National Public Data files for bankruptcy, citing fallout from cyberattack

A background check giant that was hacked earlier this year has filed for bankruptcy, claiming in court documents that dozens of states have filed legal claims against it. 

Jerico Pictures, the parent company of National Public Data, filed for Chapter 11 in the bankruptcy court for the Southern District of Florida on October 2. 

Its president Salvatore Verini, Jr., who made the filing, said that in addition to federal and state-level investigations, several class action lawsuits have been filed since news emerged this summer that hackers stole millions of Social Security numbers. 

National Public Data is one of the biggest background check companies, allowing its customers to search billions of records with instant results. In a case management summary submitted alongside the bankruptcy filing, the company said “a large portion” of their business “serves healthcare institutions” that “prohibit entry of individuals with background issues.”

The company admitted in August that a late December 2023 data breach was the source of personal information that was sold on the dark web in April 2024 and again throughout the summer. 

Names, Social Security numbers, phone numbers, addresses and dates of birth were included in the leaked database. At the time, National Public Data said it had “cooperated with law enforcement and governmental investigators” examining the incident but has not provided an update since then. 

The bankruptcy filing comes months after the company said in a data breach notice sent through regulators in Maine that 1.3 million people had information leaked in the cyberattacks. 

On April 7, a well known hacker going by the name USDoD posted a database on the criminal marketplace Breached claiming it contained 2.9 billion records on U.S. citizens. The bankruptcy filing explicitly names USDoD, noting that the hacker “has had a great deal of success breaching other institutions including the FBI, Airbus, and TransUnion.”

Several cybersecurity experts, including data breach expert Troy Hunt, have confirmed that while the database contains duplicates, much of the information is accurate. Hunt estimated that the database included about 899 million unique SSNs, likely of both living and deceased people. 

Identity theft protection services were not offered to victims and the company has not responded to requests for comment about why their filing does not match the findings of security researchers who went through the leaked databases. 

‘Hundreds of millions of potentially impacted individuals’

“This data breach caused a massive exposure of this data, and the release of this information is relatively ubiquitous within the hacking community,” Jerico Pictures said in the court filing last week. 

“Law enforcement, including the FBI and a wide range of state and federal regulatory agencies have responded to the breach in force. Unfortunately, the exposure of this information creates a wide range of liabilities upon the Debtor.”

In the court filing, the company says it has between 50 and 99 creditors, and the vast majority of those listed in the bankruptcy filing are attorneys general from almost all 50 states, Guam, Puerto Rico, American Samoa, the Virgin Islands, the North Mariana Islands and the District of Columbia. The filing does not say how much is owed to each state. 

Another part of the filing says the company has liquidated debts worth less than $3 million. Only Missouri has come forward publicly to say it is investigating the breach. 

But the bankruptcy document said regulatory agencies are currently investigating and “demanding substantial attention and resources to respond.” More than 20 states are levying civil penalties for the breach and the Federal Trade Commission may issue fines, according to the company. 

“The reputational impact has driven customers from the Debtor. The Debtor is likely liable through the application of various state laws to notify and pay for credit monitoring for hundreds of millions of potentially impacted individuals,” the company added. 

“As the debtor’s schedules indicate, the enterprise cannot generate sufficient revenue to address the extensive potential liabilities, not to mention, defend the lawsuits and support the investigations. The Debtor’s insurance has declined coverage.”

Jerico Pictures “maintains no dedicated physical offices” and Verini runs the company out of his home in Pompano Beach, Florida, using independent data centers to house much of the company’s infrastructure. 

It claims to have $39,225 worth of assets held in a Flagstar bank account and about $5,400 worth of technology equipment — mostly Dell computers, cameras and servers.

Verini said the company owns dozens of domain names, many of which related to National Public Data’s background check work but some of which appear tangential, including “asseeninporn.com.”

Jerico Pictures reported gross revenue in 2022 of $746,088, $1.15 million in 2023 and about $431,000 from January 1 to the date of the filing. 

The company acknowledged it is facing multiple class action lawsuits by people who believe their information was leaked during the cyberattack. 

It declared losses from the "enterprise wide data breach against social security database" and valued the property lost as worth $1 million.