Anatomy of a Breach: National Public Data — 2.9 Billion Records Including Social Security Numbers from a Data Broker You Never Heard Of

> series: anatomy_of_a_breach —— part: 188 —— target: national_public_data —— records: 2,900,000,000 —— data: ssns_addresses_dobs —— awareness: you_never_heard_of_them

Hedgehog Security 31 August 2024 13 min read

2.9 billion records. SSNs. From a company you never heard of. That had your data anyway.

In August 2024, a dataset of approximately 2.9 billion records was posted for free on a hacking forum, months after the same data had first been offered for sale there in April. It had been stolen from National Public Data (NPD), a Florida-based company operating in the background check and people-search industry. The leaked rows contained names, current and historical addresses, Social Security numbers, dates of birth, and phone numbers for hundreds of millions of individuals, primarily in the United States but also including records from the UK, Canada, and other countries.

NPD had acquired the data by scraping publicly available records, buying and aggregating data from multiple sources, and compiling comprehensive personal profiles, all without the knowledge or consent of the individuals concerned. Most affected individuals had never heard of National Public Data, had never interacted with the company, and had no idea it held their Social Security numbers. The breach exposed the fundamental privacy problem of the data broker industry: companies you have never heard of hold your most sensitive data, acquired without your consent, and secured to whatever standard they choose. Jerico Pictures Inc., the company that traded as National Public Data, filed for Chapter 11 bankruptcy in October 2024, citing the breach and the lawsuits that followed it.


Companies you never consented to deal with, holding data you never knew they had.

Invisible Data Holders
NPD held billions of records compiled without individual consent, and most affected people had never heard of the company. Under GDPR and UK data protection law, aggregating personal data at this scale without a lawful basis and without transparency to the data subjects would be unlawful. For UK organisations, GDPR compliance requires that processing is lawful and transparent; <a href="/cyber-essentials">Cyber Essentials</a> is a separate, complementary baseline covering the technical controls (firewalls, secure configuration, access control, malware protection, patching) that protect the data once you hold it.
2.9 Billion Records
The scale, 2.9 billion records, approached <a href="/blog/anatomy-of-a-breach-2016-year-review">Yahoo's three billion</a> compromised accounts (2013, disclosed 2016) and exceeded <a href="/blog/anatomy-of-a-breach-collection-1">Collection #1-5</a> (2.2 billion unique credentials, 2019). One caveat practitioners should keep in mind: the figure counts rows, not people. A single individual appears many times across historical addresses and duplicate source records, so the number of distinct people affected is far lower than 2.9 billion, though still in the hundreds of millions. Data brokers hold enormous aggregated datasets that, when breached, expose data at population scale.
Bankruptcy After Breach
The company behind NPD filed for bankruptcy following the breach, the same fate that later befell <a href="/blog/anatomy-of-a-breach-23andme">23andMe</a> after its 2023 breach. For smaller companies holding large datasets, a major breach can be an extinction event. For UK organisations, <a href="/cyber-essentials">Cyber Essentials</a> demonstrates the baseline security investment that reduces breach risk and regulatory exposure.
Data You Cannot Control
Individuals cannot control what data brokers hold about them, and cannot prevent breaches at companies they have never interacted with. The only systemic defence available to them is regulation: GDPR-style requirements for lawful basis, consent, and security standards for all data processors. What an organisation can do is detect exposure early: <a href="https://www.socinabox.co.uk/blog/what-is-the-dark-web-business-guide">Dark web monitoring</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> alerts when your organisation's data appears in breach datasets.

Data brokers hold the data. When they are breached, everyone is affected.

The NPD breach demonstrated the systemic risk of the data broker industry: companies holding population-scale data, acquired without consent, with security standards that may be inadequate, and whose breach affects hundreds of millions of people who never knew the company existed. For UK organisations that use background check services, data enrichment providers, or people-search tools, the security of those providers is part of your risk surface, and so is the personal data you send them. Cyber Essentials establishes the baseline technical controls on your own estate. Our penetration testing assesses the security of third-party data providers where the provider authorises the engagement, and of the integrations through which their data enters your systems. SOC in a Box monitors for credential and data exposure. And UK Cyber Defence provides incident response when third-party breaches affect your organisation.


2.9 billion records from a company most people never heard of. Do you know who holds your data?

<a href="/cyber-essentials">Cyber Essentials</a> establishes baseline technical controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for data exposure. <a href="/penetration-testing">Penetration testing</a> assesses provider and integration security.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call