Facepalm: One of the biggest data breaches disclosed in 2024 is coming to an abrupt conclusion. A company that provided background checks to corporate clients is going out of business, overwhelmed by a surge of lawsuits and limited financial resources to weather the legal storm.
Jerico Pictures, the data brokerage company operating as National Public Data, recently filed for bankruptcy in the Southern District of Florida. The organization was compromised by a cybercriminal group known as "USDoD," which listed a massive trove of personal information for sale on the dark web at the discounted price of $3.5 million.
The hackers claim the 277.1 GB archive they are offering includes data from 2.9 billion records, featuring full names, current and past addresses, social security numbers, birthdates, and phone numbers. Jerico's NPD later confirmed the breach, stating that attempts to infiltrate its servers began in December 2023, with the attack ultimately succeeding in April 2024.
The USDoD hackers spent several months collecting this data, gathering around three billion records tied to individuals in the US, UK, and Canada. Initially, the data broker estimated that the breach affected only 1.3 million individuals, but acknowledged uncertainty about the actual figures as it continued to collaborate with law enforcement.
According to court documents, NPD now estimates that hundreds of millions of individuals have been "potentially" impacted by the breach. The company is currently facing over a dozen lawsuits, including various class actions and state-sponsored initiatives. With its insurance company refusing to get involved, NPD lacks the financial resources to address the lawsuits or the "extensive" potential liabilities they bring.
The Federal Trade Commission and more than 20 US states have also become involved, adding "regulatory challenges" to NPD's legal woes. In accounting documents submitted to the Florida bankruptcy court, Jerico Pictures listed its assets, which include $33,105 in a corporate bank account, two HP desktop PCs, an old ThinkPad laptop, and a few Dell servers.
The company's total value is estimated to be between $25,000 and $75,000, despite its reported revenue of $1,152,726 last year. Salvatore Verini, Jr., the sole owner and operator of NPD, was effectively running the company from his home office with minimal equipment and a handful of low-value domains. NPD's official website remains operational, still offering access to the "greatest level of public information retrieval available on the Internet" through its specialized API.
Lena Cohen of the Electronic Frontier Foundation stated that the NPD incident highlights the unregulated nature of the data brokerage industry. "It's a vast, interconnected, opaque industry with hundreds of companies people have never heard of making billions of dollars per year selling your personal data," Cohen said. She emphasized the need for stronger privacy legislation to protect individuals' data online.