2024-08-12
PII of 2.9 Billion Individuals Stolen from Background Check Company
According to a class-action lawsuit against Jerico Pictures, Inc., doing business as National Public Data, personally identifiable information belonging to 2.9 billion people was stolen and offered for sale on the dark web. National Public Data provides background check and fraud prevention services. Of particular concern is that most people are likely unaware that National Public Data collected their information, as the company regularly scraped PII from non-public sources without consent.
Editor's Note
First of all: This data was likely stolen multiple times before in prior breaches. Secondly: Why does any one entity collect that much data? I have seen a lot of less-than-brilliant advice to victims. Using strong passwords and running up-to-date antivirus will not help you if organizations aggregating your data without your knowledge are missing fundamental controls like that. The only option you have is to first of all freeze your credit, and secondly opt out of whatever data collection possible. Assume that your data was breached and be careful even if someone uses supposedly confidential data to attempt to establish trust. There have been a number of reports of more sophisticated law enforcement impersonation scams that used data like SSN, address, phone numbers and such to establish authority.
Johannes Ullrich
This is basically the OPM hack all over again but on steroids. It really calls into question the right of individuals not to have their personal information collected by data brokers. We sorely need a national data privacy law akin to the EU's GDPR.
Curtis Dukes
The prudent position for most people today is to assume that all their PII is public, or at least on the Dark Web. They should freeze their data on the credit bureaus and be vigilant.
William Hugh Murray
Legitimate background check companies exist to help companies, people, and law enforcement. While those companies do exist and require extensive credentialing to access those databases, there are also 3rd party downstream brokers that take these feeds and aggregate them. These 3rd parties need more well-defined practices as well. If what is said here is true, this broker, who appears to be a 3rd party downstream aggregator with an address located in a residence, may be one of these smaller brokers. Getting 280GB of structured data from one of these 3rd parties would have taken a long time, and this is potentially one of the biggest breaches in history. Given that there are only 350 million people in the US and the breach is supposedly for 3 billion people, I am wondering who the remaining 2.65 billion people are. Are these people who are no longer alive, or are we looking at duplicate records? It's hard to say without looking at the data itself.
Moses Frost
This is the largest breach since the Yahoo breach of 3 billion in 2013. It appears we are finding out about this breach due to the lawsuit rather than a notification by the company. The lawsuit was triggered by an alert the lead plaintiff received from his identity monitoring service. While we could pull the lack of notification thread, the better move is to make sure you have identity monitoring and that you've fully configured it to watch for issues. In this day and age, we need background check companies like this to support the integrity of our hiring process. That said, with ever-growing collections of information, with increased fidelity, you need to be proactive in monitoring breaches of your own data.
Lee Neely
Read more in
Bloomberg Law: Personal Data of 3 Billion People Stolen in Hack, Suit Says (1)
Tech Times: Almost 2.7 Billion Data Records From National Public Data Leaked in Hacking Forum
Cybersecurity News: National Public Data Hacked: 2.9 Billion Users Personal Data Stolen
Mashable: Background check company breached, nearly 3 billion exposed in data theft