National Public Data (NPD), also known as Jerico Pictures, is facing a class action lawsuit following a massive data breach that has exposed the personal information of 2.9 billion individuals. The breach, one of the largest in history, has led to sensitive data being listed for sale on the dark web.
NPD collects and stores personally identifying data from non-public sources using a process called ‘scraping.’ This method gathers information such as social security numbers, full names, addresses, and relatives’ information for background checks. Importantly, much of this data was not provided willingly by the individuals affected, and many may not have known it was being stored.
Data in the hands of cybercriminals
The breach was discovered when plaintiff Christopher Hofmann was alerted by his identity-theft protection service provider that his information had been exposed and was available on the dark web. The cybercriminal group ASDoD listed the database for sale at $3.5 million.
Hofmann and other plaintiffs have accused NPD of negligence, breaches of fiduciary duty and third-party beneficiary contract, and unjust enrichment. They are seeking financial compensation and demanding that NPD take several security measures. These include segmenting data, conducting regular database scanning, employing a threat-management system, and appointing a third-party assessor to evaluate its cybersecurity frameworks annually for the next decade.
Legal and security measures demanded
The plaintiffs also want the court to order NPD to purge the personal data of all affected individuals and to ensure that all collected information is encrypted going forward.
If confirmed, this breach would rival the 2013 Yahoo! incident, which affected three billion customers, marking it as one of the largest data breaches ever in terms of the number of individuals impacted.
Details of breach still unclear
Currently, it is not yet clear how the data breach occurred, adding to the severity of the situation. As the case progresses, more details are expected to emerge, which will shed light on the extent of the breach and the security lapses that led to this unprecedented exposure of personal data. The outcome of this lawsuit could have significant implications for data security practices and regulations in the background check industry and beyond.