Florida company faces multiple lawsuits after massive data breach

A class-action lawsuit claims hackers accessed and leaked the personal information of up to three billion people.  (Steve Marcus/Reuters - image credit)

A Florida-based company is facing multiple proposed class actions, after a massive data breach that one suit claims leaked nearly three billion files containing personal data on people in Canada, the U.S. and the U.K., including names and home addresses.

One of the first suits to be reported on was a proposed class action filed Aug. 1 by California resident Christopher Hofmann in the U.S. District Court for the Southern District of Florida. It alleges that on April 8 a hacking group called USDoD posted a database called "National Public Data" on a dark web forum, claiming to have the personal data of 2.9 billion individuals, and attempted to sell it for $3.5 million US.

Tech site Bleeping Computer reported that a hacker then leaked a version of the stolen data for free on a hacking forum on Aug. 6.

At least six complaints have been filed against the company, National Public Data, this month.

Data came from company that does background checks

The data was allegedly stolen from Jerico Pictures Inc., which does business as National Public Data, a Florida-based company that does background checks.

Hofmann says in the suit the company obtained and stored his data without his consent. Because people don't knowingly give their data to the company, it is hard for any individual to know whether they have been affected by the breach.

The suit claims the company "has still not provided any notice or warning" to Hofmann or other people affected by the breach.

"In fact, upon information and belief, the vast majority of class members were unaware that their sensitive [personal information] had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm," it says.

Richard Rogerson, founder of cybersecurity firm Packetlabs, says the alleged magnitude of the breach is "quite scary" and will make it much easier for fraudsters to pull off scams using stolen identities.

"I've never seen a breach at this scale," said Rogerson. "This is kind of uncharted territory."

National Public Data confirmed the breach on Tuesday in a statement on its website, which on Friday appeared to be inaccessible.

The statement said the incident "is believed to have involved a third-party bad actor" that tried to hack into data in late December 2023, "with potential leaks of certain data" in April 2024 and summer 2024. The information the company suspects of being breached contains names, email addresses, phone numbers, social security numbers and mailing addresses.

National Public Data's website says its services "are currently used by private investigators, consumer public record sites, human resources, staffing agencies and more." The company did not respond to a request for comment.

It's not clear exactly how the breach occurred

Some states require companies to report data breaches to their attorney general offices, but security company McAfee said it has not found any filings with state attorneys general.

The Florida Attorney General's office has not been notified of the breach, it told CBC in an email.

The lawsuit states it is not clear exactly when or how the breach occurred.

"This data will continue to haunt us for a while, because a lot of this data is very static, and it's not going to change over time," Rogerson said.

"If you think about security controls like a fence, it lowers the fence from a 10-foot fence down to a two-foot fence. You can walk over that fence. It makes it a lot easier to pull off [fraud] attacks."

Hofmann claims in the suit that his identity theft protection service alerted him in July that his personal information had been compromised as a direct result of the National Public Data breach and was found on the dark web.

Law firm Schubert Jonckheer & Kolbe, which said on Monday it is investigating the breach, wrote in a blog on its website that the data goes back at least three decades.

Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, a non-profit that promotes online safety, says while this type of data has been leaked before, the difference is that now it's all in one place.

"I think it may surprise many people that these companies exist and are allowed to collect and store that data — and even worse, they aren't required to meet certain security criteria in order to do so," he said.

Steinhauer says the nearly three billion files in the 277-gigabyte dump appear to include incomplete records, duplicates and records for people who are now dead, explaining how the number is significantly greater than the populations of Canada, the U.S. and the U.K. combined.

It is not yet known whether or to what degree the company may have been negligent in protecting its data, but Steinhauer questions why it was storing so much personal information for so long.

"I mean, do they really need to hold on to all this data about people who died this long ago?" he said.

Steinhauer says people can grow tired of reading about their data being breached and can feel helpless in situations like this, but it's important to know there are things people can do to protect themselves.

He says everyone should assume their information has been compromised, and he has several suggestions for protecting your money and personal information.

  • Keep your security software updated on your devices.

  • Make your passwords complex, and at least 16 characters long.

  • Use a password manager to save those passwords and generate new ones.

  • Use a monitoring service that will alert you if your personal information has been found on the dark web.

  • Enable multi-factor authentication to add a layer of protection against fraudsters.

  • Use a service to set up monitoring for your credit reports, to "make sure that there aren't any accounts on your credit report that you don't recognize."

  • Be on alert for phishing and other scams, which tend to proliferate when news breaks about a large data breach.