In August 2024, a previously obscure data broker called National Public Data confirmed a breach that exposed approximately 2.9 billion records containing sensitive personal information, including 272 million unique Social Security numbers. The breach, potentially affecting 170 million individuals in the US, UK, and Canada, ranks as one of the largest data exposures in history and has raised fundamental questions about the unregulated data broker industry.
Breach scope
| Metric | Value |
|---|
| Total records | 2.9 billion |
| Unique SSNs | 272 million |
| Individuals affected | Up to 170 million |
| Countries | US, UK, Canada |
| Data broker | National Public Data (Jerico Pictures) |
Data exposed
| Data type | Included |
|---|
| Full legal names | Yes |
| Social Security numbers | Yes |
| Current addresses | Yes |
| Historical addresses | Yes (decades of history) |
| Dates of birth | Yes |
| Phone numbers | Yes |
| Relatives and associates | Yes |
Timeline
| Date | Event |
|---|
| December 2023 | Initial breach attempts begin |
| April 2024 | Primary data exfiltration occurs |
| April 2024 | Hacker “USDoD” offers data for $3.5 million |
| July 2024 | Data begins appearing on dark web forums |
| August 6, 2024 | Free database dump posted online |
| August 16, 2024 | National Public Data confirms breach |
| October 2, 2024 | Jerico Pictures files Chapter 11 bankruptcy |
| December 2024 | National Public Data shuts down |
The data broker nobody knew
What is National Public Data?
| Aspect | Details |
|---|
| Legal entity | Jerico Pictures, Inc. |
| Location | Coral Springs, Florida |
| Business model | Aggregating and selling personal data |
| Data sources | Public records, other data brokers |
| Customers | Background check services, skip tracers |
| Regulation | Effectively none |
How they obtained the data
| Source | Method |
|---|
| Public records | Court records, property filings |
| Other data brokers | Purchased aggregated datasets |
| Scraping | Web scraping of public sources |
| Data enrichment | Combining sources to build profiles |
Most individuals whose data was exposed had never heard of National Public Data and did not knowingly provide their information to the company.
Threat actor: USDoD
The breach was claimed by a threat actor using the handle “USDoD”:
| Detail | Information |
|---|
| Initial asking price | $3.5 million |
| Forum | BreachForums |
| Final action | Free public release |
| Motivation | Unknown (financial or notoriety) |
After failing to sell the data privately, USDoD released the entire database publicly, maximizing the damage.
Verification and analysis
Troy Hunt analysis
Security researcher Troy Hunt (Have I Been Pwned) analyzed the leaked data:
| Finding | Details |
|---|
| Record count | 2.9 billion rows |
| Unique SSNs | 272 million |
| SSN accuracy | High (verified against known data) |
| Data age | Some records decades old |
| Deceased individuals | Many included |
Data quality issues
| Issue | Observation |
|---|
| Outdated information | Many old addresses |
| Deceased individuals | Included in dataset |
| Duplicates | Multiple records per person |
| Errors | Some SSN/name mismatches |
While imperfect, the data is accurate enough to enable identity theft and fraud at massive scale.
Impact and fallout
Consumer impact
| Risk | Description |
|---|
| Identity theft | SSN exposure enables account fraud |
| Tax fraud | Fraudulent tax returns using stolen SSNs |
| Financial fraud | Credit applications, loan fraud |
| Long-term exposure | SSNs cannot be changed like passwords |
Class action litigation
| Status | Details |
|---|
| Lawsuits filed | 14+ federal suits |
| Consolidated litigation | MDL in Southern District of Florida |
| Claims | Negligence, breach of implied contract |
| Outcome | Pending (company bankrupted) |
Bankruptcy
| Date | Action |
|---|
| October 2, 2024 | Chapter 11 bankruptcy filed |
| Stated reason | Cannot afford credit monitoring for victims |
| Implication | Victims likely to receive minimal compensation |
| December 2024 | Company ceased operations |
Congressional response
House Oversight Committee investigation
| Action | Status |
|---|
| Investigation launched | August 2024 |
| Focus areas | Data broker practices, security standards |
| Testimony requested | From company executives |
Legislative proposals
| Proposal | Description |
|---|
| Data broker regulation | Mandatory security standards |
| Consumer notification | Breach notification requirements |
| Data minimization | Limits on data retention |
| Right to deletion | Consumer control over data |
The data broker problem
Industry overview
| Characteristic | Reality |
|---|
| Regulation | Minimal federal oversight |
| Consumer awareness | Most people unaware of data collection |
| Security standards | No mandatory requirements |
| Data retention | Often indefinite |
Scale of the industry
| Metric | Estimate |
|---|
| Data brokers in US | 4,000+ |
| Industry revenue | $200+ billion annually |
| Records per person | Average American in 500+ databases |
How data brokers operate
| Step | Process |
|---|
| 1. Collection | Aggregate from multiple sources |
| 2. Enrichment | Combine sources to build profiles |
| 3. Sale | Sell to businesses, investigators, anyone |
| 4. Repeat | Continuously update with new data |
Protecting yourself
| Action | Purpose |
|---|
| Freeze credit | Prevent fraudulent credit applications |
| Monitor credit reports | Detect unauthorized activity |
| Review financial accounts | Identify suspicious transactions |
| Enable fraud alerts | Additional verification on credit applications |
Credit freeze instructions
| Bureau | Contact |
|---|
| Equifax | equifax.com/personal/credit-report-services |
| Experian | experian.com/freeze/center.html |
| TransUnion | transunion.com/credit-freeze |
Credit freezes are free and can be temporarily lifted when you need to apply for credit.
Long-term vigilance
| Practice | Frequency |
|---|
| Review credit reports | Annually (minimum) |
| Monitor financial accounts | Weekly |
| Watch for tax fraud | File taxes early |
| Consider identity monitoring | Ongoing service |
Check if you’re affected
HaveIBeenPwned
Troy Hunt added the National Public Data breach to haveibeenpwned.com:
| Resource | URL |
|---|
| Email check | haveibeenpwned.com |
| Phone number check | Available |
| SSN check | Not provided (too sensitive) |
Context
The National Public Data breach exposes a fundamental problem in the digital economy: companies most people have never heard of possess their most sensitive information, often without adequate security controls or regulatory oversight.
Key issues:
| Problem | Implication |
|---|
| No security standards | Data brokers set their own (often minimal) security |
| No consumer relationship | Victims had no way to know their data was at risk |
| Bankruptcy escape | Company avoids full accountability |
| SSN exposure | Permanent damage—SSNs cannot be changed |
The breach has renewed calls for comprehensive data broker regulation, including:
| Reform | Purpose |
|---|
| Mandatory security standards | Baseline protection requirements |
| Data minimization | Limit collection and retention |
| Consumer notification | Right to know when data is collected |
| Right to deletion | Consumer control over data |
For now, the 170 million affected individuals are left to protect themselves through credit freezes and ongoing monitoring, while the company that failed to protect their data has simply ceased to exist.
The National Public Data breach is a case study in regulatory failure: an industry that profits from personal data without adequate accountability for protecting it.
