A massive data breach has led to a class-action lawsuit against National Public Data, a background-check service accused of exposing the personal information of approximately 2.9 billion individuals. This breach, one of the largest in history, resulted in the compromised data being offered for sale on the dark web for $3.5 million.

The data breach, which occurred on April 8, 2024, involved the cybercriminal group known as USDoD posting a database on the dark web hacker forum Breached, claiming to contain sensitive information such as Social Security numbers, full names, family information, and historical addresses.

The data breach was first reported in early June, revealing that the stolen information came from residents of the United States, Canada, and the UK​. The lawsuit claims that National Public Data failed to implement adequate security measures to protect the personally identifiable information (PII) it collected. The complaint alleges that the data was unencrypted and unredacted, making it easily accessible to hackers.

According to court documents, the hackers gained access to the database through a vulnerability, which allowed them to exfiltrate the unprotected PII of billions of people. The stolen data spans from 2019 to 2024 and includes 2.9 billion rows of information, constituting 277.1 GB when uncompressed.

The class-action lawsuit, filed in Florida, seeks to hold National Public Data accountable for its alleged negligence in protecting sensitive information. The plaintiffs are asking the court to mandate the company to purge the compromised data and implement stricter security measures, including encryption, employee training, and regular security audits by third-party experts.

Christopher Hofmann, the lead plaintiff, claims he was unaware that his data was collected by National Public Data and only discovered the breach through a notification from his identity theft protection provider. The lawsuit highlights the risks associated with unauthorized data scraping and the potential for identity theft, fraud, and harassment.

The breach raises serious concerns about data security practices and the responsibilities of companies handling large volumes of sensitive information. As data breaches become more frequent and severe, there is increasing pressure on organizations to enhance their cybersecurity measures to protect consumers from identity theft and related crimes.