The National Public Data breach exposed 270 million users – now the company has filed for bankruptcy


Data broker National Public Data has filed for bankruptcy, claiming it cannot sustain the mounting financial and reputational damage associated with a major data breach it suffered in December 2023.

The background-checking service filed for bankruptcy in Florida under its parent company Jerico Pictures Inc, and explicitly cited the 2023 data breach as a direct contributor to its downfall.

NPD identified four key pressures that made recovering from the attack impossible. The first of these was class action lawsuits, of which NPD said there were already over a dozen at the time of filing.

Compounding this pressure were the ongoing investigations from law enforcement and data protection agencies, which it says were demanding a substantial amount of attention and resources to respond to. In the aftermath of the incident, many individuals had remarked they weren’t even aware their personal data had been collected by the organization.

NPD also referred to the reputational damage the breach had incurred, stating that the exposure caused by the incident had driven customers away.

Filings by the background-checking service stated that, under various state laws, NPD was likely obligated to notify affected individuals and provide them with credit monitoring services.

Ultimately, the company said it didn’t believe it had the substantial resources required to provide these services for those who had their PII leaked.

What happened in the National Public Data breach?

On 8 April 2024, the threat actor USDoD listed a 277.1 GB cache of data linked to 270 million people, 2.9 billion records in total, stolen from National Public Data (NPD) on the underground hacking forum Breached, offering access to the information for $3.5 million.

The stolen data was said to include social security numbers, full names, family information, as well as current and previous addresses.

USDoD, who acted as the middleman for the breach, was arrested by Brazilian authorities last week, but the threat actor responsible for stealing the data, referred to as ‘SXUL’, is still at large.

This marks potentially the most significant instance of an organization admitting it had been forced out of business as the direct result of a cyber attack, providing something of a cautionary tale for businesses around the world.

One similar case to that of NPD came in 2014, when cloud-hosting services company Code Spaces, which was making waves in the IaaS space, was hit with a crippling ransomware attack.

The firm was initially targeted with a DDoS attack, but shortly afterward threat actors were able to gain access to the company’s Amazon EC2 control system, and from there they wrought havoc.

After trying to investigate the issue, Code Spaces observed that the attacker had used their access to the control panel to partially or totally delete most of the organization’s data, backups, machine configurations, and offsite backups.

This proved to be a fatal blow for what was a very promising tech company, which had to shut down operations shortly after the attack, posting the following message to its website:

“As such at this point in time we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us.”

Solomon Klappholz
Staff Writer
