National Public Data (NPD), a Florida-based background check firm, is at the center of a major data breach scandal that has raised significant concerns over the scale of compromised personal information. The company, which conducts criminal background checks for employers and investigators, confirmed last week that it had been hacked by cybercriminals who accessed sensitive data, including Social Security numbers, names, addresses, and phone numbers. Despite initially reporting that ‘only’ 1.3 million individuals were affected, evidence suggests that the actual number may be far higher.
The breach, which occurred in December 2023, became public knowledge after leaks began to surface in April 2024. The cybercriminal group known as USDoD claimed responsibility for the attack, stating they had stolen a database containing 2.9 billion lines of data. This data allegedly included information on citizens from the United States, Canada, and the United Kingdom. The group offered the database for sale on the dark web for $3.5 million, sparking fears that millions of people could be at risk.
Troy Hunt, a well-known cybersecurity expert and creator of the HaveIBeenPwned website, analyzed the leaked data and identified 134 million unique email addresses, suggesting that the breach could have impacted far more people than NPD has acknowledged. Additionally, Atlas Data Privacy, a firm specializing in data removal from brokerages, discovered 272 million unique Social Security numbers among the leaked data. These findings cast doubt on NPD’s initial estimate of the breach’s scope.
In response to the breach, NPD has been hit with multiple class-action lawsuits filed in the U.S. District Court of Fort Lauderdale. Plaintiffs in these lawsuits argue that the company failed to adequately protect their personal information and is downplaying the extent of the breach. NPD, which operates under the name Jerico Pictures Inc., has stated that it is cooperating with law enforcement and has implemented additional security measures to prevent future breaches.
Despite these assurances, the company has faced criticism for not disclosing the full extent of the compromised data. In its filings with Maine’s attorney general, NPD reported that 1.3 million individuals were affected, but it did not provide a comprehensive breakdown of the data types exposed. The company’s statements have also been criticized for failing to include crucial information, such as the 70 million criminal records identified by Hunt.
The data leak has had significant implications, particularly because NPD’s services are widely used by employers, staffing agencies, and private investigators. The breach has highlighted vulnerabilities in the data security practices of companies that handle sensitive personal information, and it underscores the growing risks associated with cybercrime.
Expanded Coverage: