Decipher File · Late 2023 breach, April 2024 public exposure

National Public Data 2024: 2.9 Billion Records Including SSNs Posted on Hacking Forums

The National Public Data incident is the cybersecurity data-broker case study that exposed how a single small company aggregated 2.9 billion records of US, UK, and Canadian residents, then lost the entire dataset. The breach occurred in late 2023. Public exposure came through an April 2024 class-action complaint filed against Jerico Pictures Inc. (doing business as National Public Data) after threat actor USDoD listed the dataset for sale on BreachForums. Jerico Pictures filed Chapter 11 bankruptcy on October 1, 2024. The dataset included names, addresses, historical residence history, and Social Security numbers.

By·Published May 18, 2026·Last verified May 2026

MITRE ATT&CK techniques

T1078 Valid Accounts (suspected initial access vector)T1213 Data from Information Repositories T1567 Exfiltration Over Web Service

Incident summary

National Public Data was the consumer-facing brand of Jerico Pictures Inc., a Coral Springs, Florida data broker that aggregated public-record data including names, addresses, prior residence history, date of birth, family relationships, and Social Security numbers. The company sold access to that dataset for background checks, skip tracing, and people-search applications via its nationalpublicdata.com and recordscheck.net properties. Per the class-action complaint, Jerico Pictures had no consumer-facing relationship with the people in its dataset. Records were aggregated from public sources and third-party data brokers without consumer notification or consent.

Per the Hofmann v. Jerico Pictures complaint filed August 1, 2024 in the Southern District of Florida, threat actor USDoD listed the dataset for sale on BreachForums in April 2024 for $3.5 million. The listing claimed 2.9 billion records covering US, UK, and Canadian residents. A separate actor using the handle Sing released a partial sample in April 2024 confirming SSN inclusion. The full dataset was released for free on a hacking forum in August 2024.

National Public Data acknowledged the breach via a notice on its website in August 2024 attributing initial access to attempts in late December 2023 with leaks in April 2024 and through summer 2024. The company did not file a timely notification with state attorneys general in most jurisdictions. Jerico Pictures Inc. filed Chapter 11 bankruptcy in the Southern District of Florida bankruptcy court on October 1, 2024, listing the breach class-action exposure as the principal cause of insolvency.

Attack technique

Public attribution and technical detail are limited because National Public Data did not publish a root cause analysis and did not retain incident response forensics from a recognized firm. The most credible technique mapping is T1078 (Valid Accounts) for the initial intrusion (the most likely access path given the small operational footprint of the target), T1213 (Data from Information Repositories) for collection from the broker's internal data warehouse, and T1567 (Exfiltration Over Web Service) for bulk transfer of the dataset.

Brian Krebs' August 2024 reporting on the case tied the National Public Data leak to USDoD, a threat actor with a history of public-record-aggregator targeting. Krebs' analysis also surfaced that Jerico Pictures had previously been called out by independent researchers for exposing data via unauthenticated APIs on its recordscheck.net property. The pattern of small data brokers with weak operational security holding large aggregated personal-data datasets is the structural condition. The case study value is not in technique novelty. It is in the business model.

The legal-disclosure technique is also worth noting. Jerico Pictures did not voluntarily disclose the breach in April 2024 when the dataset was first listed for sale. Public exposure came from the class-action complaint filed in August 2024 after the dataset's free release made suppression impossible. State breach-notification statutes typically require notification within 30 to 60 days of discovery, but the discovery date itself is gameable when the data broker is the breach victim. The eventual notification listed late December 2023 as the breach start, more than seven months before any public disclosure.

Impact and consequences

Per the Hofmann v. Jerico Pictures complaint, the dataset contained approximately 2.9 billion records. The class-action complaint estimated approximately 272 million unique individuals affected after deduplication, primarily in the US with smaller UK and Canadian populations. Per Troy Hunt's August 2024 intake of the dataset into Have I Been Pwned, approximately 134 million unique email addresses were confirmed present. The discrepancy between record count and individual count reflects the data broker's product design: each individual had multiple historical address, family, and employment records aggregated into the dataset.

Identity theft and credit-fraud impact is the dominant downstream consequence. Per the FTC's 2024 annual report and Identity Theft Resource Center 2024 quarterly reports, the disclosed SSN-inclusion of the National Public Data leak materially raised the supply of usable SSNs in identity fraud markets. The dataset's free public release in August 2024 made remediation impossible: SSNs cannot be revoked, and the data broker's product was specifically designed to correlate SSN to current address and family relationships, which is the exact data structure that defeats most identity-verification questions used by financial institutions.

Jerico Pictures Inc. filed Chapter 11 bankruptcy on October 1, 2024, listing the class-action exposure as the principal cause of insolvency. The bankruptcy filing valued the company's assets at less than $1 million and listed unliquidated class-action and state regulatory liabilities. Multiple state attorneys general opened investigations in late 2024 under state breach-notification statutes that require timely disclosure. The bankruptcy filing functionally caps individual class-member recovery to a fraction of the underlying claim.

The regulatory consequence is broader than the company itself. The National Public Data case fed congressional and FTC interest in data broker oversight through late 2024. The Consumer Financial Protection Bureau issued a proposed rule in December 2024 to bring data brokers under Fair Credit Reporting Act jurisdiction, citing the National Public Data breach as a specific reason. State-level data broker registration laws in California, Vermont, Oregon, and Texas saw amendment proposals in early 2025 to add minimum-security-standard requirements for registered brokers.

Indicators of Compromise

Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.

› Dataset listed for sale by threat actor USDoD on BreachForums in April 2024 for $3.5 million
› File naming convention nationalpublicdata.com and recordscheck.net referenced in the leaked dataset's metadata
› Earlier partial dataset leak by threat actor Sing posted on BreachForums in April 2024 with sample data confirming SSN inclusion
› Free public release of the full dataset on a hacking forum in August 2024, confirming previous samples
› Dataset structure with name, current address, prior addresses, date of birth, SSN, and family relationships, matching the National Public Data product offering
› Approximately 134 million unique email addresses cross-referenced in Have I Been Pwned after disclosure

Lessons for defenders

Data broker risk is third-party risk that you cannot mitigate via vendor management. Your customers' data sits in data broker datasets whether or not you have a contract with the broker. Vendor management programs cover contracted vendors. They do not cover data brokers that aggregate from public sources or buy data from other brokers downstream. The defensive posture is to assume that any data point you would treat as an identity verification factor is already in a public dataset.

SSNs are not an authentication factor. The National Public Data leak made this point unavoidable for institutions that still rely on knowledge of SSN as a step in customer identity verification. Move identity verification to verifiable government-issued ID with image and liveness checks, ITIN-equivalent step-up authentication, or out-of-band confirmation through previously-enrolled channels. Knowledge-based authentication using SSN, prior addresses, and family-tree questions is now defeated at scale.

Breach notification timelines are gameable when the breach victim is the data broker. The seven-plus-month gap between the December 2023 breach start and the August 2024 public exposure shows that small private companies can run out the clock on state breach-notification statutes by disputing the discovery date. Defensive programs that depend on receiving timely notification of breaches affecting your customers are misaligned with reality. Operate on the assumption that you will not get timely notification.

Frontline identity-fraud detection beats notification-driven response. Account-opening fraud, credit-application fraud, and synthetic identity fraud are the operational consequences of large SSN-inclusive data broker breaches. Investment in fraud detection model retraining, device fingerprinting, behavioral biometrics, and out-of-wallet authentication on the high-fraud-risk channels (online account opening, credit applications, tax filings) is the practical defense. The October 2024 IRS guidance on identity protection PINs for taxpayers in affected geographies is a related defensive recommendation.

Related career roles

The cybersecurity professionals whose day-to-day work would have detected, investigated, or contained this incident.

Related Decipher Files

Tracking AI-system incidents and policy events? Browse Applied AI Decipher Files →

Frequently asked questions

What is the National Public Data breach?

Per the August 2024 Hofmann v. Jerico Pictures class-action complaint, threat actor USDoD listed a dataset of approximately 2.9 billion records aggregated by data broker National Public Data (operated by Jerico Pictures Inc.) for sale on BreachForums in April 2024. The dataset included names, current and prior addresses, dates of birth, family relationships, and Social Security numbers. The full dataset was released for free on a hacking forum in August 2024, after which Jerico Pictures filed Chapter 11 bankruptcy on October 1, 2024.

How many people were affected by the National Public Data breach?

The dataset contained approximately 2.9 billion records, but the records per-individual structure of data broker datasets inflates that count. Per Troy Hunt's Have I Been Pwned intake in August 2024, approximately 134 million unique email addresses appeared in the dataset. The class-action complaint estimated approximately 272 million unique individuals affected after deduplication, primarily in the US with smaller UK and Canadian populations.

Were Social Security numbers exposed in the National Public Data breach?

Yes. Per the Hofmann v. Jerico Pictures class-action complaint and corroborating samples published by independent researchers, the dataset included Social Security numbers for a substantial portion of the affected US records. The data broker's product design relied on SSN-to-identity correlation as the value proposition, so SSN presence in the dataset is structurally consistent with the company's business model.

What happened to National Public Data after the breach?

Jerico Pictures Inc. doing business as National Public Data filed Chapter 11 bankruptcy in the Southern District of Florida bankruptcy court on October 1, 2024, listing the class-action exposure as the principal cause of insolvency. The bankruptcy filing valued company assets at less than $1 million. Multiple state attorneys general opened investigations in late 2024 under state breach-notification statutes. The bankruptcy filing functionally limits individual class member recovery to a fraction of the underlying claim.

When did the National Public Data breach actually occur?

Per National Public Data's own August 2024 website notice, initial access began in late December 2023, with leaks in April 2024 and through summer 2024. Public exposure did not occur until April 2024 when threat actor USDoD listed the dataset for sale on BreachForums, and full public release did not happen until August 2024. The seven-plus-month gap between breach start and public exposure highlights how breach notification timelines can be gamed when the breach victim is the data broker.

What can individuals do after the National Public Data breach?

Per recommendations from the FTC, IRS, and state attorneys general following the breach: place a credit freeze on the three major credit bureaus (Equifax, Experian, TransUnion), enroll in an IRS Identity Protection PIN program if eligible, monitor credit reports through AnnualCreditReport.com, and enable fraud alerts at the bureaus. SSNs cannot be revoked. The dataset is now public and cannot be removed. The practical defensive posture is shifting authentication and credit-application decisions away from SSN-knowledge-based verification.

Sources

Hofmann v. Jerico Pictures Inc. d/b/a National Public Data (S.D. Fla., Case 0:24-cv-61383) · Original class-action complaint filed in the Southern District of Florida in August 2024 with the 2.9 billion records claim
Krebs on Security: The Not-So-Secret Network Access Broker x999xx · Brian Krebs' August 2024 reporting tying USDoD and the dataset to National Public Data
Jerico Pictures Inc. Chapter 11 Bankruptcy Filing (S.D. Fla. Bankr., Case 24-19611) · Federal bankruptcy court filing on October 1, 2024 confirming financial collapse following the breach
Federal Trade Commission: FTC Data Brokers Annual Report 2024 · FTC framing of data broker business model and risk that bears on the NPD case
Maine Attorney General Data Breach Notification (NPD) · Maine AG data breach notification per Maine breach notification statute confirming the scope and scale
Have I Been Pwned: National Public Data Breach Entry · Troy Hunt's intake of the dataset into HIBP with 134 million unique email addresses

DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.

Last verified: 2026-05-18?Report an inaccuracy

This role lives inside a packaged path

Want the curriculum, comp delta, and recommended courses for this role?

DecipherU bundles cybersecurity roles into a small set of packaged paths. Each path has the curriculum sequence, the compensation delta it unlocks, and the recommended courses, all pre-set. Two ways in:

Take the 2-min Risk Score →Open the cybersecurity path hub →

Where to go next

Three next steps depending on where you are. The first two are free.

Free · 2 minutes

Start with the AI Risk Score

Two minutes. Tells you how exposed your current role is to AI automation and which defensive moves carry the best return.

Start the AI Risk Score →

Paid program · $147-$597

Aligned course: SOC Analyst Fundamentals

Capstone reviewed by the founder, published rubric, Ed25519-signed verifiable credential on completion.

View the course →

Free account

Save your results and track progress

A free account stores your assessments, recommendations, and an exportable copy of your Career DNA. No card needed.

Create your account →

Get cybersecurity career insights delivered weekly

Join cybersecurity professionals receiving weekly intelligence on threats, job market trends, salary data, and career growth strategies.

By subscribing you agree to our privacy policy. Unsubscribe anytime.