A new lawsuit is claiming hackers have gained access to the personal information of “billions of individuals,” including their Social Security numbers, current and past addresses and the names of siblings and parents — personal data that could allow fraudsters to infiltrate financial accounts or take out loans in their names. 

The allegation arose in a lawsuit filed earlier this month by Christopher Hofmann, a California resident who claims his identity theft protection service alerted him that his personal information had been leaked to the dark web by the “nationalpublicdata.com” breach. The lawsuit was earlier reported by Bloomberg Law.

The breach allegedly occurred around April 2024, with a hacker group called USDoD exfiltrating the unencrypted personal information of billions of individuals from a company called National Public Data (NPD), a background check company, according to the lawsuit. Earlier this month, a hacker leaked a version of the stolen NPD data for free on a hacking forum, tech site Bleeping Computer reported. 

That hacker claimed the stolen files include 2.7 billion records, with each listing a person’s full name, address, date of birth, Social Security number and phone number, Bleeping Computer said. 

NPD didn’t immediately respond to a request for comment. 

Here’s what to know about the alleged hack. 

What is National Public Data? 

National Public Data is a data company based in Coral Springs, Florida, that provides background checks for employers, investigators and other businesses that want to check people’s backgrounds. Its searches include criminal records, vital records, SSN traces and more information, its website says.

What happened with the USDoD hack?

According to the new lawsuit, USDoD on April 8 posted a database called “National Public Data” on the dark web, claiming to have records for about 2.9 billion individuals. It was asking for a purchase price of $3.5 million, the lawsuit claims. 

However, Bleeping Computer reported that the file was later leaked for free on a hacker forum, as noted above. 

Did NPD alert individuals about the hack? 

It’s unclear, although the lawsuit claims that NPD “has still not provided any notice or warning” to Hoffman or other people affected by the breach. 

“In fact, upon information and belief, the vast majority of Class Members were unaware that their sensitive [personal information] had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm,” the lawsuit claims. 

Information security company McAfee reported that it hasn’t found any filings with state attorney generals. Some states require companies that have experienced data breaches to file reports with their AG offices. 

What should I do to protect my information?

Security experts recommend that consumers put freezes on their credit files at the three big credit bureaus, Experian, Equifax and TransUnion. 

Freezing your credit is free, and it will stop bad actors from taking out loans or opening credit cards in your name. 

You can also get a tracking service that will alert you if your data appears on the dark web. And you should make sure to enroll in two-factor authentication, which will make it tougher for hackers to get access to your accounts.