A case in the USA is currently causing a stir. The data broker National Public Data is said to have had a lot of data stolen. There is talk of almost three billion data records. This could make the data leak one of the biggest of all time.
Data leak at National Public Data in the USA?
National Public Data is a US-based background check company. The Florida-based data broker provides nationwide access to data from various public databases, court records and other sources.
According to the security portal Infosecurity Magazine, the company has since confirmed the incident in a statement: "It is suspected that a malicious third party attempted to hack into the data in late December 2023, with possible data leaks in April 2024 and summer 2024". Further details about the incident have not yet been released.
However, juicy details of the data leak emerge from a lawsuit filed on August 1, 2024 at the U.S. District Court in Fort Lauderdale (Florida) against Jerico Pictures Inc. The company operates National Public Data.
Affected party sues National Public Data
According to the lawsuit, a hacker group called USDoD allegedly published a database called "National Public Data" in a forum on the darknet on April 8. The group claims to be in possession of the personal data of 2.9 billion people. The hackers offered the database for sale for 3.5 million US dollars.
If the incident is confirmed, it could be one of the largest data breaches of all time in terms of the number of people affected. A data leak at Yahoo! in 2013 is estimated to have affected the data of 3 billion people.
The information disclosed included social security numbers, full names, addresses and information about relatives. This included people who had been deceased for almost two decades.
The Californian Christopher Hofmann has filed a lawsuit. On July 24, he was informed by his identity protection service that his data had been passed on in connection with a crime and published on the darknet. As Bloomberg Law reports, the plaintiff is not only demanding financial compensation from National Public Data. The company should also be obliged to delete the personal information of all those affected and to encrypt all data collected in future. In addition, an independent auditor is to evaluate the company's cyber security measures annually for the next ten years. The plaintiff points out that he never consented to his data being used by the company.
Link tip: Hofmann v. Jerico Pictures, Inc., S.D. Fla., No. 0:24-cv-61383
Is there now a national data protection law for the USA?
Criticism also comes from data protection advocates. Cliff Steinhauer is Director of Information Security at the National Cybersecurity Alliance, a non-profit organization that promotes internet security. For him, the problem is obvious: "This is because there is no national data protection law in the USA. There is no law that prohibits such companies from collecting this data without our consent," he explains to CBS News.
Could this incident be the straw that breaks the camel's back? With the GDPR, the EU has already shown how effective data protection can be implemented. This could also be a model for the USA.