybercriminals.”

In early April, USDoD posted a database called “National Public Data” on the Dark Web hacker forum called Breached, alleging it contained the PII of 2.9 billion individuals, and that the database could be had for $3.5 million.

Subsequently, VX-Underground, a website about malware and cybersecurity, stated on X that “we were informed USDoD intends on leaking the database. We requested a copy in advance to confirm the validity of the data. We reviewed the massive file – 277.1GB uncompressed, and can confirm the data present in it is real and accurate.”

Soon after that post, VX-Underground wrote that “USDoD was a broker and/or middleman for the initial posting,” and that they “were instructed to explicitly state that credit for the compromise is to be given to an individual operating under the moniker ‘SXUL.’”

According to Crowdstrike, “since at least 2020, USDoD has conducted both hacktivism and financially motivated breaches, primarily using social-engineering tactics to access sensitive data. Over the last two years, (USDoD) has focused on high-profile targeted intrusion campaigns. Additionally, since January 2024, (USDoD) has sought to diversify and expand their cyber activities from solely conducting cyber operations into administering eCrime forums.”

USDoD was behind the December 2022 breach of the FBI’s InfraGard database which compromised the PII of over 87,000 InfraGard members.

On July 24, 2024, USDoD claimed on the cybercrime forum BreachForums that it was responsible for leaking CrowdStrike’s “entire threat actor list.” CrowdStrike said USDoD alleged to have obtained CrowdStrike’s “entire IOC (indicators of compromise) list.”

In April, however, USDoD stated on BreachForums that he was giving up hacking, saying, “it is my time to go into the shadows and think about myself, my family, and my life.”

On July 29, Cyber News published an interview with USDoD.
