A class-action lawsuit filed against background check company National Public Data (also known as Jerico Pictures) alleges that the personal information of 2.9 billion people has found its way onto the dark web via a data breach.
National Public Data uses a process called “scraping” to collect and store personally identifiable data from nonpublic sources to perform background checks on billions of people.
This means that sensitive information such as social security numbers, full names, addresses, and family information was exposed, and more importantly, it also means that the information was not voluntarily given to the company and many victims may not even know it was stored.
Data in the hands of cybercriminals
The plaintiff identified as Christopher Hofmann was alerted by his identity theft protection service provider that his data had been exposed and leaked to the dark web. The cybercriminal group ASDoD had listed a database claiming to have people's personal data for sale for $3.5 million.
Hofman and the plaintiffs accused NPD of negligence, breach of fiduciary duties and breach of contract with third-party beneficiaries, and unjust enrichment. Hofman is seeking monetary damages and for NPD to segment data, perform database analysis, employ a threat management system, and appoint an outside consultant to conduct an assessment of its cybersecurity frameworks annually for 10 years.
The court has been asked to order the NPD to purge the personal data of all affected individuals and to encrypt all information collected in the future.
If confirmed, this would rank as one of the largest data breaches in history in terms of individuals affected, rivaling the 2013 Yahoo! breach that affected three billion customers, and what's worse is that it's still unclear how the data breach occurred.
Experts recommend using an identity theft protection service to receive alerts if your information has been compromised – read more about our tips and recommendations here.
Through Bloomberg