In the summer of 2024, a background check company called National Public Data suffered what may be the largest data breach ever recorded by number of records. A threat actor published a dataset claiming to contain 2.9 billion rows of personal information: Social Security numbers, full names, addresses, and family member relationships — scraped and aggregated from public records and other sources.

National Public Data is a data broker. Most people have never heard of it. That is precisely the problem. Data brokers collect, aggregate, and sell personal information without any direct relationship with the individuals whose data they hold. There is no signup, no terms of service, no notification when your data is included. And when they are breached, you find out from a news headline.

The company filed for bankruptcy following the breach. Multiple class action lawsuits were filed. For the individuals whose information was exposed, the practical result is that Social Security numbers and addresses tied to family trees are now widely available to anyone willing to look.

The National Public Data case is an argument for federal data broker regulation that the US has not yet passed. In its absence, the data broker industry continues to operate with minimal accountability, accumulating sensitive data on hundreds of millions of people who have limited ability to opt out.