One of the worst data breaches in history has left private details of an estimated 2.9 billion people, including Americans’ Social Security numbers, on the dark web.
The database of a Florida-based background check company was raided and then put up for sale on April 8, offered to any cybercriminal willing to pay $3.5 million.
The company has yet to confirm the breach with its own numbers, but if true, the scope of the attack rivals the record-breaking 2013 hack of Yahoo!, which exposed the data of three billion people worldwide.
The cybercriminal group selling the data, believed to be based in Latin America and ironically nicknamed “USDoD” after the U.S. Department of Defense, shared the file with a cybersecurity expert to confirm its legitimacy.
Most Americans — and even many of their deceased relatives — likely have private data at risk from the breach, unless they have regularly paid for “opt-out” services.
An alleged attack on Yahoo!, considered the worst in history, has left the private data of some 2.9 billion people, including the social security numbers of Americans, on the dark web. The scope of the attack rivals the Yahoo! attack in 2013, which set a record and exposed the data of three billion people.
According to a proposed class action lawsuit filed Thursday, a Florida-based background check company, Jerico Pictures, doing business as National Public Data, failed to “effectively secure hardware containing protected personally identifiable information.”
This sprawling stolen database contains address histories, family names and more on hundreds of millions of American citizens, including many who have been dead for decades, new court documents show.
Lawyers for the victim, who was first alerted to the data breach by her own identity theft protection service, are now filing a class-action lawsuit against the database company.
According That demand filed Thursday, the background check company Jerico Pictures, which operates under the name National public datafailed to ‘effectively secure hardware containing protected personally identifiable information (PII).’
The suit also accuses the company of “scraping” its billions of files on private individuals from other databases without those individuals’ “consent or knowledge.”
“The defendant’s conduct amounts to at least negligence,” said the lawyers, led by The Kopelowitz Ostrow Companythey argued in their proposed class action lawsuit.
A cursory analysis of the three billion individual files contained in the leak, according to the owners of the cybersecurity and malware education website VX-Underground — ‘immediately found’ any individual who ‘did not use opt-out services and resided in the United States.’
The files typically contained their first and last name, current address, their last three residential addresses, their Social Security number, and a wealth of data about their families.
“It also allowed us to find their parents and closest siblings,” the cybersecurity writer continued. “We were able to identify someone’s parents, deceased relatives, uncles, aunts, and cousins.”
“Some of the people found had been dead for almost two decades,” they reported.
National Public Data, which is based in Coral Springs, about an hour north of Miami, Florida, has not yet disclosed when or how its databases were breached.
The company has not yet responded to DailyMail.com’s requests for comment.
Worse, the company has yet to alert or issue warnings to hundreds of millions of affected people within the United States, or apparently to those abroad who might also be at risk.
Current estimates of the U.S. Census Bureau They estimate the total US population to be 336.8 million people, or just 11.2 percent of the people caught up in this massive data breach.
In other words, most Americans, including many of their deceased relatives, are likely victims of the hack and therefore potential plaintiffs in the class action lawsuit.
But as noted by VX-Underground, which reviewed the full 277.1 gigabyte file obtained from the hackers: ‘The database does NOT contain information from individuals who use data opt-out services.’
According to the owners of cybersecurity and malware education site VX-Underground (who reviewed the hacker’s full 277.1-gigabyte archive), most Americans, including many of their deceased relatives, are likely victims of the attack and therefore potential plaintiffs in the class-action lawsuit.
“Not all people who used some kind of data opt-out service were present,” VX-Underground reported in a post on the social networking site X This past June.
Data opt-out services charge up to $499 per year to perform the tedious task of requiring data brokers to remove your personal data from their lists.
But for those looking for a more cost-effective method, the nonprofit Consumer Reports offers a similar service through its Permission slip application.
The US Department of Defense, which first became famous under the name “NatSec,” has claimed credit for a wave of cyberattacks this year, including an attack on CrowdStrike, the cybersecurity firm whose faulty update grounded airlines and caused chaos around the world in July of this year.
In July this year, the US Department of Defense also claimed that it had leaked CrowdStrike’s “full list of threat actors,” its “full list of indicators of compromise,” and databases from “(an) oil company and a pharmaceutical company (non-US),” according to a company report.
The US Department of Defense, which is selling the new data leak on the dark web, has claimed credit for a wave of attacks this year, including a raid on CrowdStrike, the cybersecurity firm whose faulty update grounded airlines and caused chaos around the world in July (pictured)
Delta’s chief executive has threatened to sue CrowdStrike over what he said was $500 million in lost revenue and additional costs related to thousands of canceled flights last July.
The USDoD had originally been portrayed as a pro-Russian hacking firm, in part due to the group’s early successes with its “#RaidAgainstTheUS” campaign, which targeted the US military and major Pentagon defense contractors.
The hacking group has also targeted US domestic agencies, posing as the CEO of a financial firm to steal the FBI’s 80,000-member InfraGard database. which is designed to securely share national security and cybersecurity intelligence.
InfraGard members include government employees as well as members of the private sector whose work is considered critical to maintaining U.S. infrastructure.
A report from a journalist specializing in cybersecurity Brian Krebs had accused the USDoD of making a political statement by publishing confidential employee data stolen from the Pentagon’s aerospace contractor, Airbus. on the 2023 anniversary of the 9/11 terrorist attacks.
But the US Department of Defense denied the claim, stating that The group’s actions were not political or terrorist acts, but simply normal cybercriminal activities, with some caveats.
“I will not attack Russia, China, South and North Korea, Israel and Iran,” the Defense Department said after Krebs’ report. “The rest, I don’t care.”