A class-action complaint has been filed against a background-check company in connection to a data breach in April that exposed sensitive personal data of more than 2.9 billion people that the hackers later reportedly tried to sell on the dark web for $3.5 million.

The complaint, filed August 1 in a U.S. District Court in South Florida, accuses Jerico Pictures – operating as National Public Data – of failing to properly protect the personally identifiable information (PII) that it collected, including individuals’ names, current and previous addresses dating back at least three decades, Social Security numbers, and information about parents, siblings, and other relatives, some of whom have been dead for more than 20 years.

The plaintiffs, with Christoper Hofmann of California named as the lead plaintiff, also argue in the 50-page complaint that they never gave National Public Data permission to collect their information. Instead, the company scrapes the information from non-public sources, they said.

“By obtaining, collecting, using, and deriving a benefit from the PII of Plaintiff and Class Members, Defendant assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion,” they argue.

Complaint Seeks Monetary Payment, Reforms

The plaintiffs are asking the court to order National Public Data to pay a financial penalty. In addition, they also want National Public Data take steps to better manage and protect data, including segmenting data, running database scans, and putting a threat-management program in place. In addition, the court should require the company to bring in a third-party assessor to evaluate its cybersecurity protections every year for 10 years.

According to National Public Data, the company gets data from such sources as public record databases, national and state databases, and court records, and then sells the information to wide range of organizations, including background check websites, investigators, mobile app developers, and data resellers.

The information can be accessed through the company’s API to integrate into applications, mobile apps, websites, and documents or delivered in XML to embed into applications and website, according to National Public Data’s site. It also will develop custom XML feeds for customers.

Stolen Data Goes Up for Sale

According to the complaint, National Public Data’s networks were breached sometime before April, with a cybercriminal group called USDoD on April 8 posting on a dark web forum called “Breached” a databased titled “National Public Data.” The hackers said they had the personal data of 2.9 billion people and offered to sell the database for $3.5 million, the plaintiffs said.

The company has yet to reveal details about the breach and it hasn’t yet sent out notice to those whose data was stolen, according to the complaint. Hofmann learned about the breach July 24, when the identity theft protection service he uses notified him that his personal information was among that stolen in the incident and appeared on the dark web.

He never gave his data to National Public Data nor would have done so without being assured that it was maintained as confidential and that the company would keep it that way and put effective protections around it.

The plaintiffs claim the data stolen was not encrypted or redacted and noted that VX-Underground, which collects information about malware and cybersecurity, posted about the breach and claims by the USDoD group and later analyzed a 277.1GB file from the hacker gang, verifying that data it contained was real and accurate.

The VX-Underground group also noted while the information of people who don’t use a data opt-out service and lived in the United States did have their data stolen, the file didn’t contain information from those who did use such a service.

Information Comes Out

Reports about the data breach began surfacing in early June, with reports saying the stolen information belonged to residents in the United States, Canada, and the UK and that it was hackers using the name SXUL who were responsible for the breach and then passed the files to USDoD, which was a data broker.

“This unencrypted, unredacted PII was compromised, published, and then sold on the Dark Web, due to Defendant’s negligent and/or careless acts and omissions and their utter failure to protect customers’ sensitive data,” the complaint reads. “Hackers targeted and obtained Plaintiff’s and Class Members’ PII because of its value in exploiting and stealing the identities of Plaintiff and Class Members. The present and continuing risk to victims of the Data Breach will remain for their respective lifetimes.”

There were multiple security practices that National Public Data should have had in place, including an awareness and training program for employees, strong spam filters to catch phishing emails, scans for all incoming and outgoing emails, and firewalls configured to block access to known malicious IP addresses.

“The occurrence of the Data Breach indicates that Defendant failed to adequately implement one or more of the … measures to prevent cyberattacks, resulting in the Data Breach and the exposure of the PII of allegedly billions of individuals, including that of Plaintiff and Class Member,” the complaint says.