Hackers may have stolen the Social Security numbers of many Americans. Here's what to know.
A new lawsuit is claiming hackers have gained access to the personal information of "billions of individuals," including their Social Security numbers, current and past addresses and the names of siblings and parents — personal data that could allow fraudsters to infiltrate financial accounts or take out loans in their names.
The allegation arose in a lawsuit filed earlier this month by Christopher Hofmann, a California resident who claims his identity theft protection service alerted him that his personal information had been leaked to the dark web by the "nationalpublicdata.com" breach. The lawsuit was earlier reported by Bloomberg Law.
The breach allegedly occurred around April 2024, with a hacker group called USDoD exfiltrating the unencrypted personal information of billions of individuals from a company called National Public Data (NPD), a background check company, according to the lawsuit. Earlier this month, a hacker leaked a version of the stolen NPD data for free on a hacking forum, tech site Bleeping Computer reported.
That hacker claimed the stolen files include 2.7 billion records, with each listing a person's full name, address, date of birth, Social Security number and phone number, Bleeping Computer said.
NPD didn't immediately respond to a request for comment.
Here's what to know about the alleged hack.
What is National Public Data?
National Public Data is a data company based in Coral Springs, Florida, that provides background checks for employers, investigators and other businesses that want to check people's backgrounds. Its searches include criminal records, vital records, SSN traces and more information, its website says.
What happened with the USDoD hack?
According to the new lawsuit, USDoD on April 8 posted a database called "National Public Data" on the dark web, claiming to have records for about 2.9 billion individuals. It was asking for a purchase price of $3.5 million, the lawsuit claims.
However, Bleeping Computer reported that the file was later leaked for free on a hacker forum, as noted above.
How many people have been impacted?
The number of people impacted by the breach is unclear. Although the lawsuit claims "billions of individuals" had their data stolen, the total population of the U.S. stands at about 330 million. The lawsuit also alleges that the data includes personal information of deceased individuals.
Bleeping Computer reports that the hacked data involves 2.7 billion records, with individuals having multiple records in the database. In other words, one individual could have separate records for each address where they've lived, which means the number of impacted people may be far lower than the lawsuit claims, the site noted.
The data may reach back at least three decades, according to law firm Schubert Jonckheer & Kolbe, which said on Monday it is investigating the breach.
Did NPD alert individuals about the hack?
It's unclear, although the lawsuit claims that NPD "has still not provided any notice or warning" to Hoffman or other people affected by the breach.
"In fact, upon information and belief, the vast majority of Class Members were unaware that their sensitive [personal information] had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm," the lawsuit claims.
Information security company McAfee reported that it hasn't found any filings with state attorneys general. Some states require companies that have experienced data breaches to file reports with their AG offices.
What should I do to protect my information?
Security experts recommend that consumers put freezes on their credit files at the three big credit bureaus, Experian, Equifax and TransUnion.
Freezing your credit is free, and it will stop bad actors from taking out loans or opening credit cards in your name.
You can also get a tracking service that will alert you if your data appears on the dark web. And you should make sure to enroll in two-factor authentication, which will make it tougher for hackers to get access to your accounts.
