What Happened
National Public Data (operated by Jerico Pictures, Inc.), a background check and data broker service, suffered a breach that exposed approximately 2.9 billion records containing Social Security numbers, names, addresses, and other personal information of individuals in the US, UK, and Canada. The breach data was first offered for sale on dark web forums in April 2024 for $3.5 million, and subsequently leaked in full for free in August 2024.
The company filed for Chapter 11 bankruptcy in October 2024, citing the financial burden of class-action lawsuits and regulatory investigations resulting from the breach.
How It Happened
Details of the initial compromise remain limited. The threat actor USDoD (also known as EquationCorp) claimed responsibility and first listed the data for sale on the Breached hacking forum in April 2024. National Public Data acknowledged a “security incident” but provided minimal details about the attack vector.
The company’s business model involved scraping and aggregating personal data from public records, court filings, and other sources to sell background check services. This aggregated dataset, which contained SSNs alongside names, addresses, and relatives, made the breach particularly dangerous for identity theft.
Exposed Data
The breach exposed full Social Security numbers for US individuals, full names including aliases and maiden names, current and historical addresses spanning decades, full dates of birth, current and historical phone numbers, names and relationships of family members, and national identification numbers for UK and Canadian individuals.
Timeline
Initial unauthorized access to National Public Data systems occurred in approximately December 2023. In April 2024, threat actor USDoD listed 2.9 billion records for sale for $3.5 million on the dark web. Partial data leaks began appearing on hacking forums in June 2024. The complete dataset was leaked for free on the Breached forum in August 2024. Class-action lawsuits were filed in Florida federal court that month. National Public Data acknowledged the breach on its website in August 2024. Multiple state attorneys general launched investigations in September 2024. Jerico Pictures filed Chapter 11 bankruptcy in October 2024.
Scale and Impact
The 2.9 billion record count includes duplicate and historical records. The actual number of unique individuals affected is estimated at approximately 270-300 million, which still represents the majority of the US adult population.
The combination of SSN, name, date of birth, and address is sufficient to commit identity fraud, open credit accounts, file fraudulent tax returns, and access existing financial accounts. Unlike payment card data, Social Security numbers cannot be easily changed or rotated.
Data Broker Accountability
The breach intensified scrutiny of the data broker industry. Data brokers aggregate massive datasets with minimal security oversight. No federal law specifically regulates data broker security practices. Many consumers were unaware that National Public Data held their information. The company’s bankruptcy filing may limit victims’ ability to recover damages.
Regulatory Response
Multiple state attorneys general launched investigations. There was renewed congressional interest in federal data broker regulation. The Consumer Financial Protection Bureau proposed rules restricting data broker activities. Several states introduced bills requiring data brokers to register and meet minimum security standards.
Key Lessons
Data brokers represent a massive, underregulated attack surface, aggregating the most sensitive personal data with often minimal security investment. Using the SSN as a national identifier is fundamentally insecure when it cannot be rotated after compromise. Breach bankruptcy is an increasing trend, as companies without sufficient cyber insurance or reserves simply cannot survive the legal and regulatory costs of a major breach. Consumers have no visibility into which data brokers hold their information and no practical way to opt out of all of them.