Decipher Files: National Public Data and the 2.9 Billion-Record Background-Check Database Leak That Reframed Data-Broker Risk

The disclosure trajectory was unusual. The dataset was first offered for sale on BreachForums on April 8, 2024 by a threat actor using the handle "USDoD" with an asking price of $3.5 million. Researchers initially could not attribute the source; the dataset's structure (background-check record format) narrowed the source set to data brokers in the background-check industry but no specific company claimed or denied the breach. On August 6, 2024, plaintiff Christopher Hofmann filed a class-action complaint in the US District Court for the Southern District of Florida naming National Public Data as the source. The complaint cited the records' structure, content, and metadata as identification of NPD's database.

The data scope as documented in the court filings: name, mailing address, Social Security Number, date of birth, and prior-address history for an estimated 2.9 billion records. The records covered most US adults, a substantial fraction of UK adults, and an estimated millions of Canadian residents. The SSN coverage made the dataset the most extensive single Social Security Number exposure of all time.

NPD's regulatory posture and breach-disclosure timeline drew specific criticism. The company did not file a formal breach notification with state attorneys general until the class-action complaint forced disclosure, roughly 17 weeks after the dataset first appeared for sale. Multiple state attorneys general (including Texas, Massachusetts, California, and Maine) opened investigations citing failure-to-disclose under state breach-notification statutes. The Federal Trade Commission opened a parallel investigation into NPD's data-handling practices.

NPD filed for Chapter 11 bankruptcy on October 2, 2024 in the US Bankruptcy Court for the Southern District of Florida. The bankruptcy filing listed approximately $1 million in assets against estimated liabilities exceeding $10 million from pending litigation and regulatory action. The filing effectively ended NPD's operations as a going concern.

The case crystallized several systemic risks. First, the data-broker sector operates with minimal regulatory oversight relative to the sensitivity of the data they hold. SSN, date-of-birth, and address combinations are sufficient for identity-theft and synthetic-identity fraud at scale; the dataset's exposure makes downstream fraud risk a multi-year condition for most US adults. Second, breach-notification statutes that depend on the breached entity's voluntary disclosure leave large gaps when the entity is a low-public-profile broker. Third, the bankruptcy outcome means the regulatory and civil-litigation pressure on NPD does not translate into actual customer compensation; the affected individuals have limited recovery options.

For cybersecurity practitioners the case anchors several program-level lessons. Privacy-engineering programs at organizations that purchase or integrate data-broker feeds must now include data-broker due diligence as a contract requirement. Identity-theft-protection vendor selection for employee benefits programs is reshaped by the dataset's broad SSN exposure. Threat-intelligence programs tracking dark-web data sales now reference USDoD's listing as a canonical pricing data point ($3.5M asking, no documented sale closure). Credit-monitoring offered to affected individuals shifted from optional benefit to expected employer benefit at many large employers in late 2024.