Hackers Try to Sell Personal Info of 3 Billion People After April Data Breach

Threat Actor: USDoD | USDoD
Victim: Jerico Pictures Inc. (National Public Data) | Jerico Pictures Inc. (National Public Data)
Price: $3,500,000
Exfiltrated Data Type: Personally Identifiable Information (PII)

Key Points :

  • Jerico Pictures Inc. exposed the personal information of nearly 3 billion individuals in an April data breach.
  • The data breach was announced by the threat actor USDoD on April 8, 2024.
  • USDoD attempted to sell the personal data of 2.9 billion individuals for $3.5 million on a dark web forum.
  • The database contains sensitive information including full names, addresses, Social Security numbers, and family information.
  • The data breach could be among the largest ever recorded, according to experts.
  • Researchers confirmed the authenticity of the data, which is 277.1GB uncompressed.
  • The database does not include information from individuals who opted out of data sharing services.
  • It also contains records of deceased individuals.

Jerico Pictures Inc., operating as National Public Data, exposed the personal information of nearly 3 billion individuals in an April data breach.

A proposed class action claims that Jerico Pictures Inc., operating with the National Public Data, exposed the personal information of nearly 3 billion individuals in a data breach that occurred in April.

On April 8, a threat actor that uses the moniker of USDoD announced the sale of a “National Public Data” database on a dark web forum.

USDoD attempted to sell the personal data of 2.9 billion individuals, they put the data up for sale for $3,500,000.

“On April 8, a cybercriminal group by the name of USDoD posted a database entitled “National Public Data” on a dark web forum, claiming to have the personal data of 2.9 billion people, according to the complaint filed Thursday in the US District Court for the Southern District of Florida, which said the group put the database up for sale for $3.5 million.” reported Bloomberg law.

The experts pointed out that this data breach could be among the biggest ever.

The National Public Data gathers data on billions of individuals by scraping their personally identifying information from non-public sources. The plaintiff and class members did not knowingly provide their PII to the defendant.

“This class action arises out of the data breach that upon information and belief occurred in or around April of 2024 involving Defendant NPD (the “Data Breach”), a background check company that allows its customers to search billions of records with instant results.” reads the complaint filed Thursday in the US District Court for the Southern District of Florida. “Plaintiff brings this Complaint against Defendant for its failure to properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices. Upon information and belief, such sensitive information includes, but is not limited to, Plaintiff’s and Class Members’ full names; current and past addresses (spanning at least the last three decades); Social Security numbers; information about parents, siblings, and other relatives (including some who have been deceased for nearly 20 years); and/or other personal information (collectively defined herein as “PII”).”

Researchers from VX-underground reviewed the archive (277.1GB uncompressed) and confirmed the that data is real and accurate. The experts noticed that the database doesn’t contain information from individuals who use data opt-out services. People who did not use data opt-out services and resided in the United States were immediately found. The archive also contains data on deceased individuals.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)