If verified, one of the largest breaches ever of personal information of Americans, Canadians, and UK persons went up for sale on a hacking forum on April 7. While researchers and analysts watched and started investigating the listing, the background checks firm allegedly responsible for the data remained silent, neither confirming nor refuting the claimed breach. Four months later, the data have all been leaked for free and the public is still waiting for answers from the firm that allegedly owns the data and was responsible for its security.
Unsurprisingly, lawsuits followed the breach, and with the lawsuits came the headlines. Security Affairs reports on one proposed class action lawsuit that claims that Jerico Pictures Inc., operating as National Public Data, exposed the personal information of nearly 3 billion individuals in the April breach.
[The Data Breach Times notes that the forum sales listing was for 2.9 billion records. The threat actor who listed the data for sale for $3.5 million did not claim that there was data on 2.9 billion unique people.]
The data was initially verified as real by VX-underground, who noted that it did not contain information from individuals who use opt-out services. Their observation may have been a bit optimistic, as this news hound used opt-out services, but accurate data was still found in the data set.
From Hofmann v. Jerico Pictures:
Plaintiff brings this Complaint against Defendant for its failure to properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices. Upon information and belief, such sensitive information includes, but is not limited to, Plaintiff’s and Class Members’ full names; current and past addresses (spanning at least the last three decades); Social Security numbers; information about parents, siblings, and other relatives (including some who have been deceased for nearly 20 years); and/or other personal information (collectively defined herein as “PII”).
The original forum posting of April 7 by forum user @USDoD was removed, but the entire data set has subsequently been leaked for free on the forum, with attribution for the breach now listed as “SXUL.” The leaked data are in .csv format and reportedly contain the following data fields:
ID,firstname,lastname,middlename,name_suff,dob,address,city,county_name,st,zip,phone1,aka1fullname,aka2fullname,aka3fullname,StartDat,alt1DOB,alt2DOB,alt3DOB,ssn
With all of the data now freely available to anyone and everyone, consumers may wish to be proactive to guard against fraud or identity theft:
- Check your monthly banking statements and credit card accounts carefully to see if there are any unusual charges or suspicious transactions.
- Do not give out any personal information on the phone or via email if contacted by people claiming to be from NPD or Jerico Pictures. Be sure to warn elderly family members or those who may not be aware of the breach not to give out personal information to anyone who contacts them, even if the person contacting them seems to know a lot about them.
- If you or your family members do not need to open any new accounts that require credit checks, you may wish to place a security freeze on your credit report. That will stop anyone from opening new accounts by using your information if the merchant needs to run a credit check before they open the account. You can read more about how to place a security freeze only at Experian, where you can place a freeze for free and remove it when you need to. Be sure to read their FAQ to find links to repeat the freezing process at Equifax and TransUnion too.
- To the extent VX-underground was right about those who use opt-out services, you might want to explore that so the next time there is a disastrous breach of this kind, you may have less to deal with.