National Public Data, the Hacked Data Broker That Lost Millions of Social Security Numbers and More, Files For Bankruptcy (techcrunch.com) 28
An anonymous reader shares a report: A Florida data broker that lost hundreds of millions of Social Security numbers and other personally identifiable information in a data breach earlier this year, has filed for Chapter 11 bankruptcy protection as the company faces a wave of litigation.
Jericho Pictures, the parent company of the hacked data broker National Public Data, told a Florida bankruptcy court that it was unlikely to be able to repay its debtors or address its anticipated liabilities and class-action lawsuits, including paying "for credit monitoring for hundreds of millions of potentially impacted individuals." In its initial filing, Jericho Pictures' owner, Salvatore Verini, said the company "faces substantial uncertainty facing regulatory challenges by the Federal Trade Commission and more than 20 states with civil penalties for data breaches."
And nothing of value was lost (Score:2)
I is one of those companies.
Re: (Score:3)
Unfortunately, the company isn't going out of business, just restructuring its debt.
Re: (Score:3)
and not even the parent company
Re: (Score:3, Insightful)
Unfortunately, the company isn't going out of business, just restructuring its debt.
And, importantly to the owners, protecting their future revenue by substantially restricting claims against the company for their past failures. All pending lawsuits for the breach will now be suspended, and any future payouts are likely to be minimal.
They can sell their assets in bankruptcy (Score:4, Funny)
Assets like your social security number.
Re:They can sell their assets in bankruptcy (Score:5, Funny)
Re: (Score:2)
so pretty much everybody
Re: (Score:2)
Good thing this was private industry (Score:1, Flamebait)
Imagine how upset all the right-wingers would be if this had been the government. Since it's private industry you won't hear a peep from them.
Re: (Score:3)
Incompetent companies eventually go out of business. Incompetent government agencies just get bigger budgets.
Re: (Score:3)
let me ask you this question in a few after this company deals with c11 protections and resumes selling your info again, and the parent company gets scot-free.
Re:Good thing this was private industry (Score:4, Informative)
Truth. Privatize the profits and socialize the losses.
DEI is played out so now that it's peak hurricane season FEMA is the new boogey man. Imagine the headlines if Biden said fuck Florida, you ain't getting shit. https://www.politico.com/news/... [politico.com]
Re: (Score:2)
Credit monitoring? (Score:5, Insightful)
Re: (Score:3)
Just one day after I got the letter for this breach, I got a notice from a credit monitoring service I have only due to a different breach that my SSN was found in this breach.
lmaosob
Re: (Score:1)
Data mills... (Score:5, Insightful)
"According to the bankruptcy filings, Verini valued the company's stolen database of Social Security numbers at $1 million. The filing also lists several other databases the company maintains as assets, but did not provide corresponding valuations. Those datasets pertain to individuals licensed by the Drug Enforcement Administration to write prescriptions for controlled substances; those with permits to carry concealed weapons; and banks of data containing public records, such as marriages, divorces, bankruptcy filings, and international financial sanctions; among others."
I'm wondering if this is a case where piercing the corporate veil would be appropriate. The guy running the business is using corporate bankruptcy as a way of dodging the liabilities he accrued while running this data mill. There's no guarantee that he won't do the exact same things with those "assets" (the information of private citizens) as last time.
The question is this: can debtors in this instance go after his personal assets to satisfy the corporate debt, since arguably if he's unable to secure these databases, they're more liability than asset (he was unable to secure insurance after the breach), and thus the company is undercapitalized and he should not deserve the protection that a corporation normally would afford for liability.
Along those lines... regulation makes business more expensive, and creates a barrier to entry. While I hate the big (4) credit bureaus, I'm hard pressed to list any regulations that specifically mandate how they are supposed to handle personal information, and any punishments that might accrue for failure. Equifax is the most infamous one, and they didn't get a corporate death penalty. Instead they settled without admitting wrongdoing. Compare that to penalties for violating HIPAA regulations, which can include prison time.
https://www.consumerfinance.go... [consumerfinance.gov]
But finally, we come to the crux of the matter: our systems should not be designed such that the breach of one of these data mills (or any business, including one of the big credit bureaus) should threaten individuals with the specter of identity theft. Medicare fraud, tax fraud, account takeovers - none of these would be possible save for the fact that we've failed to modernize these systems, or deliberately engineered backdoors in the name of convenience that can be abused.
And then we built incredibly shitty systems on top of that - for example, systems that mandate that you give them your mobile phone number so they can "verify" you. Now those same systems are vulnerable to the minimum wage clerk working at the local Verizon store, doing a sim swap number port of your phone number. Seriously, how stupid can you be to build a requirement like that into your system when NIST itself deprecated SMS as a 2FA channel back in 2016?
https://www.schneier.com/blog/... [schneier.com]
Can we please name and shame all the companies that enforce the use of mobile phone numbers for 2FA without giving people the option to switch to hardware keys or TOTP tokens, so folks can make an informed choice to stop doing business with these ticking time bombs? Waiting for their cybersecurity insurers to jack up their premiums to force them to change clearly isn't working....
Re: (Score:2)
The biggest problem we face in protection of PII is that SSNs are not protected with the same fervency as FTI. If you got them from somewhere other than the IRS, and you didn't get them as part of "tax info" then they are barely protected at all. Divulging SSNs needs to be taken with the same seriousness as divulging someone's whole ass tax return. Instead it's accepted and even expected.
Re: (Score:2)
The biggest problem we face in protection of PII is that SSNs are not protected with the same fervency as FTI. If you got them from somewhere other than the IRS, and you didn't get them as part of "tax info" then they are barely protected at all. Divulging SSNs needs to be taken with the same seriousness as divulging someone's whole ass tax return. Instead it's accepted and even expected.
IMO the biggest problem is that SSNs are treated as private when all these data breaches mean it's probably (I wouldn't know) just as easy to find as your name.
Re: (Score:2)
IMHO, the biggest problem is that SSNs are kind of treated like private data when in many situations they are public data. My SSN identifies me uniquely (or it should), but it cannot prove that the person with it is me. But often companies use the SSN to do the latter, which is where the problem comes in. Of course, they do that because they don't have something else that could be used. So various institutions need to trust that someone that has my SSN is me, even though there's no way to know that for
SSN is not a secret (Score:3)
It's the industry's fault for abusing the SSN as key information for authorization. There should be a general law putting responsibility on any business using an insecure way to protect privacy, not on the users. But they always scream: "it's bad for business". Well - too bad. Same for allowing abuse of 'no call'.
Re: (Score:3)
All for the need of a unique identifier. Something which American citizens get all up in arms about.
I might get modded down for this but:
It would really be nice if the State properly handled digital identification including both the public and private aspects of it. The State already handles property titles and deeds (to protect the owners of property in a capitalist system), birth and death certificates (to know who is in existence at a given time), and criminal records (to blacklist those who may be
If only... (Score:3)
Now if only all the other "Data Brokers" would go under....
Re: (Score:2)
Indeed. Bravo to whoever was behind this hack (and I say that as one of the millions whose info was in the compromise -- I've got a ton of debts, if anyone wants my identity, they can have it), and may they carry on until "Data Broker" is no longer a viable industry.
I wish it were possible to achieve this end without innocent people having to deal with account compromises and such, but it's the bed we've made, and now we have to lie in it. There's a cost to be paid for simultaneously treating the SSN as a
Cause a leak of this magnitude: (Score:2)
The corporate veil is pierced. Management gets prosecuted and goes to prison.
But a law like this would never see the light of day in the United States which is a corporate oligarchy/s
Sort of like a corporate death penalty. (Score:2)
CRIMINAL PENALTIES (Score:1)
...are what's needed.
The mitigations available for consumers - credit monitoring, credit alerts & freezes - only protect credit ratings, not other aspects of identity theft, so it's time to make executives criminally liable for breaches over a certain size & impact that are shown to be due to negligence (i.e. anything that wasn't a zero day). The message should be clear: if you can't maintain a standard of security for personal data, don't get into the business.