National Public Data: 2.9 Billion Records, and the Company That Lost Them Went Bankrupt
A Florida data broker most people had never heard of was sitting on billions of personal records. When it got hacked, Social Security numbers for hundreds of millions of Americans hit the open internet. Then the company filed for bankruptcy and disappeared.
Jerico Pictures Inc. operated out of Coral Springs, Florida under the name National Public Data. Unless you worked in background checks or skip tracing, you’d never heard of them. They scraped court records, public filings, property records, and voter registrations, stitched it all together into searchable profiles, and sold access to anyone willing to pay. Names, addresses, phone numbers, dates of birth, Social Security numbers — packaged and monetized at scale.
Most people whose data they held never knew the company existed. They never consented. They were never notified. That’s how the data broker industry works.
In April 2024, a hacker operating under the alias “USDoD” infiltrated National Public Data’s systems and walked out with 2.9 billion records. Full names. Current and historical addresses. Social Security numbers. Dates of birth. Phone numbers. The dataset covered individuals across the United States, United Kingdom, and Canada.
The 2.9 billion figure includes duplicate entries — multiple records per person reflecting different addresses over time. But strip out the duplicates and you’re still looking at hundreds of millions of unique individuals whose most sensitive identifiers were now in criminal hands.
$3.5 Million Ask. Zero Buyers. Then It Went Free.
USDoD listed the full dataset on a dark web forum for $3.5 million. Nobody paid. The price was too high for a single buyer when the data’s value was speculative — how much of it was current, how much was already circulating from prior breaches, how much could actually be weaponized.
So in August 2024, the entire dataset was dumped for free on Breach Forums — one of the most active public hacking communities on the internet. No paywall. No negotiation. Just a download link and 2.9 billion records available to anyone with a browser and a BitTorrent client.
Social Security numbers for a meaningful percentage of the U.S. population, sitting on the open internet.
The Company Disappeared
The lawsuits came fast. More than a dozen class-action suits landed against Jerico Pictures within weeks of the breach becoming public. Plaintiffs argued what was obvious: the company had aggregated extraordinarily sensitive personal data and failed to implement adequate security measures to protect it.
On October 2, 2024, Jerico Pictures filed for Chapter 11 bankruptcy in the Southern District of Florida. The filing revealed a company with minimal assets and no realistic path to resolving the litigation against it. By December 2024, National Public Data was gone entirely — website dark, operations ceased, no forwarding address.
The people whose data was stolen got nothing. No notification from the company (most never knew NPD had their data in the first place). No credit monitoring offer. No settlement. The company that created the risk simply ceased to exist, and the damage became permanent.
The Data Broker Problem
National Public Data wasn’t an outlier. It was an example.
The Vermont Data Broker Registry — one of the only state-level attempts to track this industry — had over 640 data brokers registered as of 2024. Vermont is one of the few states that requires brokers to register at all. Most states have no such requirement. There is no federal law requiring data brokers to disclose that they hold your information, to let you see what they have, or to delete it when asked.
These companies operate in a regulatory vacuum. They collect data from public records, purchase histories, app usage, location tracking, and social media scraping. They build profiles. They sell them. And when their security fails — which it inevitably does — the consequences land entirely on the people whose data was compromised.
The pattern repeats. Equifax, 2017: 147 million Americans had their Social Security numbers, birth dates, and addresses stolen because of an unpatched Apache Struts vulnerability the company knew about for months. Equifax eventually paid a $700 million settlement — roughly $4.75 per person affected. The company survived. The data is still out there.
National Public Data couldn’t even manage that. Too small to absorb the legal costs, too negligent to have prevented the breach, too broke to compensate anyone. The data broker model concentrates risk in entities that can’t bear it and distributes consequences to people who never agreed to participate.
| NPD (2024) | Equifax (2017) | |
|---|---|---|
| Records exposed | 2.9 billion | 147 million |
| SSNs included | Yes | Yes |
| Settlement | $0 (bankrupt) | $700M |
| Company survived | No | Yes |
| Victim compensation | $0 | $4.75 avg |
What Credit Freezes Don’t Fix
The standard advice after a breach like this is predictable: freeze your credit, sign up for monitoring, check your statements. And yes — credit freezes work for preventing new accounts from being opened in your name. Everyone should have them in place with all three bureaus.
But freezes and monitoring address symptoms. They don’t touch the underlying problem: your personal data is already out there, held by companies you’ve never heard of, protected by security you can’t evaluate, governed by regulations that barely exist.
A credit freeze doesn’t prevent someone from using your Social Security number to file a fraudulent tax return. Monitoring doesn’t stop an attacker from combining your SSN, date of birth, and mother’s maiden name to social-engineer their way past a bank’s phone verification. The data is loose. It doesn’t expire. And every company still holding your information — the ones you know about and the hundreds you don’t — is a potential National Public Data.
Taking Control
Nobody is coming to fix this. Not the regulators — the CFPB rule that would have treated data brokers as what they are got lobbied into uncertainty. Not the companies — the ones that survive breaches pay a fine and move on. Not law enforcement — they can’t even keep up with the ransomware gangs, much less the data brokers who operate legally.
The only person who can reduce your exposure is you.
Every account you create, every form you fill out, every service that stores your name and address and phone number — that’s another node in the network, another company whose security failure becomes your problem. You can’t claw back what’s already been leaked. But you can stop feeding the machine.
Minimize accounts. Minimize shared data. Use email aliases so breaches at one service don’t cascade to others. Keep your primary identity — your real name, your real phone number, your actual email — out of every system that doesn’t absolutely require it. Understanding which systems hold your data and why they hold it is the first step to taking it back.
The Privacy Starter Kit exists because this problem is structural, not behavioral. It’s not about being more careful online. It’s about deciding that your personal information belongs to you — and building habits and using tools that enforce that decision, because no institution is going to enforce it for you.
National Public Data collected 2.9 billion records and couldn’t keep them safe. They’re not the last company that will fail this way. They’re just the one that made it obvious.