Big Breach Sends National Public Data to Bankruptcy
Following a data breach and its fallout, data broker National Public Data files for Chapter 11 bankruptcy.
The burden of litigation and costs associated with a data breach pushed this data broker to file for bankruptcy protection. Earlier this year, National Public Data (NPD) experienced a significant data breach. A hacker stole and posted for sale a database that allegedly contained data from 2.9 billion individuals. NPD, a data broker that collects information used in background checks, became subject to class action lawsuits, as well as state and federal government investigations. On Oct. 2, Jerico Pictures, Inc., doing business as National Public Data, filed for Chapter 11 bankruptcy.
“The combined burden of cooperating with these investigations and addressing the various expectations of regulators has overwhelmed the company and led the enterprise to seek Chapter 11 bankruptcy protection. We anticipate that the Chapter 11 process will provide the best opportunity to determine how best to address the impact to the affected individuals and provide the greatest visibility in that process,” according to an emailed statement from a spokesperson for the company.
While NPD and the individuals impacted by the breach navigate the fallout, data breaches continue to be a regular occurrence. As other companies face breaches that involve millions and even billions of records, could we see bankruptcy as the outcome again?
Financial Fallout
NPD’s general liability policy will not provide any coverage, which means full financial responsibility falls to the data broker. It faces an onslaught of class action lawsuits in several states. The US House Committee on Oversight and Accountability is investigating the breach.
There is also the question of notifying the individuals impacted by the breach and offering credit monitoring, another substantial expense.
“There is a factor called take rate, which is the percentage of people who actually sign up if you offer it. And take rates are typically very low and going lower because so many people already have credit monitoring from another breach,” David White, cofounder and president of Axio, a cyber management software company, explains. “I suspect their big cost is really going to be the class action suits.”
The company has $33,105 in a checking account and office equipment worth $5,445, according to the bankruptcy petition. With so few assets and considerable liability, it is unlikely the company will remain in business.
More Breaches, More Bankruptcies?
This year has been a big one for data breaches. The cyberattack on Change Healthcare rocked the health care industry. Major data breaches piled up following the theft of Snowflake credentials. The average global cost of a data breach in 2024 is $4.88 million, a 10% jump from last year, according to IBM.
Many large companies can absorb the costs of data breaches: the investigation, the remediation, the lawsuits, the crisis communication, the lost revenue, the brand damage. It would not be surprising to see smaller, less prepared companies buckle under the weight of that hefty price tag.
Data breaches can take their toll on big-name companies, too. Last year, hackers stole data on millions of 23andMe customers. The genetic testing company agreed to pay $30 million to settle a class action lawsuit.
Now, the future of 23andMe is murky. It once had a $6 billion valuation, but the beleaguered company has recently seen a mass board resignation and drop in share prices, according to The New York Times. Questions about the business’s continuing viability and what it means for the genetic data it has amassed abound.
Could more companies find themselves in financial precarity following big breaches? “I think yes, we're going to see more and more cases where companies can't survive such a breach,” Steve Cobb, CISO at SecurityScorecard, a cybersecurity ratings, response, and resilience company, tells InformationWeek.
Doing Business in the Age of Data Breaches
Choose your metaphor: data is the new oil, data is king, etc. Today, data is big business for companies, and for threat actors, too. How can enterprise leaders continue to collect and leverage that valuable, sensitive data when a single successful breach could spell financial disaster?
The answers lie in risk management and mitigation. White emphasizes the importance of quantifying cyber risk to best understand an organization’s resilience to a cybersecurity incident.
“It's really the only way that they [organizations] can test their resilience to an event: by understanding whether they have the financial reserves necessary to live [and] fight another day,” he shares.
Once a leadership team quantifies organizational cyber risks, they can mitigate them with the right controls, like an incident response plan.
“If you have an … incident response [plan] in place, many times you can have shortcuts to give you a better outcome: [better] negotiation with threat actors, better discovery, better understanding [of] what controls you [have in] place, better understanding of what data is where,” says Cobb.
Quantifying cyber risk is also essential for organizations to understand what kind of insurance coverage they need and how much. Cobb encourages enterprise leaders to pull their cyber insurance policies, examine them for potential gaps, and start discussions with their insurance brokers.
“The right type of policy here could potentially save a company and give them at least some type of financial cushion where they can have a response that doesn't completely wipe them out and require a claim for bankruptcy,” he says.