What National Public Data's 2.7 billion-record breach means for banks

On Tuesday, personal data broker National Public Data acknowledged a data breach that involves 2.7 billion pieces of personal information, including names, addresses and Social Security numbers, in one of the largest known data breaches in terms of records leaked.

The records affect a currently unknown number of U.S. victims, including six people who have filed class action lawsuits against National Public Data, which is also known as Jerico Pictures. The plaintiffs in the lawsuits allege that National Public Data acted negligently in its failure to protect their personally identifiable information, or PII.

When it publicly acknowledged the breach, National Public Data said the incident involved "a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024," according to a statement on its website.

The company confirmed in the statement that the breached data includes names, email addresses, phone numbers, Social Security numbers and mailing addresses.

National Public Data did not respond to a request for additional comment.

The company advertises that its customers include "private investigators, consumer public record sites, human resources, staffing agencies and more." The company says customers can search "billions of records with instant results."

National Public Data said on its website it obtains information "from various public record databases, court records, state and national databases and other repositories nationwide."

Cybersecurity news outlet BleepingComputer reported this week that, while some of the records are accurate, others are not, according to people whose names and addresses appear in the database. Similarly, TechCrunch said its review of a sample of 5 million records found personal information that matches public records and information that appears inaccurate.

According to the anonymous owner of the social media account for vx-underground, an online collection of malware samples, some individuals in the database have been dead for nearly 20 years, and the database does not contain information from "individuals who use data opt-out services."

However, it was unclear which opt-out services would have protected individuals, as there are numerous such services, all of which offer data privacy services of varying kinds. National Public Data itself has opt-out procedures.

Each of the 2.7 billion breached records is a row in a spreadsheet. Multiple rows can reference the same person, with each row containing a different address associated with that person. Because of this, it is not immediately clear exactly how many individuals are affected by the breach.

Timeline of breach and disclosures

On April 7, cybercriminal group USDoD advertised the sale of a four-terabyte trove of stolen data on the illicit data marketplace BreachForums. The listing claimed the database contained 2.9 billion records, accounting for "the entire population" of the U.S., U.K. and Canada. USDoD's asking price was $3.5 million.

On June 1, the vx-underground account said it had learned USDoD intended to leak the database. The account added that threat actor SXUL was the one that had compromised the National Public Data database, and data broker USDoD was the one looking to sell it.

Between Aug. 1 and Aug. 5, alleged victims of the data breach filed at least five class action lawsuits against National Public Data, all in the Southern District of Florida, where the Coral Springs company is based. One of the lawsuits names two individuals.

On Aug. 6, a BreachForums user named Fenice posted 277 gigabytes of data for anyone to freely download. The posted data included 2.7 billion records. The user claimed it was the "full database" from the SXUL breach of National Public Data.

How banks can help customers protect themselves

Banks and credit unions looking to help their customers protect themselves against potential fallout from the data breach can provide information about what to do next.

As two examples, Fulton Bank and City National Bank (a subsidiary of Royal Bank of Canada) provide guides to customers on what to do if their personal information is stolen. The Federal Trade Commission also publishes a consumer guide on what to do if one's information is exposed. The guide is one resource provided through identitytheft.gov, which includes other advice and information.

One key step for consumers is implementing free credit file freezes through the three major credit bureaus. The U.S. General Services Administration provides information and links to the procedures, as do many state attorneys general.

Consumer advocacy publication Consumer Reports provides a free guide to data opt-out services. Nonprofit public interest group World Privacy Forum also provides a comprehensive guide to other kinds of opt-out services.

Finally, cybersecurity technology platform Pentester provides a free tool for checking whether a person's data appears in the National Public Data breach.

American Banker independently confirmed that the tool provides true data on some individuals. The publication could not independently verify that individuals who get no match do not appear in the leaked database. In other words, even if someone finds no match with the Pentester tool, their data might still appear in the breach.
