National Public Data, the Hacked Data Broker That Lost Millions of Social Security Numbers and More, Files For Bankruptcy (techcrunch.com) 20
An anonymous reader shares a report: A Florida data broker that lost hundreds of millions of Social Security numbers and other personally identifiable information in a data breach earlier this year, has filed for Chapter 11 bankruptcy protection as the company faces a wave of litigation.
Jericho Pictures, the parent company of the hacked data broker National Public Data, told a Florida bankruptcy court that it was unlikely to be able to repay its debtors or address its anticipated liabilities and class-action lawsuits, including paying "for credit monitoring for hundreds of millions of potentially impacted individuals." In its initial filing, Jericho Pictures' owner, Salvatore Verini, said the company "faces substantial uncertainty facing regulatory challenges by the Federal Trade Commission and more than 20 states with civil penalties for data breaches."
Jericho Pictures, the parent company of the hacked data broker National Public Data, told a Florida bankruptcy court that it was unlikely to be able to repay its debtors or address its anticipated liabilities and class-action lawsuits, including paying "for credit monitoring for hundreds of millions of potentially impacted individuals." In its initial filing, Jericho Pictures' owner, Salvatore Verini, said the company "faces substantial uncertainty facing regulatory challenges by the Federal Trade Commission and more than 20 states with civil penalties for data breaches."
And nothing of value was lost (Score:2)
I is one of those companies.
Re: (Score:3)
Unfortunately, the company isn't going out of business, just restructuring its debt.
Re: (Score:3)
and not even the parent company
Re: (Score:3, Insightful)
Unfortunately, the company isn't going out of business, just restructuring its debt.
And, importantly to the owners, protecting their future revenue by substantially restricting claims against the company for their past failures. All pending lawsuits for the breach will now be suspended, and any future payouts are likely to be minimal.
They can sell their assets in bankruptcy (Score:3)
Assets like your social security number.
Re: (Score:3, Funny)
Re: (Score:2)
so pretty much everybody
Re: (Score:2)
Re: (Score:3)
Incompetent companies eventually go out of business. Incompetent government agencies just get bigger budgets.
Re: (Score:3)
let me ask you this question in a few after this company deals with c11 protections and resumes selling your info again, and the parent company gets scott free.
Re:Good thing this was private industry (Score:4, Informative)
Truth. Privatize the profits and socialize the losses.
DEI is played out so now that it's peak hurricane season FEMA is the new boogey man. Imagine the headlines if Biden said fuck Florida, you aint getting shit. https://www.politico.com/news/... [politico.com]
Re: (Score:2)
Credit monitoring? (Score:3)
Data mills... (Score:5, Insightful)
"According to the bankruptcy filings, Verini valued the companyâ(TM)s stolen database of Social Security numbers at $1 million. The filing also lists several other databases the company maintains as assets, but did not provide corresponding valuations. Those datasets pertain to individuals licensed by the Drug Enforcement Administration to write prescriptions for controlled substances; those with permits to carry concealed weapons; and banks of data containing public records, such as marriages, divorces, bankruptcy filings, and international financial sanctions; among others."
I'm wondering if this is a case where piercing the corporate veil would be appropriate. The guy running the business is using corporate bankruptcy as a way of dodging the liabilities he accrued while running this data mill. There's no guarantee that he won't do the exact same things with those "assets" (the information of private citizens) as last time.
The question is this: can debtors in this instance go after his personal assets to satisfy the corporate debt, since arguably if he's unable to secure these databases, they're more liability than asset (he was unable to secure insurance after the breach), and thus the company is undercapitalized and he should not deserve the protection that a corporation normally would afford for liability.
Along those lines... regulation makes business more expensive, and creates a barrier to entry. While I hate the big (4) credit bureaus, I'm hard pressed to list any regulations that specifically mandate how they are supposed to handle personal information, and any punishments that might accrue for failure. Equifax is the most infamous one, and they didn't get a corporate death penalty. Instead they settled without admitting wrongdoing. Compare that to penalties for violating HIPAA regulations, which can include prison time.
https://www.consumerfinance.go... [consumerfinance.gov]
But finally, we come to the crux of the matter: our systems should not be designed such that the breach of one of these data mills (or any business, including one of the big credit bureaus) should threaten individuals with the specter of identity theft. Medicare fraud, tax fraud, account takeovers - none of these would be possible save for the fact that we've failed to modernize these systems, or deliberately engineered backdoors in the name of convenience that can be abused.
And then we built incredibly shitty systems on top of that - for example, systems that mandate that you give them your mobile phone number so they can "verify" you. Now those same systems are vulnerable to the minimum wage clerk working at the local Verizon store, doing a sim swap number port of your phone number. Seriously, how stupid can you be to build a requirement like that into your sysem when NIST itself deprecated SMS as a 2FA channel back in 2016?
https://www.schneier.com/blog/... [schneier.com]
Can we please name and shame all the companies that enforce the use of mobile phone numbers for 2FA without giving people the option to switch to hardware keys or TOTP tokens, so folks can make an informed choice to stop doing business with these ticking time bombs? Waiting for their cybersecurity insurers to jack up their premiums to force them to change clearly isn't working....
Re: (Score:2)
The biggest problem we face in protection of PII is that SSNs are not protected with the same fervency as FTI. If you got them from somewhere other than the IRS, and you didn't get them as part of "tax info" then they are barely protected at all. Divulging SSNs needs to be taken with the same seriousness as divulging someone's whole ass tax return. Instead it's accepted and even expected.
SSN is not a secret (Score:3)
It's the industry's fault for abusing the SSN as key information for authorization. There should be a general law putting responsibility on any business using insecure way to protect privacy, not on the users. But they always scream: "it's bad for business". Well - too bad. Same for allowing abuse of 'no call'.
If only... (Score:2)
Now if only all the other "Data Brokers" would go under....
Re: (Score:2)
Indeed. Bravo to whoever was behind this hack (and I say that as one of the millions whose info was in the compromise -- I've got a ton of debts, if anyone wants my identity, they can have it), and may they carry on until "Data Broker" is no longer a viable industry.
I wish it were possible to achieve this end without innocent people having to deal with account compromises and such, but its the bed we've made, and now we have to lie in it. There's a cost to be paid for simultaneously treating the SSN as a