National Public Data Breach: How 2.9 Billion Records Were Exposed

In August 2024, National Public Data (NPD), a major data broker specializing in background checks and personal record aggregation, suffered one of the largest data breaches in history. Cybercriminals stole and leaked 2.9 billion records, exposing Social Security numbers, addresses, phone numbers, and other personal details. The massive breach led to multiple lawsuits, regulatory investigations, and ultimately, NPD’s bankruptcy.

This incident highlights the significant risks posed by data brokers, whose extensive databases make them prime targets for cybercriminals. With identity theft, fraud, and cybercrime on the rise, this breach underscores the urgent need for stronger data security policies.

Inside the National Public Data Breach

How the Attack Unfolded

Investigations revealed that the breach began in December 2023 when hackers infiltrated NPD’s servers. However, the company failed to detect the intrusion for months, allowing attackers to collect and exfiltrate massive amounts of personal data.

The breach first became public in April 2024, when a hacker known as “USDoD” listed the stolen data on dark web forums for $3.5 million. Despite early warnings, NPD did not confirm the breach until August 2024, after cybersecurity researchers and law enforcement linked the leaked records back to the company.

What Data Was Compromised?

The stolen database contained:

• Full names and residential addresses
• Social Security numbers (272 million unique SSNs)
• Phone numbers (600 million unique entries)
• Dates of birth and email addresses
• Employment history and credit risk scores

The exposure of such sensitive information significantly increases the risk of identity theft, fraud, phishing scams, and financial crimes.

National Public Data’s Response & Bankruptcy

After confirming the breach in August 2024, NPD announced that they were cooperating with law enforcement to track down the attackers, notifying affected individuals, and offering free credit monitoring services. New cybersecurity measures were being implemented to prevent future breaches.

However, this response was too little, too late. By October 2024, over a dozen class-action lawsuits had been filed against NPD, and regulatory investigations were launched by the Federal Trade Commission (FTC) and more than 20 U.S. states. With mounting legal costs and a tarnished reputation, NPD’s parent company, Jerico Pictures, Inc., filed for Chapter 11 bankruptcy on October 2, 2024. By December 2024, NPD had officially shut down.

Arrest of the Hacker Behind the Breach

In a surprising turn of events, Brazilian Federal Police arrested “USDoD,” the hacker responsible for the breach, in October 2024. The arrest highlighted international law enforcement cooperation but did little to undo the damage caused by the leak.

The Fallout: Lessons Learned

This breach serves as a critical warning for data brokers, corporations, and individuals alike. Key takeaways include:

• For Businesses & Data Brokers: Implement stronger security controls, improve threat detection with real-time monitoring and AI-driven tools, and act swiftly to inform affected users.
• For Individuals: Regularly check if your data was leaked using services like Have I Been Pwned, freeze your credit, and be vigilant against phishing scams.

Final Thoughts: Why Stronger Data Privacy Laws Are Needed

The National Public Data breach exposes a fundamental flaw in the data brokerage industry—massive amounts of personal information are being collected and stored with minimal oversight or security protections. Without stronger data privacy laws, breaches like this will continue to occur, putting millions at risk of fraud and identity theft.

Protect Your Personal Data with Nexanet

Cybercriminals are constantly exploiting stolen personal data. Nexanet provides real-time dark web monitoring, identity protection, and cybersecurity solutions to help individuals and businesses stay secure.