National Public Data SSN breach
A breach of data broker National Public Data (Jerico Pictures) exposed a database of roughly 2.9 billion records containing names, Social Security numbers, dates of birth, and addresses scraped from public and non-public sources, triggering a wave of lawsuits and the company's bankruptcy.
- Victim
- National Public Data (Jerico Pictures, Inc.)
- records
- 2.90B
In August 2024, the obscure background-check data broker National Public Data β operated by the Florida company Jerico Pictures, Inc. β confirmed that a stolen copy of its master database had been leaked. The database held roughly 2.9 billion records containing names, Social Security numbers, dates of birth, and current and past addresses, much of it aggregated without the knowledge or consent of the people described. It became one of the largest and most widely-circulated exposures of U.S. Social Security numbers ever recorded.
What happened
National Public Data scraped and aggregated personal information from public records, court filings, and commercial sources, then resold it to background-check sites, investigators, and other data buyers. According to the company's own statement, a malicious actor gained access to its systems as early as December 2023.
On 8 April 2024, a threat actor using the handle USDoD advertised a dataset labelled "National Public Data" on the Breached cybercrime forum, claiming 2.9 billion records and demanding $3.5 million. Over the following months portions circulated among criminals, and by August 2024 a near-complete copy β roughly 2.7 billion rows in a multi-gigabyte text dump β was posted for free, making the records available to anyone.
Impact
- The leaked corpus contained an estimated 2.9 billion records, although the number of distinct individuals is far lower because the file contained many duplicate and historical address entries. Independent analysis (Troy Hunt) found large volumes of records and confirmed real Social Security numbers, while cautioning that the "3 billion people" framing was misleading.
- Exposed fields included names, Social Security numbers, dates of birth, and current and prior addresses; some records also carried phone numbers.
- Because the data was harvested rather than volunteered, many affected people had never heard of National Public Data, complicating notification and remediation.
- More than a dozen class-action lawsuits and numerous state attorney-general inquiries followed.
Aftermath
Facing potential liability for credit monitoring across hundreds of millions of people, Jerico Pictures, Inc. filed for Chapter 11 bankruptcy on 2 October 2024, and National Public Data wound down operations by the end of the year. The company never paid the advertised ransom; by the time it confirmed the breach, the data was already public.
Why it matters
The National Public Data breach is the canonical case for the systemic risk of unregulated data brokers. The most sensitive identifiers in American life β Social Security numbers that cannot be reissued at will β were aggregated by a company most victims had never interacted with, secured poorly, stolen, and ultimately given away for free. It intensified U.S. policy debate over data-broker oversight (including the CFPB's proposed rulemaking) and underscored that an individual's exposure no longer depends on their own security hygiene, but on every third party that has quietly collected their records.
Financial impact
Reported costs in USD
Timeline
A malicious actor first gains unauthorized access to National Public Data's systems, according to the company's later statement.
The threat actor 'USDoD' advertises a database labelled 'National Public Data' for sale on the Breached cybercrime forum, claiming 2.9 billion records and asking $3.5 million.
Class-action lawsuits are filed after security researchers begin confirming the authenticity of samples; the data is referenced in a complaint filed in Florida.
A near-complete copy of the database (about 2.7 billion rows) is leaked for free on cybercrime forums, making the records widely available.
National Public Data publicly confirms the breach and posts a notice acknowledging the exposure of names, Social Security numbers, addresses, and dates of birth.
Jerico Pictures, Inc., the Florida company operating National Public Data, files for Chapter 11 bankruptcy, citing liability for credit monitoring of hundreds of millions of people.
National Public Data ceases operations; its website goes offline as litigation and state attorney-general inquiries continue.
Sources
- en.wikipedia.orghttps://en.wikipedia.org/wiki/2024_National_Public_Data_breach
- prnewswire.comhttps://www.prnewswire.com/news-releases/privacy-alert-national-public-data-under-investigation-for-data-breach-of-over-2-9-billion-records-302220370.html
- support.microsoft.comhttps://support.microsoft.com/en-us/defender/national-public-data-breach-what-you-need-to-know
- troyhunt.comhttps://www.troyhunt.com/inside-the-3-billion-people-national-public-data-breach/