A new class action lawsuit filed in Florida reveals a massive data breach that allegedly exposed approximately 2.9 billion records, including Social Security numbers, names, addresses, and more.
[RELATED: Nearly All Maine Residents Victims of State Data Breach…]
“Plaintiffs have filed this Complaint against Defendants alleging that Defendants failed to adequately protect personal information that they collected and maintained as part of the ordinary course of business. Upon information and belief, such sensitive information includes, but is not limited to, Plaintiffs’ and Plaintiff Class Members’ names, current and past addresses (for at least the past 30 years), Social Security numbers, and information about their parents, siblings, and other relatives,” plaintiff Christopher Hoffman states in the lawsuit.
The lawsuit accuses background check company National Public Data (NPD) of failing to securely store billions of records on people in the US, UK and Canada.
The breach allegedly affected people who, like the plaintiffs, did not voluntarily provide information to NPD, and who believe the company obtained their personal information from undisclosed sources.
“Plaintiffs and their Class Members are not current or former customers, but rather individuals who have suffered the misfortune of having their personal information targeted, collected and scraped by Defendants from undisclosed sources without their consent,” the complaint states.
According to the complaint, the records were obtained around April of this year by a cybercrime group known as USD.
On April 8, the US Department of Defense allegedly put 2.9 billion records up for sale on a dark web forum called “Breached,” setting the price at $3.5 million.
According to technology media outlet BleepingComputer, the US Department of Defense has released 277 gigabytes of the files for free after putting them up for sale.
The lawsuit also cites cybersecurity education organization VX-Underground, suggesting that anyone who didn’t use some kind of data opt-out service could have been caught up in the breach, whether or not they knowingly interacted with NPD.
Hoffman’s lawsuit demands that the defendants implement improved security measures going forward and pay damages for their failure to protect his personal information.
Since identity thieves have already had widespread access to data since April, adding new protections now is likely too late to provide any significant benefit.
Additionally, the lawsuit, filed Aug. 1, requests that the case be tried by jury.
