National Public Data files for bankruptcy, admits 'hundreds of millions' potentially affected

One-man-band faces a mountain of lawsuits but has few assets


The Florida business behind data brokerage National Public Data has filed for bankruptcy, admitting "hundreds of millions" of people were potentially affected in one of the largest information leaks of the year.

In June, the hacking group USDoD put a 277.1 GB file of data online that contained information on about 2.9 billion individuals, and asked $3.5 million for it. The data came from National Public Data - a data brokerage owned by Jerico Pictures - which offered background checks to corporate clients via its API.

NPD confirmed it had been hacked in an attack in December 2023 and initially said just 1.3 million people had lost personal details, such as "name, email address, phone number, social security number, and mailing address(es)." But in the court documents filed for bankruptcy, the business concedes the total is much higher.

"The debtor is likely liable through the application of various state laws to notify and pay for credit monitoring for hundreds of millions of potentially impacted individuals," the bankruptcy petition [PDF] from Jerico Pictures states.

"As the debtor’s schedules indicate, the enterprise cannot generate sufficient revenue to address the extensive potential liabilities, not to mention defend the lawsuits and support the investigations. The debtor’s insurance has declined coverage."

According to the filing, the organization is facing more than a dozen class-action lawsuits over the data loss and potential "regulatory challenges" from the FTC and more than 20 US states. Any plaintiffs will have a hard time getting any money out of Jerico, however, since the documents state the business has very limited physical assets.

According to the accounting document [PDF], the sole owner and operator, Salvatore Verini, Jr, operated the business out of his home office using two HP Pavilion desktop computers, valued at $200 each, a ThinkPad laptop estimated to be worth $100, and five Dell servers worth an estimated $2,000.

It lists $33,105 in a corporate checking account in New York as its assets, although the business pulled in $1,152,726 in the last financial year, and estimates its total assets at between $25,000 and $75,000.

It also lists 27 domains with a value of $25 apiece. These include the corporate website - now defunct - as well as a host of other URLs including criminalscreen.com, RecordsCheck.net, and asseeninporn.com.

This isn't the first time a data brokerage has been hacked and it won't be the last, we're told.

The National Public Data incident shows the need for clear state and local laws on data privacy, Lena Cohen, staff technologist for the EFF, told The Register. "The data broker industry is the wild west of unregulated surveillance," she said. "It's a vast, interconnected, opaque industry with hundreds of companies people have never heard of making billions of dollars per year selling your personal data. Without strong privacy legislation individuals face an uphill battle sorting things out in cases like this."

Without strong privacy laws, companies in the sector have every incentive to collect as much personal data as possible and very little incentive to actually protect it, she commented. Such laws would be useful at a federal level, but even those states with privacy laws on their statute books have difficulty enforcing them.

There was no comment from Mr. Verini at the time of publication. ®

Editor's note: This story was amended post-publication with comment from the EFF.
