Today, Congressman Ritchie Torres (NY-15) released “An Investigative Report on The National Public Data Breach.” The full report can be found here. See graphics breaking down the numbers below.

An excerpt of the report reads:

“A cybercriminal gang, operating under the alias of USDoD, stole a massive database from National Public Data (NPD), and then on April 8th, 2024, the cyber gang published it on a Dark Web forum entitled ‘Breached.’ USDoD, which may have breached National Public Data as far back as December 2023, offered to sell 2.9 billion rows of records for $3.5 million. 

“National Public Data is a private company that aggregates data in order to run background checks. A company like NPD is known as a data aggregator or data broker. National Public Data had a massive database stolen, a database containing 2.9 billion rows of private records. Among those private records are the social security numbers of millions of Americans. I write not only as a United States Congressman but as a victim of the NPD breach. I am among the millions of Americans whose social security number has been stolen…

“The conduct of National Personal Data has been so egregious that it all but rises to the level of corporate malfeasance. In early August, a class action lawsuit was filed against Jericho Pictures, which owns and operates NPD. Only after the lawsuit did National Public Data finally admit there had been a breach as far back as December and a leak in both April and August. If the breach dates as far back as December and the leak as far back as April, why would National Public Data go four to eight months without disclosing the breach to the general public? Why would it go four to eight months without disclosing the breach to the victims whose social security numbers were stolen? Why would NPD leave millions of Americans wide open to identity theft? NPD has some explaining to do.

“The NPD data breach is as definitive a sign as any that data aggregators and brokers cannot be trusted to police themselves. What is needed, now more than ever, is a federal data privacy law that brings law and order to the lawlessness and disorder of cyberspace.

“In a properly functioning world, Congress would pass a law establishing comprehensive federal standards of data privacy, as it came close to doing before falling short.  At a bare minimum, Congress should pass a law prohibiting data aggregators and data brokers from collecting social security information whose leakage has put millions of Americans at risk of identity theft.  As George Santayana once said, ‘Those who fail to learn from history are doomed to repeat.’  The time has come for Congress to legislate lessons learned.”