Class action suit reveals major data breach, exposing Social Security Numbers

A massive data breach in early 2024 involving unauthorised access to personal information, including Social Security numbers, and thought to impact billions of people has raised alarms about potential widespread identity theft and fraud.

The breach, which allegedly occurred in April, was revealed in a class-action lawsuit filed in Florida by Christopher Hofmann, a California resident.

Hofmann claims that his identity theft protection service notified him that his personal data had been leaked to the dark web as part of the “nationalpublicdata.com” breach.

The complaint alleges that National Public Data (NPD), a data broker specialising in background checks, failed to secure sensitive personal information, making it accessible to hackers.

NPD’s website states that the company collects data from various public and private records, including court documents and state databases.

However, the lawsuit claims that NPD gathered this data without the consent of those affected, breaching both legal and ethical obligations to protect the information.

With Social Security numbers and other personal details exposed, those impacted are at a significant risk of identity theft, fraudulent financial activity, and other forms of personal and financial harm.

Jasdev Dhaliwal, director of marketing and security evangelist at online protection firm McAfee, expressed concern over the breach, stating, “The mere possibility of breached Social Security numbers alone makes it something worth acting on.”

Yet, McAfee’s website notes that they were unable to find any filings made with state attorneys general, suggesting NPD has yet to notify all individuals whose data was compromised.

The hacker group USDoD has claimed responsibility for the breach, asserting that it obtained the unencrypted personal data of approximately 2.9 billion people. This data was allegedly put up for sale on the dark web for $3.5 million.

Reports indicate that a version of the stolen NPD data was leaked on a hacking forum, with 2.7 billion records of citizens across the US, Canada, and the UK being made available for free.

April 8th, 2024, a Threat Actor operating under the moniker “USDoD” placed a large database up for sale on Breached titled: “National Public Data”. They claimed it contained 2,900,000,000 records on United States citizens. They put the data up for sale for $3,500,000.

National…

— vx-underground (@vxunderground) June 1, 2024

However, a post on X by vx-underground, an online collection of malware source code, samples, and papers, suggested that the numbers aren’t exactly as they seem.

“We can confirm this database also contains information on individuals who are deceased. Some individuals located had been deceased for nearly 2 decades.”

They also confirmed that the database doesn’t contain information from anyone who opted out of sharing their data with NPD.

Troy Hunt, an expert in data breaches and the operator of “Have I Been Pwned,”  a website that tells you if your e-mail address is associated with any breaches, has also examined the data from the massive 2024 breach.

He found further discrepancies, suggesting far fewer people could be affected.

He explains, “I took 100M samples and found that only 31% of the rows had unique SSNs, so extrapolating that out, 2.9B would be more like 899M. This is something to always be conscious of when you read headline numbers: “2.9B” doesn’t necessarily mean 2.9B people; it often means rows of data.”

He added that while the data does include Social Security numbers, many of the records are duplicated or contain inaccurate information.

“Hyperbole is often a theme with incidents like this, so let’s take the headlines with a grain of salt and see what the data tells us.”