We talked about this breach when it became public knowledge on August 12, 2024. (https://actsmartit.com/data-breach-national-public-data/) The breach occurred in December 2023 and exposed approximately 2.9 billion records.

Last Wednesday, The Register reported that the massive data leaker National Public Data, aka “NPD”, the organization that collected personal data on pretty much everyone, only to have that collected data stolen, sold on the dark web, and finally released publicly, has, not surprisingly, filed for bankruptcy.

The Register writes:
The Florida business behind the data brokerage National Public Data has filed for bankruptcy, admitting “hundreds of millions” of people were potentially affected in one of the largest information leaks of the year. [To recap] Last June, the hacking group USDoD put a 277.1 GB file of data online that contained information on about 2.9 billion individuals and asked $3.5 million for it. The data came from National Public Data, a data brokerage owned by Jerico Pictures, which offered background checks to corporate clients via its API. NPD confirmed it had been hacked in an attack on December 2023 and initially said just 1.3 million people had lost personal details, such as “name, email address, phone number, social security number, and mailing address(es).” But in the court documents filed for bankruptcy, the business concedes the total is much higher.

The bankruptcy petition from Jerico Pictures states: “The debtor is likely liable through the application of various state laws to notify and pay for credit monitoring for hundreds of millions of potentially impacted individuals. As the enterprise cannot generate sufficient revenue to address the extensive potential liabilities, not to mention defend the lawsuits and support the investigations. The debtor’s insurance has declined coverage.”

According to the filing, the organization is facing more than a dozen class-action lawsuits over the data loss and potential “regulatory challenges” from the FTC and more than 20 US states. Any plaintiffs will have a hard time getting any money out of Jerico since the documents state the business has very limited physical assets.

In the accounting document, the sole owner and operator, Salvatore Verini, Jr, operated the business out of his home using two HP Pavilion desktop computers, valued at $200 each, a ThinkPad laptop estimated to be worth $100, and five Dell servers worth an estimated $2,000.

It lists $33,105 in a corporate checking account in New York as its assets, although the business pulled in $1,152,726 in the last fiscal year, and estimates its total assets are between $25,000 and $75,000 in total. It also lists 27 Internet domains with a value of $25 each. These include the corporate website, now defunct, as well as a host of other URLs including criminalscreen.com and RecordsCheck.net.

So once again, we see that legislation is running far behind the consequences of technology.
At some point it’s going to become clear that the aggregation of large quantities of personal data, along with its merging into comprehensive profiles, itself presents an inherent danger. But today there is no regulation covering this. Anyone who wishes to can amass such data and create a latent data bomb. On the one hand, it’s free enterprise and capitalism, which no one wants to stifle. But allowing a fly-by-night operation of this sort to do this is clearly a big problem. The solution may be to require any such information aggregator to post a substantial bond, plus have a verifiably effective insurance policy in place to cover the losses and lawsuits that would follow any breach of responsibility. This would nicely serve to “privatize” the risk, so that the investors who would be required to create and post the bond, and the insurance company that would be collecting premiums and be on the hook for losses, would be motivated to ensure that the enterprise’s IT staff, procedures, and security are adequate to protect their investment.

I think it’s time that the US follows the lead of the European Union and its GDPR legislation in order to help protect its citizens.

https://www.theregister.com/2024/10/09/national_public_data_bankrupt/
