Up to 2.9 Billion Records Stolen in a Hack of US Background Check Company
A class action lawsuit claims Jerico Pictures Inc. (National Public Data) was hacked earlier this year, exposing 2.9 billion confidential records, primarily of U.S. citizens, stolen by the hacker group USDoD.
- On April 8, the cybercriminal group USDoD posted a "National Public Data" database on a dark web forum, offering 2.9 individual records for $3.5 million, according to a complaint filed Thursday in the US District Court for the Southern District of Florida.
- The exposed data for potentially hundreds of millions of people includes full names, Social Security numbers, current and past addresses, and information about relatives, including deceased family members, according to the complaint.
It's critical to clarify that each person has multiple records for each known address, so the breach did not impact ~3 billion individuals, contrary to many inaccurate reports.
- According to VX Underground, which verified that the data is real, "the database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present."
- Since then, various threat actors have released partial copies of the data, each with different records and content. On August 6th, a threat actor known as "Fenice" leaked the most complete version of the stolen National Public Data for free on the Breached hacking forum.
- The leaked data consists of two text files totaling 277 GB, containing almost 2.7 billion plaintext records, slightly less than the 2.9 billion originally claimed by USDoD. Unlike previous leaks, this 2.7 billion record set does not include phone numbers and email addresses.
- Numerous people said that their data is incomplete or inaccurate, but many have confirmed that the data included their and family members' legitimate information, including those who are deceased. Previously leaked samples also included email addresses and phone numbers.
"Finally, this data may be outdated, as it does not contain the current address for any of the people we checked, potentially indicating that the data was taken from an old backup," reported Bleeping Computer.
- Those affected by this cyberattack may be unaware of their involvement. National Public Data reportedly gathers its data by scraping information from non-public sources without individuals' knowledge or consent.
"Criminal Records, Background Checks and more. Our services are currently used by investigators, background check websites, data resellers, mobile apps, applications and more." - National Public Data Website
- According to National Public Data's website, the incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.
Case Filing
NPD Page / Archive
Troy Hunt Analysis / Archive
Bleeping Computer Article / Archive
TechRepublic Article / Archive