The 2024 National Public Data (NPD) breach was a catastrophic cybersecurity incident that exposed sensitive personal information from an estimated 2.9 billion records. Beginning in December 2023, the breach saw data sold on the dark web from April 2024, affecting hundreds of millions of people in the US, UK, and Canada.
This guide details the incident and its implications, providing essential protection strategies.
When Public Data Becomes Dangerously Public
The 2024 National Public Data breach exposed more than just usernames and passwords. It has exposed the digital foundations of one's identity. Consider the implications: data that facilitates loan approvals, background checks, hiring decisions, and even real estate applications is at risk.
The silent threat behind big data companies
Most people have no idea companies like National Public Data even exist. That’s part of the problem.
NPD isn’t a consumer-facing brand. You’ve probably never used their website. But they’ve used you. These firms work in the shadows, scraping data from public records, government databases, financial filings, social media, and any opt-in form you've ever clicked without reading.
Once it's collected, your data becomes a product that's sold to marketers, lenders, recruiters, and, in the worst cases, cybercriminals. The 2024 National Public Data breach showed a vulnerability, but there were other issues, too. It revealed that a whole industry exists, built on the legal harvesting and resale of one's life story.
What Is National Public Data (NPD)?

The business of data brokering: How NPD collects and sells personal info
To understand the National Public Data breach, you first need to understand what NPD is and what it does.
National Public Data (NPD) is a private data broker based in Coral Springs, Florida, U.S. It was founded by Salvatore Verini Jr. NPD collected and sold info from public sources like criminal records, addresses, and employment history, offering services via XML integration to clients such as private investigators, HR departments, and staffing agencies. The sheer amount of personal data that NPD has collected has made it a big target for cybercriminals, creating a single point of failure with far-reaching consequences.
How does it work?
Let’s say you recently bought a house. That transaction, including your name, address, and the property value, becomes public record. NPD scrapes that. You filed for a business license? Took out a loan? Appeared in a court record? It's all there. Now multiply that by every adult in America.
Then they package and sell this info to clients like credit bureaus, insurance firms, background check services, telemarketers, and more. The legal situation is pretty complicated: the data is technically public, but most people don't agree to its large-scale sharing.
2024 National Public Data Breach: What Happened?
The 2024 National Public Data breach impacted an estimated 2.9 billion records, affecting millions of people across the US, UK, and Canada. Class-action lawsuits claimed it "likely affected almost everyone with a Social Security number".
Timeline: How the breach unfolded
The 2024 National Public Data breach didn't happen overnight, but to the public, it felt like it did. Here's what happened:
What was exposed and how much
The volume of data compromised in the 2024 National Public Data breach is striking: reportedly as many as 2.9 billion records.
While there might be some duplicates in that huge number, the number of unique people affected is still estimated to be in the hundreds of millions – up to 170 million people across the US, UK, and Canada.
Revealed records included:
- Full names and known aliases
- Dates of birth
- Current and previous addresses
- Phone numbers (personal and work-related)
- Employment and salary history
- Education background
- Political affiliations from voter records
- Partial Social Security numbers
- Criminal and civil case information
- Real estate holdings
The leak is considered one of the most damaging non-financial data breaches in U.S. history due to the depth and permanence of the data. It's a digital fingerprint, but one that's been plastered all over the dark web.
Who’s affected
The reach of this National Public Data breach is almost universal. If you’ve held a job, voted, paid taxes, bought property, or used credit in the past 15 years, odds are you may be in the breach. This wasn’t just about average consumers and everyday citizens; this also affected:
- Public figures and elected officials
- CEOs and startup founders
- Law enforcement personnel
- Teachers, doctors, and government employees
Identified Security Lapses and Contributing Factors
NPD attributed the breach to a "security lapse" starting December 2023. Investigations by KrebsOnSecurity suggested the vulnerability was on NPD's sister site, RecordCheck.net, which allegedly published an archive file ("members.zip") containing plaintext administrator passwords and source code.
This allowed attackers to use these credentials to access NPD's systems. This points to catastrophic failures in basic cybersecurity, such as:
- Lack of strong password policies
- Use of weak encryption standards for backup archives
- Unpatched vulnerabilities in NPD’s Apache servers
- A lack of two-factor authentication for internal admin dashboards
- Misconfigured cloud storage buckets with public access permissions
The incident also highlights a critical failure in third-party risk management, as a weakness in an affiliated entity led to a significant compromise.
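An added example (not from the original article or from NPD): a defender-side audit for the lapse described above, where an archive holding plaintext credentials sits in a directory the web server can serve. The regex heuristic, the size limit and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed heuristic: a secret-looking key followed by ':' or '=' and a value.
SECRET_RE = re.compile(
    rb"(?i)(pass(?:word|wd)?|pwd|secret|api[_-]?key)['\"]?\s*[:=]\s*['\"]?([^\s'\"]{4,})"
)
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # skip huge members instead of loading them


def scan_archive(path):
    """Return (member, key) pairs for credential-like lines; values are not echoed."""
    hits = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            if info.flag_bits & 0x1:  # encrypted member: cannot inspect, still report
                hits.append((info.filename, "<encrypted>"))
                continue
            for m in SECRET_RE.finditer(zf.read(info)):
                hits.append((info.filename, m.group(1).decode().lower()))
    return hits


def audit_webroot(root):
    """Map every zip under a served directory to its hits; any entry is a finding."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and zipfile.is_zipfile(path):
            report[str(path.relative_to(root))] = scan_archive(path)
    return report


def build_demo(root):
    """Constructed sample tree (not real data): one page and one stray archive."""
    (root / "index.html").write_text("<h1>site</h1>")
    with zipfile.ZipFile(root / "backup.zip", "w") as zf:
        zf.writestr("config.php", '$db_user = "admin";\n$db_password = "EXAMPLE-not-real";\n')
        zf.writestr("README.txt", "deployment notes\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_demo(Path(d))
        for archive, hits in audit_webroot(d).items():
            print(archive, hits)
```

An archive that appears in the report with no hits is still worth removing from the served directory, since it may expose source code.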
Legal Repercussions: The National Public Data Breach Class Action Lawsuits

Legal action against National Public Data
Soon after the breach was made public, law firms all over the US started filing class-action lawsuits on behalf of people who were affected. The plaintiffs allege:
- Failure to adequately secure billions of records of private information.
- Negligently storing databases in an unencrypted and unredacted manner, making them accessible to unauthorized individuals.
- Permitting hackers to steal sensitive private information belonging to millions of individuals.
- Breach of legal and equitable duties to protect Personally Identifiable Information (PII).
The core legal question: Can a company that legally gathers data still be held liable when it fails to secure it?
The plaintiffs sought various forms of compensation, including unspecified monetary payments for victims of data theft. In addition to financial redress, the lawsuits demanded that the court mandate NPD to:
- Destroy all personal information belonging to class members.
- Implement robust encryption and other data protection methods.
- Establish comprehensive information security programs and employee training.
- Engage third-party auditors and penetration testers to prevent future breaches.
Your rights if your data was compromised
If your data was part of the 2024 National Public Data breach, you have rights. While the specifics can vary by jurisdiction (US, UK, Canada), generally, these include:
- Right to notification: Companies are legally obligated to inform you if your data has been compromised.
- Right to seek damages: You may be entitled to compensation for actual financial losses, time spent mitigating the damage, and even emotional distress.
- Right to identity protection services: Many breach settlements include free credit monitoring, identity theft protection, and restoration services for a period of time.
- Right to data erasure/opt-out: While often difficult with data brokers, you may have the right to request your data be removed from their databases.
Related regulatory actions and fines
In addition to the private class-action lawsuits, the National Public Data breach prompted extensive regulatory scrutiny from the government across multiple jurisdictions.
- State attorneys general: The company's bankruptcy filing revealed that regulatory agencies, including attorneys general from almost all US states and various US territories, had either filed legal claims or were actively investigating the breach.
- Civil penalties: More than 20 states were reportedly levying civil penalties.
- Federal Trade Commission (FTC): The FTC was also mentioned as potentially issuing fines.
In a separate but related action, the California Privacy Protection Agency (CPPA) ordered Jerico Pictures, Inc., doing business as National Public Data, to pay a $46,000 fine on May 8, 2025.
- Reason for fine: This fine was imposed for NPD's failure to register as a data broker and pay an annual fee as mandated by California's Delete Act.
In short, the National Public Data breach is becoming a legal and regulatory flashpoint. Not just for NPD, but for every data broker working in the shadows of the internet.
Real Risks: What Hackers Can Do With Your Exposed Info

The aftermath of a data breach, particularly one as significant as the National Public Data breach, is about more than just statistics and lawsuits. It's about the very real, and often terrifying, consequences for individuals.
With the exposed information, hackers can:
- Steal your identity: Using your full name, birthdate, address, and employment info to open bank accounts, apply for loans, or claim benefits.
- Phish you smarter: They now know where you live, where you work, and even who you voted for. Expect sophisticated phishing emails that feel alarmingly personal.
- Spam and scam you relentlessly: Your phone number and email are now on dozens of lists. Expect robocalls, SMS fraud, and fake tech support attacks.
- Create synthetic identities: They combine real and fake data (yours and someone else’s) to build new people who borrow money they’ll never repay. Your data becomes the foundation for digital Frankenstein identities.
- Make unauthorized purchases: Existing accounts may be compromised, leading to unauthorized purchases.
- Tax and medical fraud: SSNs can be exploited for filing fraudulent tax returns or obtaining medical services in the victim's name.
- Put you and your family at risk: In extreme cases, exposed addresses and employment details can lead to stalking, burglary, or even political intimidation.
How leaked emails become long-term security threats
Your email address isn't just a way to send messages. When your email is leaked in a breach like the 2024 National Public Data breach, it becomes a perpetual vulnerability.
Why? Because email addresses are:
- The primary method for password resets on nearly every platform.
- Used to link your identity across social, banking, medical, and government accounts.
- Easy to spoof for impersonation attacks.
Once a hacker knows your email, they can monitor breach data from other leaks and wait. They’ll cross-reference you with password dumps, phishing records, and other data leaks until the door opens.
Compromised emails lead to:
- Account takeovers
- Blackmail using private conversations
- Access to cloud storage and sensitive documents
- Social engineering attacks on coworkers or family members
Business risks from data breaches are even higher, encompassing corporate espionage, severe reputation damage, and an inevitable loss of client trust.
Protect Yourself: What You Can Do Right Now
Breaches are commonplace today, but you're not powerless. Follow this guide to protect yourself before, during, and after a data breach.
Proactive measures
These steps are crucial for building a strong security posture before a breach occurs.
- Robust Password Practices: Use strong, unique passwords or passphrases for all online accounts, ideally generated and managed by a reputable password manager. Regularly update passwords.
- Enable Two-Factor Authentication (2FA): Activate two-factor authentication (or multi-factor authentication) on all accounts that offer it to add an essential layer of security beyond just a password.
- Credit Freezes: Consider placing a credit freeze with the major credit bureaus. This prevents new credit accounts from being opened in your name without explicit authorization, a powerful preventative measure against identity theft.
- Fraud Alerts: Place a fraud alert with the major credit bureaus, which requires businesses to verify your identity before extending credit.
- Limit Data Sharing: Be mindful of the personal information you share online and with third-party services. Understand privacy policies and opt out of data collection where possible.
Detection and immediate response (when a breach occurs)
These actions are essential for swiftly identifying and responding to potential or confirmed data compromises.
- Check Notifications: Did you receive an email or letter from a service provider informing you of a data breach? Be wary, though – phishing attempts often piggyback on major breaches. Always verify the source.
- Confirm Exposure: Use reliable tools like HaveIBeenPwned.com to check if your email address or phone number has appeared in any known data breaches.
- Monitor Financial Accounts: Continuously review all bank accounts, credit cards, and lines of credit for any suspicious or unauthorized transactions.
- Change Compromised Passwords: Immediately change passwords for any accounts linked to exposed email addresses or that you suspect may have been compromised.
- Beware of Phishing: Maintain extreme vigilance for phishing attempts delivered via email, text messages (smishing), and phone calls (vishing). Never share personal details with unknown contacts or click suspicious links in unexpected messages.
Long-term mitigation and recovery (after a breach)
These steps are for ongoing protection and recovery, especially when sensitive data like SSNs is compromised, leading to lifelong risks.
- Identity Theft Monitoring Services: Consider subscribing to identity theft monitoring services. Services like Microsoft Defender for Individuals (included with Microsoft 365 personal or family subscriptions) offer features like credit monitoring, expert recommendations, and restoration support, providing an automated layer of defense and guidance. Microsoft also offers a free identity scan using Microsoft Defender to check if your personal data is exposed on the dark web.
- Report Identity Theft: If you confirm identity theft, report it to the Federal Trade Commission (FTC) via IdentityTheft.gov. The FTC provides a personalized recovery plan.
- Contact Relevant Authorities: If your Social Security Number was compromised, contact the Social Security Administration (SSA) directly for guidance. File a police report if you suspect criminal activity, as this may be required to dispute fraudulent charges or accounts.
- Document Everything: Keep meticulous records of any suspicious activity and communications received, as well as all steps taken to resolve the situation. This documentation is crucial for reporting purposes and recovery efforts.
Why secure email matters
In almost every breach, the common denominator is compromised email. It’s the hub where attackers go first. If you’ve done everything above but still use a standard provider (yes, even Gmail or Yahoo), you're still exposed.
Your email must be your digital safe house. That’s where Atomic Mail is your premier choice.
Atomic Mail: Lock Down Your Inbox, Reclaim Your Privacy
Most email services weren’t built for the post-breach world. Atomic Mail was.
We designed every layer of our secure email platform with one question in mind:
What would email look like if it was built to withstand mass surveillance, data breaches, and modern cybercrime?
How Atomic Mail safeguards your communication
- End-to-end encryption for internal and external emails – your messages stay encrypted even if intercepted.
- Zero-access architecture – even we can’t read your inbox. That’s not a slogan, that’s a technical design.
- Email aliases – use different emails for different services or for better organization.
- Anonymous sign-up – no phone number, no invasive verification.
- Self-destructing messages – set emails to vanish after a timer ends.
Why users are switching from Gmail, Yahoo, and even Proton Mail
- Gmail users are frustrated with ads, data scanning, and no true end-to-end encryption.
- Yahoo has been historically breached multiple times. Trust is hard to rebuild.
- Proton Mail, while secure, lacks free aliases and easier onboarding, and some users opt for a cleaner, faster UX.
Atomic Mail is fast, intuitive, and brutal on threats. It’s not just about security, it’s about control.
Sign up now and secure your email today with Atomic Mail.