National Public Data Breach 2024
Breach Summary
The National Public Data breach of 2024 was one of the largest data breaches in US history by scope, exposing Social Security numbers, addresses, and personal information for approximately 2.9 billion individuals from a data aggregation company most people had never heard of. The breach illustrated the privacy risks of the data broker industry and the compounding harm of data aggregated without the knowledge or consent of the individuals whose information was compiled.
What Happened
The breach was first reported in April 2024 when stolen data began appearing on hacking forums. The full scope became apparent in August 2024 when a 277GB database was posted publicly. National Public Data's parent company, Jerico Pictures, disclosed the breach and filed for bankruptcy in October 2024 following dozens of class action lawsuits. The breach affected individuals who had no direct relationship with National Public Data.
Attack Vector Detail
National Public Data, a Florida-based data broker that aggregates public records for background check services, was breached by a hacking group in April 2024. The stolen database — which contained names, Social Security numbers, current and previous addresses, and phone numbers compiled from public records — began appearing on hacking forums in April 2024 and was eventually posted publicly in August 2024 in a 277GB compressed file.
The breach was initially reported by cybersecurity researcher Troy Hunt, who analyzed the leaked data and found approximately 900 million unique Social Security numbers. Many individuals in the database were deceased. The data represented years of data broker aggregation from court records, property records, voter registration, and other public records.
Breach Pattern Timeline
December 2023 - April 2024
Threat actor 'USDoD' obtains a database from National Public Data (NPD), a background check data broker that aggregates SSNs, names, addresses, and other PII without most affected individuals' knowledge. NPD is a small operation (run by a single individual) sourcing from public records and brokered data feeds.
April 2024
USDoD attempts to sell the database for $3.5 million on hacking forums. Initially generates limited interest.
June-July 2024
Database circulates among threat actors. Class action lawsuits filed against NPD parent company Jerico Pictures Inc.
August 6, 2024
Per court filings in the class action, the NPD breach scope is 2.9 billion records (much of it duplicate/overlapping) covering ~272 million unique individuals, possibly the largest U.S. PII breach in history by record count. Includes virtually all U.S. and Canadian SSNs.
August 12, 2024
NPD itself confirms the breach via SEC filing. Data confirmed to include SSNs, names, addresses, dates of birth, and (for some records) phone numbers and prior addresses.
August-September 2024
Industry-wide credit monitoring sign-up surge. SSN reissuance recommendations from privacy advocates. Federal and state-level discussion of data broker regulation accelerates.
October 2024
NPD parent company Jerico Pictures Inc. files for Chapter 11 bankruptcy. Class action consolidation continues against NPD assets in bankruptcy.
2024-2026
The NPD breach becomes a foundational precedent for data broker regulation. CFPB and FTC accelerate data broker rule-making. State data privacy laws (Texas, California) tighten data broker requirements. The breach demonstrates the systemic risk of unregulated PII aggregation.
Total impact: ~272 million unique individuals affected (virtually all U.S. and Canadian SSNs exposed), 2.9B total records, NPD parent files Chapter 11, foundational precedent for data broker regulation and the systemic risk of unregulated PII aggregation.
Executive Lessons
National Public Data established that data broker companies aggregating sensitive identity data on hundreds of millions of individuals represent systemic privacy risk — concentrated repositories of SSNs, addresses, and family member data that, when breached, affect individuals who never consented to their data being collected. The breach also illustrated that data broker security practices have not scaled to match the sensitivity of the data they aggregate.
Private Equity Implications
For PE sponsors evaluating data broker, data aggregation, or background check businesses, National Public Data established that these businesses carry catastrophic data breach liability. The liability scale (billions of individuals across 50 states) and the emerging regulatory focus on data broker security create an M&A risk profile that requires specific attention in cyber due diligence.