A data breach involving National Public Data has exposed the personal information of nearly 3 billion people.
A class action lawsuit has been filed against Jerico Pictures Inc., also known as National Public Data, for a data breach that exposed the personal details of nearly 3 billion people. The complaint, submitted to the U.S. District Court for the Southern District of Florida, describes an incident on April 8, where a hacker group called USDoD allegedly released a database labeled "National Public Data" on a dark web forum. This database, containing sensitive information from 2.9 billion individuals, was put up for sale for $3.5 million.
National Public Data has not yet notified those affected and reportedly collected personal data from various non-public sources without consent. The leaked information includes Social Security numbers, decades-old addresses, full names, and information about relatives, including deceased individuals.
Christopher Hofmann, a California resident and named plaintiff, discovered his data was leaked through his identity-theft protection service on July 24. He accuses National Public Data of negligence, unjust enrichment, and violations of fiduciary duties and contractual obligations. Hofmann seeks monetary damages and measures to enhance data security, such as removing and encrypting personal information, improving data management practices, and conducting annual cybersecurity assessments by an independent third party.
According to a court document, the plaintiff, Christopher Hofmann, filed a complaint against the defendant, Jerico Pictures Inc., “for its failure to properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices.” The complaint is brought on behalf of the plaintiff and all affected individuals, due to the defendant’s failure to (i) adequately safeguard the PII of the plaintiff and class members, (ii) alert them about the defendant's inadequate information security processes, and (iii) secure hardware that contains protected PII using feasible measures devoid of vulnerabilities or data breaches.
The effects of the data breach include “(i) invasion of privacy; (ii) lost or diminished value of PII; (iii) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach, including but not limited to lost time; (iv) loss of benefit of the bargain; and (v) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remain backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the PII.” As a result of the data breach, the affected individuals, including the plaintiff, ask that the defendant “remedy these harms and prevent any future data compromise on behalf of himself and all similarly situated persons whose personal data was compromised and stolen as a result of the Data Breach and who remain at risk due to Defendant’s inadequate data security practices.”
The National Public Data breach exposed the personal information of nearly 3 billion people, making it one of the largest breaches and highlighting several critical issues:
A data breach is an incident where unauthorized individuals gain access to sensitive, protected, or confidential data, often resulting in the exposure, theft, or misuse of that information.
To protect your personal information online, use strong, unique passwords for each account, enable two-factor authentication, regularly update software and devices, avoid sharing sensitive information on public platforms, and monitor your accounts for suspicious activity.
Companies collect personal data through various methods, such as online forms, cookies, tracking technologies, purchasing data from third parties, and scraping publicly available information from the internet.