US data broker declares bankruptcy after data leak

The purloined data was reportedly put on sale last spring. (Source: IMAGO / Depositphotos)

Earlier this year personal data belonging to “hundreds of millions” of people was stolen from US data broker National Public Data. The company admitted to the scope of the theft in a bankruptcy filing. Several outlets are reporting on the story.

National Public Data is a company based in Florida that conducts background checks. Its clients include employers seeking to investigate potential new hires.

In August the company confirmed that it had been the victim of a data breach. An announcement on National Public Data’s website stated that “a third-party bad actor” attacked the company’s database in December 2023. In “April and summer 2024,” data was stolen from the database.

Social Security numbers stolen

National Public Data had at first indicated that the stolen data included names, addresses, email addresses, telephone numbers and Social Security numbers. It remained unclear, however, how many people had been affected by the theft. In its announcement, the company gave no information as to the scale of the breach – while in a data breach notification submitted to the Maine attorney general’s office, the company claimed that 1.3 million people were affected.

Now, however, in its bankruptcy filing, National Public Data’s parent company Jerico Pictures admits that there are “hundreds of millions of potentially impacted individuals.” According to the news site TechCrunch, security experts estimate the number of stolen Social Security numbers to be around 270 million.

Of all the information stolen, the Social Security numbers are considered especially sensitive, because they can be used as proof of identity – meaning criminals could potentially use the information to commit identity theft. The Social Security Administration warns that each year, millions of US citizens are victims of identity theft. Criminals can also use Social Security numbers to gather information about potential victims.

The cybersecurity site BleepingComputer reported in August that the stolen data had been put up for sale on a “hacking forum.”

Investigations and class action lawsuits

According to court documents, the company filed for bankruptcy because the Federal Trade Commission (FTC) and more than 20 states are currently investigating the breach and could potentially impose fines. Individuals impacted by the data breach have also filed lawsuits; “more than a dozen” class action lawsuits have already been filed. National Public Data “cannot generate sufficient revenue to address the extensive potential liabilities, not to mention defend the lawsuits and support the investigations.” The company worked primarily with institutional clients – and was run by its owner from his home office.

According to TechCrunch, after the bankruptcy filing, it’s unlikely that people impacted by the data theft will receive compensation.

In the announcement on its website concerning the data breach, National Public Data now claims to have stopped its data brokering activities entirely: “We have opted out ALL personal data and are not selling your personal information through our services.”

Call for regulation

Lena Cohen of the Electronic Frontier Foundation (EFF), a civil liberties group, told the news site The Register that the case shows how important data privacy laws are. “The data broker industry is the wild west of unregulated surveillance,” said Cohen. Companies are making billions of dollars per year selling personal data. “Without strong privacy legislation,” data brokers will not sufficiently protect that data.

Cliff Steinhauer of the National Cybersecurity Alliance told CBS News in August that companies like National Public Data were able to collect and sell data “because there’s no national privacy law in the US – there is no law against them collecting this data against our consent.”

The FTC has taken action against data brokers before, even prohibiting some from selling data – in these cases, however, the prohibition applies only to location data. (js)