News: 1728502215

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

National Public Data files for bankruptcy, admits 'hundreds of millions' potentially affected

(2024/10/09)


The Florida business behind data brokerage National Public Data has filed for bankruptcy, admitting "hundreds of millions" of people were potentially affected in one of the largest information leaks of the year.

In June, the hacking group USDoD put a [1]277.1 GB file of data online that contained information on about 2.9 billion individuals, and asked $3.5 million for it. The data came from National Public Data - a data brokerage owned by Jerico Pictures - which offered background checks to corporate clients via its API.

NPD [2]confirmed it had been hacked in an attack on December 2023 and initially said just [3]1.3 million people had lost personal details, such as "name, email address, phone number, social security number, and mailing address(es)." But in the court documents filed for bankruptcy, the business concedes the total is much higher.

[4]

"The debtor is likely liable through the application of various state laws to notify and pay for credit monitoring for hundreds of millions of potentially impacted individuals," the [5]bankruptcy petition [PDF] from Jerico Pictures states.

[6]

[7]

"As the debtor’s schedules indicate, the enterprise cannot generate sufficient revenue to address the extensive potential liabilities, not to mention defend the lawsuits and support the investigations. The debtor’s insurance has declined coverage."

[8]National Public Data tells officials 'only' 1.3M people affected by intrusion

[9]That cyber-heist of 2.9B personal records? There's a class-action lawsuit looming for that

[10]Crooks threaten to leak 3B personal records 'stolen from background check firm'

[11]TransUnion reckons big dump of stolen customer data came from someone else

According to the filing, the organization is facing more than a dozen class-action lawsuits over the data loss and potential "regulatory challenges" from the FTC and more than 20 US states. Any plaintiffs will have a hard time getting any money out of Jerico, however, since the documents state the business has very limited physical assets.

In the [12]accounting document [PDF], the sole owner and operator, Salvatore Verini, Jr, operated the business out of his home office using two HP Pavilion desktop computers, valued at $200 each, a ThinkPad laptop estimated to be worth $100, and five Dell servers worth an estimated $2,000.

It lists $33,105 in a corporate checking account in New York as its assets, although the business pulled in $1,152,726 in the last financial year, and estimates its total assets are between $25,000 and $75,000 in total.

[13]

It also lists 27 domains with a value of $25 apiece. These include the corporate website - now defunct - as well as a host of other URLs including criminalscreen.com, RecordsCheck.net, and asseeninporn.com.

This isn't the first time a data brokerage has been hacked and it won't be the last, we're told.

The National Public Data incident shows the need for clear state and local laws on data privacy Lena Cohen, staff technologist for the EFF, told The Register . "The data broker industry is the wild west of unregulated surveillance," she said. "It's a vast, interconnected, opaque industry with 100s of companies people have never heard of making billions of dollars per year. Without strong privacy legislation individuals face an uphill battle sorting things out in cases like this."

[14]

Without strong privacy laws, companies in the sector have every incentive to collect as much personal data as possible and very little to actually protect it, she commented. These would be useful on a federal level but even those states with privacy laws in statute books have difficulty enforcing them.

There was no comment from Mr. Verini at the time of publication. ®

Editor's note: This story was amended post-publication with comment from the EFF.

Get our [15]Tech Resources



[1] https://www.theregister.com/2024/08/05/national_public_data_lawsuit/

[2] https://www.theregister.com/2024/08/05/national_public_data_lawsuit/

[3] https://www.theregister.com/2024/08/19/national_public_data_breach/

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zwb9BlPLBgOPLAjC-o4JlQAAAEE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[5] https://regmedia.co.uk/2024/10/09/npd.pdf

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zwb9BlPLBgOPLAjC-o4JlQAAAEE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zwb9BlPLBgOPLAjC-o4JlQAAAEE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2024/08/19/national_public_data_breach/

[9] https://www.theregister.com/2024/08/05/national_public_data_lawsuit/

[10] https://www.theregister.com/2024/06/03/usdod_data_dump/

[11] https://www.theregister.com/2023/09/21/transunion_data_dump/

[12] https://regmedia.co.uk/2024/10/09/npd2.pdf

[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zwb9BlPLBgOPLAjC-o4JlQAAAEE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[14] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zwb9BlPLBgOPLAjC-o4JlQAAAEE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[15] https://whitepapers.theregister.com/



Bankruptcy shouldn't be an escape clause for accountability

Anonymous Coward

In this case it would only matter for the first few people in line before the owners assets were depleted, but accountability for business related misbehavior should be harder to escape than student loan debt, not easier. That should especially apply to the big boys too.

Also the free credit reporting thing should also be criminal offense. It's cheap, useless, bordering on a scam itself, and the companies selling it spend most of their take lobbying congress. Should be banned like Ponzi schemes and pyramid scams.

Re: Bankruptcy shouldn't be an escape clause for accountability

Doctor Syntax

Time was people could be banged up for debt until they cleared it. Perhaps there's an argument for in in particularly egregious cases.

Blood / Pound of flesh

Anonymous Coward

Some people would accept blood or a pound of flesh as payment, if not enough money is provided.

Anon, obvious

Doctor Syntax

"The debtor’s insurance has declined coverage."

Standard operating procedure.

It isn't an optical illusion. It just looks like one.