How 2.9 Billion Records Got Exposed: The National Public Data Breach Explained

Martin Holloway | Published 7d ago | 5 min read | Based on 4 sources

A hacker broke into National Public Data's systems in December 2023 and spent four months quietly copying data before leaking 2.9 billion personal records to the dark web in April 2024. The breach potentially affects as many as 170 million people in the United States, United Kingdom, and Canada, according to Microsoft's Defender advisory.

For most of those 170 million people, this is the first they've heard of National Public Data — a company they've never done business with. That's because National Public Data is a data broker. Its job is to collect personal information from public records, court documents, and other sources, then package and sell that data to insurance companies, lenders, and other businesses. The exposed records include Social Security numbers, home addresses, dates of birth, and other identifying information that criminals can use to commit identity fraud, create fake identities, or target people with convincing phishing scams.

How the Breach Happened

The attacker's approach followed a familiar playbook that security experts see repeated over and over: get inside the system, stay quiet for months, explore the network to understand what's there, gain higher-level access, then copy as much data as possible at a leisurely pace. The four-month gap between December 2023 and the April leak shows this was a deliberate operation, not a quick smash-and-grab.

Data brokers present a special problem in the breach landscape. When a typical retailer or software company gets hacked, the damage is limited to their customers. A data broker's entire business model is to accumulate as much personal information as possible. That means their systems hold data on tens or hundreds of millions of people, most of whom have never agreed to be there. The 2.9 billion records figure likely contains the same person appearing multiple times across different datasets — that's why 2.9 billion records can correspond to 170 million unique individuals. Still, if your Social Security number is now in a criminal's hands, that number is just as exposed whether you appear once or ten times in the leaked data.

A Year of Record-Breaking Breaches

The National Public Data incident was not an isolated event. Analysis by NordLayer found that breaches in 2024 collectively exposed over one billion records. Even without counting National Public Data, the year showed how sustained and intense the threat has become.

The overall trend is sobering. The US hit a record 1,862 reported data breaches in 2021, according to UpGuard's tracking, and the numbers have not dropped since. More connected systems, richer databases of personal information, and professional criminal ransomware operations that steal and sell data have all kept the breach rate high.

The Passport Lesson from Marriott

The National Public Data breach calls to mind the 2019 Marriott breach, which exposed data on approximately 383 million hotel guests over a four-year span. That breach included unencrypted passport numbers for 5.25 million people and encrypted passport numbers for roughly 20.3 million more. Passport numbers combined with travel history are especially valuable to foreign government intelligence agencies; the US and UK governments later attributed the Marriott breach to Chinese state-sponsored hackers.

The comparison shows how the type of organization matters. Hotels hold travel patterns and identity documents. Data brokers hold the glue that binds identity together — the cross-referenced personal details that let an attacker build a detailed profile of someone without ever targeting that person directly.

History also offers a sobering reminder about how long breach damage can persist. When Yahoo's full breach came to light in 2016, it involved 3 billion compromised accounts — though that figure took years to emerge completely. For years afterward, criminals used those stolen passwords in "credential stuffing" attacks, trying the same email and password combinations on other websites where people had reused passwords. The broader context here is that the real danger from a breach often becomes clear only months or years later, as criminals use the stolen data in coordinated attacks. SSNs, home addresses, and birthdates do not change like passwords do — they are tools that work for attackers indefinitely.

What Organizations and Individuals Can Do

For security teams and IT professionals, the response toolkit is well known, though many organizations still lag in using it.

If your organization handles employee or customer personal data, identity monitoring and dark-web scanning should already be in place. These tools — including the identity protection features in Microsoft Defender — can alert you when employee credentials show up in leaked databases and flag unusual login patterns that might signal account takeover attempts based on stolen data. If the National Public Data breach is the first time your organization is considering these protections, that conversation is overdue.

For individuals in the US, one powerful step costs nothing and works without much hassle: place a credit freeze with each of the three major credit bureaus (Equifax, Experian, and TransUnion). A freeze prevents most forms of fraud because lenders cannot pull a credit report to open new accounts. It can be temporarily lifted when you need legitimate credit, and the protection is very difficult for criminals to circumvent. Security teams should be telling employees and customers about this option.

The harder problem is systemic. Data brokers collect information from public records and licensed sources, which means most people cannot fully opt out. US federal privacy law is fragmented and weak. Some states — California's CCPA and CPRA are the strongest examples — give people the right to delete information about themselves and opt out of data sales. But a national data broker can still legally collect and sell data about people in states with weaker protections.

The regulatory landscape here is not new — data brokers have operated in this gray zone for years. But breaches of this size do tend to get lawmakers' attention. What remains to be seen is whether that attention leads to real reform or follows the familiar pattern of hearings followed by inaction.

The Lasting Risk Ahead

The National Public Data breach exposed data that never expires. Unlike a stolen credit card, which a bank can cancel and replace, a Social Security number is permanent. That permanence makes the stolen data dangerous not just for immediate fraud but for years-long operations: criminals building fake identities, taking over accounts tied to your name, or using verified personal details to engineer their way past security questions or customer service representatives.

Organizations need to think through how this breach affects their security planning. The data is public now in criminal channels. The question for defenders is how sophisticated the attacks built on this data will become — and whether you have closed the security gaps that would let those attacks succeed.

The longer arc of technology history offers some grounds for measured hope. Over decades, the industry has steadily built better tools for protecting data, regulators have moved — slowly — toward stronger rules, and organizations have gradually improved their security practices. But the real harm happens in the years between when a breach occurs and when systematic improvements take hold. Shrinking that gap is where the urgent work lies.