National Public Data admits hackers stole Social Security numbers in massive breach reportedly affecting nearly all Americans

The company that was named in a class-action lawsuit filed by internet users who claim that the Social Security number of every American was stolen from its servers has confirmed that it was hacked by cybercriminals who obtained the sensitive data.

Jerico Pictures Inc., the Coral Springs, Fla.-based entity that does business as National Public Data, released a statement last week in which it acknowledged that “the information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”

NPD, which attributed the “data security incident” to an attempted hack by a “third-party bad actor,” released the statement on its website.

It said there was an attempted hack in December 2023 as well as “potential leaks of certain data in April 2024 and summer 2024.”

NPD, which conducts criminal background checks for employers and investigators “for some of the lowest fees in the industry,” did not specify how many people were affected.

The company said it had “cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records.”

NPD also said it undertook “additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems.”

The company said it would be reaching out to all of the affected users “so that you can take action which will assist to minimize or eliminate potential harm.”

NPD recommended that online users “closely monitor your financial accounts and if you see any unauthorized activity, you should promptly contact your financial institution.”

Social Security number holders are also being encouraged to contact the three large credit reporting agencies — Equifax, Experian and TransUnion — in order to obtain a free credit report as well as to place a fraud alert on their file.

Fraud alerts, which are free of charge, lets creditors know that they should contact you in case someone tries to open any new accounts or change existing accounts that are under your name.

At least eight separate lawsuits have been filed against NPD since Aug. 1, when news of the breach came to light.

Christopher Hoffman, a California resident, filed suit on Aug. 1 alleging that a cybercriminal group called “USDoD” posted a database on the dark web which is said to have contained the personal data of 2.9 billion people.

The group put the database up for sale for $3.5 million, according to the lawsuit, which was first reported by Bloomberg Law.

Hoffman’s lawsuit alleges that the hackers obtained data about relatives and past addresses dating back at least three decades.

NPD is accused in the lawsuit of negligence and breaches of fiduciary duty. The lawsuit does not specify how much in damages Hoffman is seeking.