Case ID
National Public Data 2024: the breach that bankrupted the broker that caused it.
National Public Data was a Florida background-check broker that aggregated personal records about people it had no direct relationship with. In April 2024 a threat actor using the handle USDoD advertised roughly 4 terabytes of its data, said to be 2.9 billion rows, on a criminal forum for $3.5 million. The leaked file was later found to contain about 272 million unique Social Security numbers. The company had no realistic way to pay credit-monitoring liability at population scale: its parent, Jerico Pictures, Inc., filed for Chapter 11 in October 2024 and the operation shut down by December 2024. The cost here is not a disclosed dollar figure; it is the destruction of the company and a population-scale exposure that no one was left solvent to remediate.
| Metric | Value | Note |
|---|---|---|
| Records advertised | 2.9B | Rows offered on BreachForums |
| Unique SSNs in leak | 272M | Analysis of the leaked file |
| Sale price asked | $3.5M | USDoD listing, April 2024 |
| Company outcome | Bankrupt | Chapter 11, shut down Dec 2024 |
Section NPD.1
How a background-check broker leaked a nation's SSNs
National Public Data operated as a data broker: it aggregated personal records (names, addresses, dates of birth, Social Security numbers and phone numbers) scraped and purchased from non-public and public sources, then sold background-check and people-search lookups against that aggregate. The individuals in the database were never customers and in most cases had no idea the company held their data. That structural fact is what makes the incident distinct from a corporate breach: there was no customer relationship, no account list, and no pre-existing notification channel to the people exposed.
Intrusion attempts began as early as December 2023. The main exfiltration occurred around April 2024, when the threat actor using the handle USDoD posted a sales thread on the BreachForums criminal marketplace offering roughly 4 terabytes of data, described as 2.9 billion rows, for $3.5 million. Portions of the database circulated and were eventually leaked in full over the following months. National Public Data did not acknowledge the incident publicly until 16 August 2024, after class-action complaints had already been filed.
Independent analysis followed quickly. KrebsOnSecurity reported the leaked file contained about 272 million unique Social Security numbers, and security researcher Troy Hunt, who loaded the data into Have I Been Pwned, found roughly 134 million unique email addresses within it. The records covered individuals in the United States, the United Kingdom and Canada.
Section NPD.2
2.9 billion records is not 2.9 billion people
The headline figure quoted everywhere is 2.9 billion, and it is routinely misreported as 2.9 billion people, which would exceed the combined population of the US, UK and Canada several times over. It does not mean that. The 2.9 billion is a row count, and the file holds many rows per person: a separate row for each current and historical address attached to an identity. When researchers de-duplicated to unique identities, the picture changed sharply.
| Quantity | Figure | What it actually measures |
|---|---|---|
| Records advertised | 2.9 billion rows | Address-level rows, heavily duplicated per person |
| Unique Social Security numbers | ~272 million | Distinct SSNs in the leaked file (KrebsOnSecurity) |
| Unique email addresses | ~134 million | Distinct emails loaded to Have I Been Pwned (Troy Hunt) |
| Records with a phone number | ~26% | Share of rows that carried a phone number |
Two further caveats shrink the real exposure. A significant portion of the SSNs belonged to deceased individuals, with the average age of the people in the file estimated at around 70, and the SSN count of roughly 272 million is itself below the number of living people in the covered countries with an SSN-equivalent identifier. The widely-cited estimate of people meaningfully at risk is closer to 170 million than to 2.9 billion. The gap between the two numbers is exactly the kind of record-versus-person distinction that makes per-record breach cost unreliable at extreme scale: multiplying a $160 per-record figure across 2.9 billion rows would imply a cost approaching half a trillion dollars, which is nonsense. See the per-record cost analysis for why fixed-cost amortisation collapses the effective per-record figure on breaches this large.
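An added example, not taken from the original page or its sources: a Python sketch of the de-duplication that turns an address-level row count into an identity count, run on constructed rows. The field names, the demo key and the function names are assumptions made for illustration; the $160 default is the per-record figure quoted above.

```python
import hashlib
import hmac
import re

# Constructed sample rows (not from the leak): one row per address, so the
# same person appears several times, as in the file described above.
SAMPLE_ROWS = [
    {"name": "A. Example", "ssn": "000-00-0001", "address": "1 Oak St", "phone": "555-0100"},
    {"name": "A. Example", "ssn": "000000001", "address": "9 Elm Ave", "phone": ""},
    {"name": "A EXAMPLE", "ssn": "000 00 0001", "address": "4 Pine Rd", "phone": ""},
    {"name": "B. Sample", "ssn": "000-00-0002", "address": "7 Main St", "phone": ""},
    {"name": "B. Sample", "ssn": "000-00-0002", "address": "2 Lake Dr", "phone": "555-0101"},
    {"name": "C. Placeholder", "ssn": "", "address": "3 Hill Ct", "phone": ""},
]

def ssn_token(raw, key):
    """Normalise an SSN to 9 digits and return a keyed hash, or None if unusable."""
    digits = re.sub(r"\D", "", raw or "")
    if len(digits) != 9:
        return None
    # A keyed hash lets the analyst count identities without keeping raw SSNs.
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

def breach_scope(rows, key, per_record_cost=160):
    """Compare the row count with the distinct-identity count for one data set."""
    tokens = set()
    rows_total = rows_no_ssn = rows_with_phone = 0
    for row in rows:
        rows_total += 1
        if (row.get("phone") or "").strip():
            rows_with_phone += 1
        token = ssn_token(row.get("ssn"), key)
        if token is None:
            rows_no_ssn += 1          # cannot be tied to an identity by SSN
        else:
            tokens.add(token)         # formatting variants collapse to one token
    return {
        "rows": rows_total,
        "unique_ssns": len(tokens),
        "rows_without_usable_ssn": rows_no_ssn,
        "phone_share": rows_with_phone / rows_total if rows_total else 0.0,
        # Both figures are naive multiplications; the gap between them is the point.
        "cost_by_row": rows_total * per_record_cost,
        "cost_by_identity": len(tokens) * per_record_cost,
    }

if __name__ == "__main__":
    print(breach_scope(SAMPLE_ROWS, key=b"constructed-demo-key"))
```

On the constructed sample, six rows collapse to two distinct SSNs, so a cost multiplied by rows is three times the same multiplication by identities.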
Section NPD.3
The cost of a breach with no one left to bill
There is no disclosed dollar cost for National Public Data, and there never will be a clean one, because the entity that incurred the cost ceased to exist. National Public Data was a thinly-capitalised broker, not a public company with reserves and an insurance tower. The single largest liability a breach of this kind generates is credit monitoring and identity-theft protection for the affected population, and at 170 million-plus people that liability runs into the billions before any settlement or regulatory penalty is counted. The company had no capacity to absorb it.
The result was insolvency rather than a balance-sheet charge. Facing more than a dozen lawsuits and potential liability for credit monitoring across hundreds of millions of people, the parent company Jerico Pictures, Inc. filed for Chapter 11 bankruptcy on 2 October 2024, and the operation wound down by December 2024. For a breached organisation with no ability to pay, bankruptcy is the cost: it transfers the unremediated exposure to the victims, who are left to absorb the fraud risk themselves, and to the credit bureaus and downstream services that field the fallout.
This is the same end-state seen in the 23andMe case, where a breach pushed an already-fragile company into bankruptcy, but the National Public Data version is more extreme: the people whose data was lost were never customers, never consented, and in most cases never knew the company existed until their SSN appeared on a leak forum. The recoverable cost for victims through litigation is constrained by what a bankrupt estate can pay, which is typically a fraction of the headline claim.
Section NPD.4
The litigation: Hofmann v. Jerico Pictures
The first widely-reported complaint was a proposed class action filed on 1 August 2024 by California resident Christopher Hofmann in the US District Court for the Southern District of Florida (Fort Lauderdale), captioned Hofmann v. Jerico Pictures, Inc. It alleged that the company failed to adequately secure the data and failed to notify affected individuals promptly. Within weeks at least three class actions and more than a dozen federal complaints had been filed, and, given that the breach affected nearly all US adults, the proceedings were positioned for consolidation into multidistrict litigation in the Southern District of Florida.
The litigation faces the structural problem common to data-broker breaches: standing and the proof of concrete injury. A plaintiff must generally show actual or imminent harm rather than the mere fact of exposure, and with an SSN-heavy file circulating freely, attributing a specific instance of identity theft to this breach rather than to one of the many other leaks of the same data is difficult. Combined with the bankruptcy of the defendant, the practical recovery available to any individual class member is small, even though the aggregate exposure is one of the largest ever recorded.
Section NPD.5
Why data-broker breaches are structurally different
A corporate breach exposes the data of an organisation's own customers, who have an account, a contract, and a notification channel. The breached company can notify them, offer monitoring, and is large enough to be sued and to pay. A data-broker breach inverts all three. The exposed individuals have no relationship with the broker, so there is no list to notify and no email or account to reach them through; the broker is typically small relative to the scale of data it holds, so it cannot pay the liability it has created; and because the same aggregated data is sold and resold across the broker industry, the marginal harm of any single broker's breach is hard to isolate.
The policy lesson the case sharpened is that the cost of holding sensitive data at population scale is wildly mismatched with the capital of the firms holding it. A broker can aggregate the SSNs of an entire country with a handful of employees and no meaningful security budget, yet generate liability measured in billions when that aggregate leaks. The breach intensified calls for broker registration, deletion rights, and minimum-security obligations under state privacy regimes; the CCPA and the newer state consumer-privacy acts are the most direct levers, alongside proposals to regulate data brokers federally.
Cross-references
Cost / Per record → Why $160 per record cannot be multiplied across a 2.9B-row breach: amortisation at scale.
Case / 23andMe 2023 → The other breach that ended in bankruptcy: credential stuffing, $30M settlement.
Cost / Credit monitoring → The dominant liability in a PII breach: $10-$30 per person per year.
Regulation / CCPA → State privacy enforcement: the most direct lever on data brokers.
Cost / Class action → Why bankrupt defendants pay class members a fraction of the headline claim.
Index / All breach cases → Verified mega-breach case studies.
Primary source: National Public Data breach data from KrebsOnSecurity (NationalPublicData.com Hack Exposes a Nation's Data, August 2024), Troy Hunt / Have I Been Pwned analysis, court filings in Hofmann v. Jerico Pictures, Inc. (S.D. Fla., filed 1 August 2024), and bankruptcy reporting (TechCrunch, The Record, October 2024). Record-versus-person de-duplication figures (272M unique SSNs, ~134M unique emails) per KrebsOnSecurity and Troy Hunt.