National Public Data, a data-broker firm aggregating personal-information records on approximately 2.9 billion individuals (with substantial duplication across the records; the unique-individual population is estimated at approximately 170 million), has had its complete data holdings published in stages through July and August (Bleeping Computer reported the NPD disclosure on August 6; a confirming press release from NPD parent Jerico Pictures followed on August 12). The disclosed data includes Social Security numbers, full names, address histories, dates of birth, and various other aggregated personal-information records. As a data-broker-industry exposure it is, in scale and sensitivity, unprecedented.
The technical content. On the limited public information, the compromise mechanism was credential compromise of a National Public Data administrative account, with the operator subsequently exfiltrating the company's complete database holdings. The publication has been progressive — initial smaller subsets in April-May, broader publication in June-July, and the complete database in early August. The aggregate exposure across the affected population is, in personal-data-protection terms, substantial; the affected population includes substantially every adult in the United States plus significant non-US populations whose personal data NPD had aggregated.
The data-broker-industry structural question. National Public Data is a data-broker firm — an organisation in the business of aggregating personal information from various sources (public records, commercial-data partnerships, scraped and purchased datasets) and selling access to the aggregated data to customer organisations for various purposes (background-check services, marketing analytics, identity verification, credit services). The broader US and international data-broker industry includes hundreds of comparable firms with substantial aggregated personal-data holdings. The structural critique of the data-broker industry — that it concentrates the most sensitive personal information about substantial population scopes into private commercial firms with limited regulatory oversight, that the affected individuals have not consented to the aggregation in any meaningful sense, and that the sector's defensive posture is, on average, less mature than that of the customer-facing-platform sector — has been articulated by privacy advocates for many years. The NPD case is the worked example of why the structural critique is correct.
The post-Equifax-2017 parallel. The 2017 Equifax disclosure (143 million US records exposed) was, at the time, the worked example of credit-bureau-industry structural exposure. The 2024 NPD disclosure is, in scale, an order of magnitude larger, and it occurred in a sector with weaker regulatory oversight than the credit-bureau industry. The aggregate effect of the two cases on the US personal-data-protection regulatory conversation is going to be substantial through 2024-2025; the various US state-level privacy-legislation initiatives that have progressed since the CCPA (California Consumer Privacy Act) are likely to be reinforced by the post-NPD environment.
For the customer-portfolio briefings, the NPD case has produced two specific conversations. First, customer organisations' use of data-broker-industry services for various business purposes — background-check services, identity verification, credit decisioning — needs to be reviewed against the post-NPD risk profile. Procurement and vendor-management posture for data-broker vendors is being tightened across the customer portfolio. Second, the broader question of customer organisations' own data-aggregation posture — which categories of customer organisation operate as data aggregators in their own business models, and the structural exposure of those models — is part of the broader strategic conversation with those customers.
The wider strategic point. The sequence of LinkedIn 2012 (resurfaced May 2016), Yahoo 3 billion (October 2017), Collection-1 (January 2019) and NPD 2024 demonstrates that the aggregate population of exposed credentials and PII continues to grow. The customer-organisation defensive posture has to assume that, for any given individual in a substantial population, identifying personal information is in adversary hands. The defensive controls that respond to this — comprehensive MFA coverage, transaction monitoring against synthetic-identity fraud, and customer-verification procedures that do not rely on knowledge of personal data — are operationally tractable and are now, post-NPD, more substantively prioritised across the customer portfolio.
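As an added illustration of the second and third controls above (example code, not from the original post or any vendor), a screening routine over constructed application records: it holds any application verified only by knowledge of personal data, and any SSN that appears under more than one name/date-of-birth pairing, which is the classic synthetic-identity signal once real SSNs are in adversary hands. The `Application` fields, the hash placeholders and the hold rules are assumptions for the example.

```python
"""Synthetic-identity screening over onboarding applications (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    app_id: str
    ssn_hash: str        # keyed hash of the SSN; raw SSNs are never logged here
    name: str
    dob: str             # ISO date string
    address: str
    possession_verified: bool  # a possession/biometric factor was completed


def screen_applications(apps):
    """Return {app_id: [reasons]} for applications to hold for manual review.

    Hold rules (assumed policy for this example):
      1. knowledge-only: no possession factor was completed, so the check
         relied solely on data an attacker can buy post-breach (SSN, DOB, address).
      2. ssn collision: the same SSN appears with more than one distinct
         (name, dob) identity across the batch.
    """
    identities_by_ssn = defaultdict(set)
    for a in apps:
        identities_by_ssn[a.ssn_hash].add((a.name.strip().lower(), a.dob))

    flagged = {}
    for a in apps:
        reasons = []
        if not a.possession_verified:
            reasons.append("knowledge-only verification")
        if len(identities_by_ssn[a.ssn_hash]) > 1:
            reasons.append("ssn reused across differing identities")
        if reasons:
            flagged[a.app_id] = reasons
    return flagged


# Constructed sample batch: HASH_A..HASH_C stand in for keyed SSN hashes.
SAMPLE_APPS = [
    Application("A1", "HASH_A", "Jane Doe", "1980-01-01", "1 Main St", True),
    Application("A2", "HASH_A", "John Roe", "1991-05-05", "9 Elm Ave", True),
    Application("A3", "HASH_B", "Ann Smith", "1975-03-03", "4 Oak Rd", False),
    Application("A4", "HASH_C", "Bob Lee", "1988-08-08", "7 Pine Ct", True),
]

if __name__ == "__main__":
    for app_id, reasons in screen_applications(SAMPLE_APPS).items():
        print(app_id, "->", "; ".join(reasons))
```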
I will return to this. The NPD situation will continue to produce regulatory and class-action consequences.