National Public Data, the Hacked Data Broker That Lost Millions of Social Security Numbers and More, Files For Bankruptcy (techcrunch.com)
- Reference: 0175250361
- News link: https://it.slashdot.org/story/24/10/14/1657230/national-public-data-the-hacked-data-broker-that-lost-millions-of-social-security-numbers-and-more-files-for-bankruptcy
- Source link: https://techcrunch.com/2024/10/14/national-public-data-the-hacked-data-broker-that-lost-millions-of-social-security-numbers-and-more-files-for-bankruptcy/
> A Florida data broker that [1]lost hundreds of millions of Social Security numbers and other personally identifiable information in a data breach earlier this year, has [2]filed for Chapter 11 bankruptcy protection as the company faces a wave of litigation.
>
> Jericho Pictures, the parent company of the hacked data broker National Public Data, told a Florida bankruptcy court that it was unlikely to be able to repay its debtors or address its anticipated liabilities and class-action lawsuits, including paying "for credit monitoring for hundreds of millions of potentially impacted individuals." In its initial filing, Jericho Pictures' owner, Salvatore Verini, said the company "faces substantial uncertainty facing regulatory challenges by the Federal Trade Commission and more than 20 states with civil penalties for data breaches."
[1] https://yro.slashdot.org/story/24/08/17/0024202/national-public-data-confirms-breach-exposing-social-security-numbers
[2] https://techcrunch.com/2024/10/14/national-public-data-the-hacked-data-broker-that-lost-millions-of-social-security-numbers-and-more-files-for-bankruptcy/
They can sell their assets in bankruptcy (Score:3)
Assets like your social security number.
Re: (Score:3, Funny)
Good luck to them getting anyone to pay for it when earlier they were just giving it away for free!
Re: (Score:2)
hundreds of millions of them
so pretty much everybody
Re: (Score:2)
I signed up for Aura identity services after this incident. They annually request all data brokers to purge any information they have on you.
Re: (Score:3)
I don't care where my private data leaks from, it's still an issue. I would like to it's that when the government does so that they can't be sued out of existence for incompetence and that any payouts they make ultimately come out of my pocket anyway.
Incompetent companies eventually go out of business. Incompetent government agencies just get bigger budgets.
Re: (Score:3)
Let me ask you this question in a few after this company deals with c11 protections and resumes selling your info again, and the parent company gets scot-free.
Re:Good thing this was private industry (Score:4, Informative)
Truth. Privatize the profits and socialize the losses.
DEI is played out so now that it's peak hurricane season FEMA is the new boogeyman. Imagine the headlines if Biden said fuck Florida, you ain't getting shit. [1]https://www.politico.com/news/... [politico.com]
[1] https://www.politico.com/news/2024/10/03/helene-trump-politics-natural-disaster-00182419
Re: (Score:2)
I'd guess a huge number of retired Ds in Florida would never vote D again (admittedly they're retired but 20 years of no "D" votes would do the D party in). So, yeah, bring it on.
Credit monitoring? (Score:4, Insightful)
Does anyone actually believe credit monitoring is worth a damn? It's like carbon credits for data breaches. Besides, everyone already has credit monitoring from the last 6 breaches.
Data mills... (Score:5, Insightful)
"According to the bankruptcy filings, Verini valued the company's stolen database of Social Security numbers at $1 million. The filing also lists several other databases the company maintains as assets, but did not provide corresponding valuations. Those datasets pertain to individuals licensed by the Drug Enforcement Administration to write prescriptions for controlled substances; those with permits to carry concealed weapons; and banks of data containing public records, such as marriages, divorces, bankruptcy filings, and international financial sanctions; among others."
I'm wondering if this is a case where piercing the corporate veil would be appropriate. The guy running the business is using corporate bankruptcy as a way of dodging the liabilities he accrued while running this data mill. There's no guarantee that he won't do the exact same things with those "assets" (the information of private citizens) as last time.
The question is this: can debtors in this instance go after his personal assets to satisfy the corporate debt, since arguably if he's unable to secure these databases, they're more liability than asset (he was unable to secure insurance after the breach), and thus the company is undercapitalized and he should not deserve the protection that a corporation normally would afford for liability.
Along those lines... regulation makes business more expensive, and creates a barrier to entry. While I hate the big (4) credit bureaus, I'm hard pressed to list any regulations that specifically mandate how they are supposed to handle personal information, and any punishments that might accrue for failure. Equifax is the most infamous one, and they didn't get a corporate death penalty. Instead they settled without admitting wrongdoing. Compare that to penalties for violating HIPAA regulations, which can include prison time.
[1]https://www.consumerfinance.go... [consumerfinance.gov]
But finally, we come to the crux of the matter: our systems should not be designed such that the breach of one of these data mills (or any business, including one of the big credit bureaus) should threaten individuals with the specter of identity theft. Medicare fraud, tax fraud, account takeovers - none of these would be possible save for the fact that we've failed to modernize these systems, or deliberately engineered backdoors in the name of convenience that can be abused.
And then we built incredibly shitty systems on top of that - for example, systems that mandate that you give them your mobile phone number so they can "verify" you. Now those same systems are vulnerable to the minimum wage clerk working at the local Verizon store, doing a sim swap number port of your phone number. Seriously, how stupid can you be to build a requirement like that into your system when NIST itself deprecated SMS as a 2FA channel back in 2016?
[2]https://www.schneier.com/blog/... [schneier.com]
Can we please name and shame all the companies that enforce the use of mobile phone numbers for 2FA without giving people the option to switch to hardware keys or TOTP tokens, so folks can make an informed choice to stop doing business with these ticking time bombs? Waiting for their cybersecurity insurers to jack up their premiums to force them to change clearly isn't working....
[1] https://www.consumerfinance.gov/about-us/newsroom/cfpb-ftc-states-announce-settlement-with-equifax-over-2017-data-breach/
[2] https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
Re: (Score:2)
The biggest problem we face in protection of PII is that SSNs are not protected with the same fervency as FTI. If you got them from somewhere other than the IRS, and you didn't get them as part of "tax info" then they are barely protected at all. Divulging SSNs needs to be taken with the same seriousness as divulging someone's whole ass tax return. Instead it's accepted and even expected.
SSN is not a secret (Score:3)
It's the industry's fault for abusing the SSN as key information for authorization. There should be a general law putting responsibility on any business using insecure way to protect privacy, not on the users. But they always scream: "it's bad for business". Well - too bad. Same for allowing abuse of 'no call'.
Re: (Score:2)
All for the need of a unique identifier. Something which American citizens get all up in arms about.
I might get modded down for this but:
It would really be nice if the State properly handled digital identification including both the public and private aspects of it. The State already handles property titles and deeds (to protect the owners of property in a capitalist system), birth and death certificates (to know who is in existence at a given time), and criminal records (to blacklist those who may be
If only... (Score:2)
Now if only all the other "Data Brokers" would go under....
Re: (Score:2)
Indeed. Bravo to whoever was behind this hack (and I say that as one of the millions whose info was in the compromise -- I've got a ton of debts, if anyone wants my identity, they can have it), and may they carry on until "Data Broker" is no longer a viable industry.
I wish it were possible to achieve this end without innocent people having to deal with account compromises and such, but it's the bed we've made, and now we have to lie in it. There's a cost to be paid for simultaneously treating the SSN as a
Cause a leak of this magnitude: (Score:2)
The corporate veil is pierced. Management gets prosecuted and goes to prison.
But a law like this would never see the light of day in the United States which is a corporate oligarchy/s
Sort of like a corporate death penalty. (Score:2)
Works for me, we need more of this for companies whose entire business model is secretly hoarding citizens' data and failing miserably to secure it.
And nothing of value was lost (Score:2)
I is one of those companies.
Re: (Score:3)
Unfortunately, the company isn't going out of business, just restructuring its debt.
Re: (Score:3)
and not even the parent company
Re: (Score:3, Insightful)
> Unfortunately, the company isn't going out of business, just restructuring its debt.
And, importantly to the owners, protecting their future revenue by substantially restricting claims against the company for their past failures. All pending lawsuits for the breach will now be suspended, and any future payouts are likely to be minimal.