
Essential Lessons Businesses Should Learn From The NPD Breach
Cybersecurity incidents are growing in scale as the volume of sensitive personal data held online increases. One of the clearest examples of this is the 2024 breach of National Public Data (NPD), which exposed almost three billion records, making it one of the largest data breaches in history.
NPD may have been a particularly tempting target because, as a data broker, it would be expected to have large amounts of sensitive information on hand. However, the lessons extend far beyond that sector. Any business that collects, stores or processes sensitive personal data faces comparable risks and consequences if that data is inadequately protected. The NPD breach serves as a critical case study in what can go wrong and what every organization should do to avoid being the next victim.
What Happened In The NPD Breach?

NPD was a Florida-based data broker operated by Jerico Pictures, Inc. The company aggregated personal information from public sources, including criminal records, court filings and property transactions, before packaging and selling it on. Its clients typically included background check providers, private investigators and HR departments.
As a result, NPD held a huge volume of highly sensitive personal data. What’s more, because of the nature of its business model, this information related to individuals who had never directly interacted with the company – meaning the impact went far beyond the firm’s direct customers.
In December 2023, an unauthorized third party gained access to NPD’s systems. By April 2024, a group known as USDoD was offering a database of 2.9 billion records for sale on a dark web forum for $3.5 million. The stolen data affected an estimated 170 million individuals across the US, UK and Canada.
Among the sensitive information exfiltrated from the business and offered for sale were:
- Full names
- Current and past addresses
- Social Security numbers
- Dates of birth
- Telephone numbers
- Email addresses
Although the breach occurred in 2023 and the data was first offered for sale in April 2024, NPD did not publicly acknowledge the incident until August – by which time the full dataset had been leaked for free and compensation claims were already being filed.
A Timeline Of The NPD Breach
The NPD breach unfolded over several months, showing how a security incident can escalate from a quiet intrusion into a major legal and financial crisis. It also shows how the fallout from a breach rarely ends with the initial attack. It often continues through public exposure, delayed disclosure, lawsuits and long-term financial consequences.
- December 2023: Unauthorized access is gained to NPD systems and data begins to be exfiltrated.
- April 8th, 2024: USDoD lists the stolen database for sale on a dark web forum for $3.5 million.
- July 2024: 2.9 billion records are leaked publicly online.
- August 1st, 2024: A class action lawsuit is filed against Jerico Pictures after a victim discovers their data on the dark web via an identity theft protection service.
- August 12th, 2024: NPD publicly confirms the breach for the first time.
- October 2nd, 2024: Jerico Pictures files for Chapter 11 bankruptcy citing over a dozen active lawsuits.
- December 2024: NPD shuts down entirely.
The Consequences Of Poor Data Security
The NPD breach was not the result of a particularly sophisticated attack. It was enabled by a series of fundamental security failures that left the organization vulnerable. For instance, a sister website, RecordsCheck.net, hosted a publicly accessible file containing plaintext administrator credentials, effectively handing attackers the keys to NPD’s systems.
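A check a team could run against its own web root before deployment to catch this class of mistake is sketched below. It is an added example, not code from NPD or from the original article; the file names, key names, extension list and sample values are all constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed list of file types that tend to hold configuration or backups.
RISKY_SUFFIXES = {".bak", ".old", ".sql", ".env", ".txt", ".ini", ".conf", ".config"}

# key = value or key: value pairs whose key name suggests a secret.
SECRET_RE = re.compile(
    r"""(?<![a-z0-9])(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)
        \s*[:=]\s*["']?([^\s"'<>]{4,})""", re.I | re.X)

# Values that are vault/env references or password hashes, not plaintext.
SAFE_VALUE_RE = re.compile(r"^(\$\{.+\}|\$2[aby]\$.+|\$argon2.+)$")

def scan_web_root(root):
    """Return (relative_path, line_no, key) for each plaintext secret found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        # Path(".env").suffix is empty, so fall back to the file name.
        kind = (path.suffix or path.name).lower()
        if not path.is_file() or kind not in RISKY_SUFFIXES:
            continue
        lines = path.read_text(errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            for m in SECRET_RE.finditer(line):
                if not SAFE_VALUE_RE.match(m.group(2)):
                    rel = path.relative_to(root).as_posix()
                    findings.append((rel, no, m.group(1).lower()))
    return findings

def build_sample_root(root):
    """Constructed sample files; every name and value here is made up."""
    root = Path(root)
    (root / "backup").mkdir()
    (root / "index.html").write_text("<h1>Records search</h1>\n")
    (root / "backup" / "site.conf.bak").write_text(
        "db_user = admin\ndb_password = Example-Passw0rd!\n")
    (root / ".env").write_text(
        "API_KEY=${VAULT_API_KEY}\nADMIN_PWD: hunter2-example\n")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_web_root(build_sample_root(tmp))

if __name__ == "__main__":
    for rel, no, key in demo():
        print(f"{rel}:{no}: plaintext value for '{key}' in a served file")
```

Run as a pre-deployment gate, a non-empty result should fail the release; the reference `${VAULT_API_KEY}` is deliberately not reported because it names a secret rather than containing one.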
Sensitive data was stored without encryption, meaning that once accessed, it was immediately usable. There was also no meaningful capability to detect or block the large-scale exfiltration of data that followed the intrusion.
The consequences were catastrophic. Tens of millions of individuals were left exposed to identity theft and fraud, in many cases without ever knowing NPD held their data. The resulting lawsuits also proved devastating to the business. Within months of the breach becoming public, parent company Jerico Pictures had filed for bankruptcy and NPD had ceased operations entirely.
Key Takeaways For Businesses From The NPD Breach
The NPD breach shows how serious the consequences of basic security failures can be when large volumes of sensitive personal data are involved. It also highlights how poor communication after an incident can deepen reputational damage, regulatory scrutiny and legal exposure. For businesses handling personally identifiable information, there are clear lessons: weak controls and a delayed response can turn a breach into a long-term crisis.
To avoid a similar incident, enterprises should focus on the following key steps:
- Audit what data is held and why: Minimize the personal data that is collected and retained, which reduces exposure in the event of a breach.
- Enforce strong credential policies: All administrative credentials must be strong, unique and securely stored, with no use of default or plaintext passwords.
- Encrypt sensitive data at rest: Unencrypted data gives attackers everything they need the moment they gain access.
- Invest in exfiltration detection: The ability to identify and block unusual outbound data movement is essential.
- Disclose promptly and transparently: Delayed notification worsens legal exposure and destroys customer trust.
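To make the exfiltration detection step concrete, the added example below (not from the original article or any vendor product) flags a host whose daily outbound volume jumps far above its own history. The flow records, host names, dates, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

MB = 2**20

def daily_outbound(flows):
    """Sum outbound bytes per host per day from (day, host, dest, bytes) rows."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dest, nbytes in flows:
        totals[host][day] += nbytes
    return totals

def flag_exfil(flows, min_history=5, k=6.0, floor=500 * MB):
    """Return (host, day, bytes) where a day's outbound volume exceeds both an
    absolute floor and median + k * MAD of that host's earlier days."""
    alerts = []
    for host, per_day in daily_outbound(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough baseline to judge this host yet
            med = median(history)
            # Median absolute deviation: robust to one earlier spike.
            mad = median(abs(v - med) for v in history) or 1
            if per_day[day] > max(floor, med + k * mad):
                alerts.append((host, day, per_day[day]))
    return alerts

# Constructed sample: db01 normally sends ~45 MB/day, web01 ~2 GB/day.
SAMPLE_FLOWS = (
    [(f"2024-01-{d:02d}", "db01", "10.0.0.5", (40 + d) * MB)
     for d in range(1, 8)]
    + [(f"2024-01-{d:02d}", "web01", "203.0.113.9", (2000 + 10 * d) * MB)
       for d in range(1, 9)]
    + [("2024-01-08", "db01", "198.51.100.7", 9000 * MB)]
)

if __name__ == "__main__":
    for host, day, nbytes in flag_exfil(SAMPLE_FLOWS):
        print(f"{day} {host}: {nbytes // MB} MB outbound, far above baseline")
```

The busy web server is not flagged because the comparison is against each host's own baseline, while the database server's 9,000 MB day is.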
No technology stack is impenetrable, but a defense-in-depth approach that combines robust security tools, strong internal policies and a tested data breach response plan gives businesses the best possible chance of containing damage when an incident occurs.
Frequently Asked Questions About The NPD Breach
What type of personal information was leaked in the NPD breach?
The breach exposed full names, current and past addresses, Social Security numbers, dates of birth and telephone numbers – all highly sensitive data with significant potential for identity theft, fraud and financial crime.
How did hackers gain access to National Public Data systems?
Attackers exploited plaintext administrator credentials stored in a publicly accessible file on a sister website. This basic security failure gave the USDoD cybercriminal group unauthorized access to NPD’s systems from December 2023 onward.
How many people were affected by the NPD breach?
The breach exposed 2.9 billion records, affecting an estimated 170 million unique individuals across the US, UK and Canada. Many victims had no prior knowledge that NPD held their personal data.
What risks do individuals face after a breach like the NPD incident?
Exposed Social Security numbers and personal details create significant risks of identity theft, fraudulent account creation, financial fraud and phishing attacks. Given the permanent nature of the compromised data, these dangers persist indefinitely.
What steps should businesses take, and what lessons should they learn, from the NPD breach?
Audit data holdings, enforce strong credential policies, encrypt sensitive data at rest, invest in exfiltration detection tools and ensure a tested data breach response plan is in place before an incident occurs.