National Public Data files for bankruptcy, admits 'hundreds of millions' potentially affected

The Florida business behind data brokerage National Public Data has filed for bankruptcy, admitting "hundreds of millions" of people were potentially affected in one of the largest information leaks of the year. In June, the hacking group USDoD put a 277.1 GB file of data online that contained information on about 2.9 billion …

  1. Anonymous Coward

    Bankruptcy shouldn't be an escape clause for accountability

    In this case it would only matter for the first few people in line before the owner's assets were depleted, but accountability for business-related misbehavior should be harder to escape than student loan debt, not easier. That should especially apply to the big boys too.

    Also, the free credit reporting thing should be a criminal offense. It's cheap, useless, bordering on a scam itself, and the companies selling it spend most of their take lobbying Congress. Should be banned like Ponzi schemes and pyramid scams.

    1. Doctor Syntax Silver badge

      Re: Bankruptcy shouldn't be an escape clause for accountability

      Time was people could be banged up for debt until they cleared it. Perhaps there's an argument for it in particularly egregious cases.

      1. ChoHag Silver badge

        Re: Bankruptcy shouldn't be an escape clause for accountability

        Too small to succeed?

        1. JoeCool Silver badge

          Re: Bankruptcy shouldn't be an escape clause for accountability

          too greedy to care?

        2. MachDiamond Silver badge

          Re: Bankruptcy shouldn't be an escape clause for accountability

          "Too small to succeed?"

          That's hard to say. It was a business without a lot of overhead, work from home and mostly automated so it could be operated part-time with no employees. If your life goals didn't include collecting luxury yachts, you could do ok. The barrier to entry doesn't seem all that great either. Makes me want to learn a lot more programming.

      2. O'Reg Inalsin

        Re: Bankruptcy shouldn't be an escape clause for accountability

        As if the first incarcerated wouldn't be "sickos" who had failed to make payments on their medical bills.

      3. herman Silver badge

        Re: Bankruptcy shouldn't be an escape clause for accountability

        The Mafia and various smaller outfits will still bang people up till all debt is settled.

    2. veti Silver badge

      Re: Bankruptcy shouldn't be an escape clause for accountability

      That's literally the whole point of bankruptcy. And it's credited, no pun intended, with creating an economy in which ordinary people can start whatever business they want to try. Otherwise, there would be a huge deterrent to anyone who wasn't already personally a billionaire.

      Not to defend this douche, credit brokers deserve flogging even if their business is going gangbusters, but this is the system working exactly as intended. And not for any nefarious reason, either.

  2. Anonymous Coward

    Blood / Pound of flesh

    Some people would accept blood or a pound of flesh as payment, if not enough money is provided.

    Anon, obvious

  3. Doctor Syntax Silver badge

    "The debtor’s insurance has declined coverage."

    Standard operating procedure.

    1. Gene Cash Silver badge

      I'm actually glad to see that.

      That sort of thing should NOT be covered unless you actually have some sort of security implemented.

      1. Richard 12 Silver badge

        No, absolutely not

        It should be illegal for corporate insurers to decline coverage after an event.

        They should be fully, 100% liable, on the basis that the insurer should have checked whether the insured party was taking reasonable steps before underwriting.

        If they can't be arsed to do that, then the insurer has to go down too.

        Otherwise they just take money for nothing whatsoever.

        1. Christoph

          Re: No, absolutely not

          That's liable to mean "We don't have to worry too much about security because our insurers have to pay out anyway".

          And everybody else's insurance premiums will massively increase to cover the loss.

          1. Richard 12 Silver badge

            Re: No, absolutely not

            No, it means "nobody will insure us because we're useless", which very quickly means "nobody will buy anything from us"

        2. flayman

          Re: No, absolutely not

          Insurers can decline coverage when the insured has violated the terms of the policy.

        3. Zippy´s Sausage Factory

          Re: No, absolutely not

          That's not really how insurance works, though. You agree what you're insuring for beforehand, not after something happens, and clearly they didn't read the small print.

          For example, if I have pet insurance, it won't cover my new kitten until I change the policy to explicitly add Meowzilla The Great, and I can't claim for the four hundred quid of vet's bills because he decided next door's dog needed to be taught a lesson in violence* if it happened before he was covered.

          It's the same as if you insure your Honda Accord and then buy a BMW, that won't be covered until you change the insurance. And if you never put any oil in your BMW and the engine explodes, there's almost certainly a clause about regular maintenance and due care and attention (or something like that) that means they're not going to cover you anyway.

          * yes, this is an Exodus reference. I do enjoy a bit of 80s thrash.

          1. Mythical Ham-Lunch

            Re: No, absolutely not

            Wrong example, the engine will explode no matter what you put in and the insurers know it :)

          2. MachDiamond Silver badge

            Re: No, absolutely not

            "It's the same as if you insure your Honda Accord and then buy a BMW, that won't be covered until you change the insurance. "

            Most insurance has a grace period that covers new vehicles in a limited way to give you time to notify them of the new car and they have the time to figure out how much more you will be charged.

            I expect you could get coverage that includes failing to do maintenance and the engine exploding, but it would be very expensive.

            I live out in the desert so I'm not covered if a tree falls on my car, floods, tornadoes, sinkholes, etc. There might be a tree that could fall on my car at some of my destinations, but I'll risk it.

            1. Zippy´s Sausage Factory

              Re: No, absolutely not

              That's true, but a lot of car dealers will sell you a seven day policy anyway, as those grace periods tend to restrict your coverage quite severely (or at least they did with the insurers I've encountered in the past).

        4. MachDiamond Silver badge

          Re: No, absolutely not

          "It should be illegal for corporate insurers to decline coverage after an event."

          Unless the insurance company has people monitoring their insured closely and regularly, all they can do is rely on their coverage terms. Have you read all of the fine print for your auto insurance? There are more outs than you can shake a lawyer at. You may expect something is covered, but it may not be, and assuming won't help. Public opinion won't help.

      2. JoeCool Silver badge

        Why are you "glad" that the sham business bought sham insurance to skirt sham regulations, and no one is interested in suing the insurer to fulfill their policy? Credit monitoring is the absolute minimum here.

        1. MachDiamond Silver badge

          "credit monitoring is the absolute minimum here."

          Everybody raise their hands that already has extensive credit monitoring.

          The ten at the back that didn't raise their hands must live under a rock, in Wyoming.

    2. Michael Strorm Silver badge

      > "The debtor’s insurance has declined coverage." Standard operating procedure.

      Vicar: It's about this letter you sent me regarding my insurance claim.

      Devious: Oh, yeah, yeah - well, you see, it's just that we're not, as yet, totally satisfied with the grounds of your claim.

      Vicar: But it says something about filling my mouth in with cement.

      Devious: Oh well, that's just insurance jargon, you know.

      Vicar: But my car was hit by a lorry while standing in the garage and you refuse to pay my claim.

      Devious: (rising and crossing to a filing cabinet) Oh well, Reverend Morrison, in your policy... in your policy... (he opens the drawer of the filing cabinet and takes out a shabby old sports jacket; he feels in the pocket and pulls out a crumpled dog-eared piece of paper then puts the coat back and shuts the filing cabinet).... here we are. It states quite clearly that no claim you make will be paid.

      Vicar: Oh dear.

      Devious: You see, you unfortunately plumped for our 'Neverpay' policy, which, you know, if you never claim is very worthwhile, but you had to claim, and, well, there it is.

      Vicar: Oh dear, oh dear.

  4. Tron Silver badge

    A wild west ... making billions of dollars per year you say?

    I'll fetch my stetson.

  5. Anonymous Coward

    Protecting Your Personal Data in this Environment

    ... is virtually impossible. Thus, to effectively protect one's privacy, one must provide false data which does not lead back to oneself.

    Yet using forged identity documents is a crime.

  6. GrouchyOldMan

    I assume he has no assets. Hopefully the companies from which he gets our data will be held liable for not doing their due diligence on him because his setup sounds like a joke.

    "In the accounting document [PDF], the sole owner and operator, Salvatore Verini, Jr, operated the business out of his home office using two HP Pavilion desktop computers, valued at $200 each, a ThinkPad laptop estimated to be worth $100, and five Dell servers worth an estimated $2,000."

    1. Jellied Eel Silver badge

      I assume he has no assets. Hopefully the companies from which he gets our data will be held liable for not doing their due diligence on him because his setup sounds like a joke.

      Unlikely. Like the article says, this 'industry' is largely unregulated, so the due diligence probably only extended to whether the funds cleared, or not.

      How to regulate is a whole different can of worms. Others have mentioned insurance, which might be one way. So NPD may have insured their tin, had DOI cover and should have had some public liability insurance as well. Regulators could try and say that liability cover should be say, $10 per record but that pushes the burden to insurers who can just decline cover anyway. I've insured projects before, and that can be a FUN! experience. So either submitting designs or having to comply with insurer's security requirements for things like physical security, along with systems security like firewalls, intrusion detection, log auditing etc. Comply, and should be covered but insurers can try to find ways to decline paying out. Luckily I've never had to test that.

      Then there's the incorporation issue, ie if the company had limited liability, there isn't a lot that can be done, unless fraud or negligence can be proven. But then that just exposes DOI cover or the owners assets, which would be insufficient to cover any losses.

  7. Ali Dodd

    "although the business pulled in $1,152,726 in the last financial year"

    So what were the costs of a one man band to run this business, as he obviously wasn't spending it on equipment or security? Where has a million dollars gone, Mr Verini?

    1. Brewster's Angle Grinder Silver badge

      The company seems to be Jerico Pictures Inc. So it's incorporated. And it's the business that's gone bankrupt. (Chapter 11, according to other reports.)

      So I imagine most of that money was going in salary/dividends to Mr. Verini and is untouchable thanks to incorporation.

      1. Groo The Wanderer Silver badge

        Maybe in the US, but not in Canada where those "dividends" are treated as the proceeds of criminal activity and seized.

        1. Brewster's Angle Grinder Silver badge

          What criminal offence has he profited from?

          I can't speak for Canada, but in the UK we have a Proceeds of Crime Act and I can't see how it would apply - even with GDPR. Because shoddy security is not (yet) a criminal matter.

      2. MachDiamond Silver badge

        "So I imagine most of that money was going in salary/dividends to Mr. Verini and is untouchable thanks to incorporation."

        The danger of being a one-man-band is that the "corporate veil" is much more easily pierced. Certain things can be excluded such as a home and an auto, but more liquid assets might be in danger. Being a single person operation, I would guess that it's an "S" corp rather than a "C" corp. The latter would offer more protection, but there are more costs and there needs to be more people involved occupying defined roles.

  8. flayman

    Mr Verini can rest assured that his own personal bankruptcy data will now be safe.

  9. Anonymous Coward

    So, this data was *for sale*, presumably *to every bidder* and the problem is that some entity posted it _for free_?

    Wha?

    1. Brewster's Angle Grinder Silver badge

      And it's likely most of that data was freely available already. The only function of the company seems to be to aggregate in one place and make it easy to use.

      1. MachDiamond Silver badge

        "The only function of the company seems to be to aggregate in one place and make it easy to use."

        That's what I was thinking. The product is the gateway and UI. The former to make sure people have paid and the latter to make the system easy to use.

    2. spuck

      If I were a lawyer, and obviously IANAL, I might try that tactic:

      "Your Honor, I move to dismiss on the grounds that my client is being charged with losing control of data which was freely collected from public sources online."

  10. John Smith 19 Gold badge

    1 Guy. 2.9 *billion* individual records

    2 home PCs

    Looks like those corporate clients did zero due diligence on who was handling this.*

    Which means all those people could have a case against both him and the companies that employed his company with the usual we-outsource-all-that-to-a-subcontractor-so-it's-not-our-fault BS.

    I smell class-action lawsuit

    *I mean literally f**k all.

    1. Anonymous Coward

      Re: 1 Guy. 2.9 *billion* individual records

      Those affected should sue the makers of the computers for providing the tools for him to do this.

    2. Anonymous Coward

      Re: 1 Guy. 2.9 *billion* individual records

      Perhaps he was using Kaspersky to protect his PCs, so it's now the US Government's fault?

      (Joke alert)

    3. MachDiamond Silver badge

      Re: 1 Guy. 2.9 *billion* individual records

      "2 home PCs"

      ... and a few servers.

      My iMac was bought for $25 (2012 27" 5K Retina). The glass is cracked and that would be a fortune to replace, but it works a treat. Serving up a database via subscription isn't a monstrous task.

      I've had an idea for a similar sort of business, but not involving PII and there would be no problem running the whole thing on Ferris Bueller's dad's old PC (got it at an estate sale).

    4. veti Silver badge

      Re: 1 Guy. 2.9 *billion* individual records

      What I want to know is, how he got to 2.9 billion people.

      That's the entire population - every last adult, child and baby - of North and South America, Europe and about a third of Asia. Or some equivalent distribution. I can't even imagine what a patchwork of data protection laws apply in all those countries.

      The number - doesn't really pass the smell test, for me. I kinda suspect that about 2.5 billion of those "people" are the same people under slightly different names.

      1. MachDiamond Silver badge

        Re: 1 Guy. 2.9 *billion* individual records

        "What I want to know is, how he got to 2.9 billion people."

        You just plonk down for the "Big Data Starter Kit".

        I think that it's 2.9bn "records" rather than people. Corporations are often considered as if they are a person for many legal situations.

        Even though the world is pushing 8bn people, more than 2/3rds won't be worth tracking unless/until they have enough money to open an account at a proper bank. The two big hurdles will be the money and also the need to use a bank.

  11. rivimey

    At what point do people start taking information security seriously?

    I used to think that once big companies started losing big money the shoddy practices would cease, but apparently not: here we are. I also think that software developers need to be (more) regulated, such that a developer asked to (or under time pressure) create shoddy or ill-tested code has the backing to say no, in just the same way a civil engineer asked to create an unsafe building must say no. However, I don't see that happening soon either.

    What, then? When will people with clout (e.g. business owners, regulators, investors) say enough is enough and do something to stop the plague of crap code and crap security practices? (excuse the french, please :)

    1. Caver_Dave Silver badge

      Software development and security in its wider forms could be regulated.

      In the UK, for instance, if you want to be an accountant you have to be chartered, and the same in many other professions.

      There is a Chartered IT Professional qualification, but this proof of competency and ongoing CPD is not required before you can practice as a SW Engineer. (Look up SFIA for the sort of competencies people can be measured against across the wider IT realm.)

      But a larger factor is the fact that corporate finance departments don't want to pay for qualified individuals to produce quality, but just the bare minimum working botch from some offshore sweat house.

      Caver_Dave CITP MBCS MIEEE

      1. heyrick Silver badge

        "but just the bare minimum working botch from some offshore sweat house"

        <cough> Horizon </cough>

        1. nobody who matters Bronze badge

          ....except that Horizon was home-grown, not from some offshore sweat house ;)

  12. Groo The Wanderer Silver badge

    Well, seeing as he's "broke", I guess they'll have to seize his car, his home, and all his other personal assets. Declaring a "business" bankruptcy should not let you keep any of the profits at all.

    1. Twilight

      Actually it does. It is a corporation so technically a completely different entity from Verini. Unless gross negligence (or a few other very specific things) can be proven, Verini's assets are protected in the case of the corporation going bankrupt.

      1. Groo The Wanderer Silver badge

        Well, in Canada taking the money from the corporation is considered "gross negligence" by corporate management and they LOSE what they effectively stole from the business.

        1. nobody who matters Bronze badge

          Neither he, nor his company is in Canada though ;)

        2. MachDiamond Silver badge

          "Well, in Canada taking the money from the corporation is considered "gross negligence" by corporate management and they LOSE what they effectively stole from the business."

          The "taking" could have been in the form of a regular salary plus a dividend from profits. That's not gross negligence. Even if you are a one person show, you should set your company up to pay you a regular salary once it's on a good enough footing.

          1. Anonymous Coward

            It can be clawed back in the UK too - as I recall, if you've neglected your obligations as a director or you've paid out dividends when insolvency was foreseeable. Don't recall the exact details - turns out corporate law is interesting, but not interesting enough for an entire Masters - but I know taking a massive dividend then immediately declaring bankruptcy is not necessarily the end of the story. However, not sure either of that applies here; gross negligence is more than just being incompetent. A good thing too, or the jails would be even more full.

            1. Brewster's Angle Grinder Silver badge

              "...paid out dividends when insolvency was foreseeable."

              Any dividends he paid out after the hack - fair enough. But unless he colluded with the hackers, nobody is going to claim the particular hack was foreseeable.

              Anyway, as we all know, the trick is to take out a massive dividend and then sell it on to some schmuck as a going concern for £1 and leave them to run it into the ground.

  13. Anonymous Coward

    Suggestion to Mr Verini

    If you have a boat sir, sell it or at least don't sail in it, if you don't have a boat, don't buy one.

  14. rcx141

    I think this is him

    I believe this to be the man himself

    https://www.salvatoreverini.com/

    1. spuck

      Re: I think this is him

      Careful, you've released publicly available data into the wild!

  15. Chairman of the Bored

    BOHICA

    I got popped in this one and reported the issue to my company's security officer, per procedure.

    She looked at the documents and said, "Damn! They got everything but your sperm count"

    One week later, I got the notice from Change Healthcare that all my medical records are up for grabs.

    So, yeah, I guess someone DID get my sperm count after all...

  16. herman Silver badge

    How do you “lose” data that was already public?

    1. MachDiamond Silver badge

      "How do you “lose” data that was already public?"

      Was it? That might depend on what data sources were used in this company's database. I see the opaqueness of data as a big problem with some of these companies. If you buy information from the dark web that was obtained in a non-standard way and incorporate it into your database, the data's origin is hard to ascertain in many cases unless it only lived in one place.

      The aggregation and organizing of the data makes it much more valuable. I could comb public sources of information on people, but it would be a pain, so most people are safe. If all it takes is a subscription or a small one-time payment, that's a big difference. I have all of the chemicals I would need to make some explosives (most people do), but until I mix them together (without losing a hand) and have something ready to go boom, it's not an issue.

      1. spuck

        Well, according to the Wikipedia article:

        Their primary service is collecting information from public data sources, including criminal records, addresses, and employment history, and offering that information for sale.

        1. MachDiamond Silver badge

          "Their primary service is collecting information from public data sources, including criminal records, addresses, and employment history, and offering that information for sale."

          Plenty of other businesses sell their lists too. UPS, DHL, FedEx, etc, just to name some shipping firms. If you get good at merging the data and also have a way to note the number of times certain bits of data are reinforced, your confidence bar goes up on that data/person/entity.

  17. Dostoevsky Bronze badge

    And the name of the CISO...

    ...is Mr. Ho Lee Fuk.

  18. CosmicTourist

    Way past time for mandatory universal encryption of all personal data

    All personal data stored in computer systems globally should be encrypted. Period.

  19. Grinning Bandicoot

    Bankrupt??

    This filing may possibly be a ploy to force the insurance underwriters into court and have them, at the taxpayers' expense, explain why they are not liable. The direct suit against the insurance company would end up at the heat death, with everybody but the insurance being broke.
