National Public Data: 2.9 Billion Records and the Death of Background Check Security
In 2024, a background check company leaked 2.9 billion records including Social Security numbers of virtually every American. When the data broker is the breach, the entire identity model collapses.
The Breach
In early 2024, National Public Data — a data broker that sells background checks — suffered a breach that exposed approximately 2.9 billion records containing Social Security numbers, names, addresses, and family relationships of virtually every person with a U.S. credit file. The company (operated by Jerico Pictures Inc.) subsequently filed for bankruptcy.
The Impact
- 2.9 billion records — including SSNs of nearly every American (multiple records per person)
- Full names, current and previous addresses, family member associations
- Data appeared on dark web forums for as little as $3.5 million
- SSNs are used as quasi-authentication for credit, loans, and government services
- Company filed for Chapter 11 bankruptcy
The Fundamental Problem
This breach exposes the absurdity of using Social Security numbers as identity verification. SSNs were designed in 1936 as accounting numbers for the Social Security program — not as authentication credentials. Yet they're used to verify identity for:
- Credit applications
- Bank account openings
- Tax filing
- Medical records access
- Government benefits
When a background check company can leak every American's SSN, the entire model of "prove your identity by knowing a number" collapses.
How KAVI Protocol Renders This Breach Meaningless
Knowledge-Based Authentication Is Obsolete
KAVI replaces "something you know" (passwords, SSNs, mother's maiden name) with "something you are in real-time" — your behavioral signature. An attacker armed with your SSN, address, and family history still cannot replicate your Surprise Signature.
Stolen Static Data Has Zero Authentication Value
Under KAVI, knowing someone's SSN is irrelevant to authentication. The system doesn't ask "what number do you know?" — it measures "are you behaviorally consistent with the person you claim to be?" All 2.9 billion stolen records become useless for impersonation.
Identity That Cannot Be Leaked by Third Parties
The National Public Data breach happened at a third-party data broker — an entity users never knowingly interacted with. Under KAVI, your authentication exists only in the moment of your interaction. No third party stores your behavioral identity, so no third party can leak it.
Conclusion
The National Public Data breach is the logical endpoint of knowledge-based authentication. When the "secrets" used for identity verification are held by data brokers you've never heard of, and those brokers can leak everything, the entire paradigm is broken beyond repair. KAVI's behavioral identity can't be stored in a database, can't be sold by a data broker, and can't be breached by a company you've never heard of.
References & Citations
- Bloomberg Law (2024). "National Public Data Breach Exposes Millions of Social Security Numbers."
- U.S. District Court, Southern District of Florida (2024). Class Action Filing: Hofmann v. Jerico Pictures Inc.
- Troy Hunt (2024). "National Public Data breach analysis." Have I Been Pwned Blog.
Related Posts
Colonial Pipeline: How a Single Stolen Password Shut Down America's Fuel Supply
In May 2021, a single compromised VPN password led to the largest fuel pipeline shutdown in U.S. history. DarkSide ransomware demanded $4.4 million. KAVI Protocol would have made this attack structurally impossible.
3 Billion Accounts: The Yahoo Breach That Proved Passwords Cannot Scale
The largest data breach in history exposed every single Yahoo account — 3 billion credentials. Bcrypt couldn't save them. KAVI's zero-storage model means there's nothing to breach.
LastPass: When the Password Manager Itself Gets Breached
In 2022, LastPass — trusted by 33 million users to protect their passwords — was breached. Encrypted vaults were stolen. The guardian of secrets became the single point of failure.