A cyber attack has exposed the private data of millions of Americans, the Daily Caller reported. Their personal information, including social security numbers, was posted as a database for sale on the dark web.
One victim filed a lawsuit against the company National Public Data, alleging that it failed to keep private information safe. The lawsuit stemmed from the actions of the hacker group USDoD, which claims to have obtained the information from the company.
The group put the database up for sale on the dark web on April 8 under the name "National Public Data." It's asking $3.5 million for the trove of information, which includes the addresses, birth dates, and social security numbers of some 3 billion people.
The data goes back decades and even includes information on long-dead relatives. The size and scope of this hack rival a 2013 Yahoo! data breach that impacted billions of the website's users.
The breach was the impetus for a lawsuit from California resident Christopher Hofmann. He discovered that his data made it to the dark web after being notified by an identity theft monitoring company.
The plaintiff is seeking monetary compensation and changes to the way data is collected and handled by companies like National Public Data. In his complaint, Hofmann notes that the company scrapes the data from private sources without the individuals' consent.
The company does this to perform background checks, which utilize a wide range of digital data sources. Cliff Steinhauer from the nonprofit National Cybersecurity Alliance told CBS MoneyWatch that the scope of this breach likely includes "everyone with a Social Security number," though the information hasn't been confirmed.
"It's a reminder of the importance of protecting yourself, because clearly companies and the government aren't doing it for us," Steinhauer added. In his view as the organization's director of information security and engagement, Steinhauer contends that this is a hole in the legal system.
"They are data brokers that collect and sell data about people, sometimes for background check purposes. It's because there's no national privacy law in the U.S. — there is no law against them collecting this data against our consent," Steinhauer said.
Data breaches are a growing problem as information increasingly finds its way online through many sources. President Joe Biden attempted to keep it out of the hands of foreign adversaries with an executive order he signed in February.
CNN reported that the order was part of an effort to curb foreign nations' ability to compile data on Americans through online intermediaries. Transactions allow data brokers to siphon personal information, such as location, health information, and other useful data.
That information can then be used for anything from garden-variety identity theft to international blackmail. Because of this exposure, the administration targeted problematic nations in its effort to clamp down on the practice.
"Countries of concern, such as China and Russia, are buying Americans’ sensitive personal data from data brokers," a senior administration official warned at the time. A report declassified in 2023 revealed that intelligence agencies from all over the world, including the U.S., use this as an intelligence-gathering tactic.
Cyberattacks are a novel threat to personal and national security, and the number of victims is growing. Lawsuits and other actions are vital to stopping this threat, though it's clear more work must be done.