The Breach That Changed the Identity Verification Landscape
In December 2023, National Public Data — a background check and data aggregation service used by financial institutions, employers, and other organizations — suffered one of the most significant data breaches in recorded history. NPD did not publicly confirm the incident until August 2024. By then, the data had been offered for sale on dark web forums, and the scale of the exposure was clear: 2.9 billion records containing full names, dates of birth, addresses, phone numbers, and Social Security numbers for individuals across the United States, United Kingdom, and Canada.
The root cause was not a sophisticated cyberattack. A publicly accessible file containing plain-text usernames and passwords — including administrator credentials — had been left exposed. The breach that compromised an estimated 60% of all historical Social Security numbers ever issued by the IRS was, at its core, a basic access control failure.
For lenders, the NPD breach is a compliance case study as much as a security incident. It directly tested the vendor oversight provisions of the GLBA Safeguards Rule, raised fundamental questions about the integrity of identity verification data, and created a lasting expansion of the raw materials available for synthetic identity fraud.
Lenders using LASER's COMPLY pillar have vendor oversight documentation and incident response workflows built directly into their Salesforce environment. Schedule a Compliance Discussion to assess your program against current Safeguards Rule requirements.
What the NPD Breach Exposed
The scale of the NPD breach requires context to understand its implications for lending institutions:
| Data Category Exposed | Fraud Risk Created |
| --- | --- |
| Social Security Numbers (272M+ Americans) | Foundation for synthetic identity creation; tax fraud; new-account fraud |
| Full Names and Dates of Birth | Combined with SSNs to build complete synthetic identity profiles |
| Addresses (current and historical) | Address verification bypass; mail intercept for account takeover |
| Phone Numbers | SIM swap preparation; account recovery bypass |
The breach did not directly compromise lenders' own systems. But it expanded the available inventory of identity data that fraudsters can use to construct synthetic identities — identities that then appear at lenders' front doors as credit applicants.
As detailed in our analysis of how synthetic fraud works, synthetic identities are built from real PII elements like those exposed in the NPD breach. The combination of a real Social Security number with fabricated supporting details creates an identity that passes standard KYC document verification and builds a legitimate-looking credit profile over time. The NPD breach materially lowered the cost and difficulty of constructing these identities.
The Vendor Risk Compliance Failure
The NPD breach is a direct illustration of what the GLBA Safeguards Rule's vendor oversight provisions are designed to prevent — and why those provisions place the compliance burden on the financial institution, not on the vendor.
Under 16 CFR Part 314, covered financial institutions must:
- Select and retain service providers that maintain appropriate safeguards for customer information
- Require by contract that service providers implement and maintain appropriate safeguards
- Monitor service providers' safeguards on an ongoing basis, not just at initial selection
NPD's access control failure — a publicly accessible credentials file — is exactly the type of basic safeguard that financial institutions' vendor contracts should have required and their ongoing oversight should have verified. Institutions that had not included specific, contractual security requirements in their NPD vendor relationships were left with limited recourse and heightened regulatory exposure.
The Safeguards Rule does not transfer responsibility to vendors. GLBA compliance obligations remain with the financial institution regardless of where in the vendor ecosystem a failure occurs. As covered in our analysis of what lenders need to know about third-party risk, this means vendor breaches trigger the institution's own incident response and potentially its own FTC notification obligations.
The FTC Notification Requirement: A Compliance Clock
Effective May 2024, the FTC Safeguards Rule requires covered financial institutions to notify the FTC when a notification event affects 500 or more customers. A notification event is defined as unauthorized acquisition of unencrypted customer information — or encrypted information where the encryption key was also acquired.
The notification must occur as soon as possible and no later than 30 days after discovery. The 30-day clock starts at discovery — not at confirmation, not at completion of investigation. For lenders whose customer information was held by NPD, the discovery date question became a live compliance issue the moment the breach was publicly confirmed in August 2024.
Institutions whose incident response plans had not been updated to reflect the May 2024 notification requirement — or whose plans did not clearly define the discovery-to-notification timeline — faced gaps in their compliance posture at exactly the moment they needed clarity.
What the NPD Breach Means for Identity Verification
Beyond the immediate compliance implications, the NPD breach has lasting effects on the reliability of identity verification for lenders. The exposed data includes the foundational elements that identity verification systems use to confirm applicants are who they claim to be — SSNs, dates of birth, names, and addresses.
When this data is available in bulk on dark web markets, fraudsters can construct identity packages that pass document verification, credit file checks, and basic KYC procedures. The verification systems that were designed to catch fraudulent applications are now operating against a threat that holds the same data those systems use to verify legitimacy.
The practical response for lenders is layered verification — not relying on any single data element, but cross-referencing identity across multiple sources, using behavioral signals alongside document and data verification, and maintaining sequenced compliance controls that treat every identity as unverified until the full CIP process is complete.
Building Vendor Risk Management That Holds Up Under Examination
The NPD breach revealed the specific elements of vendor risk management programs that regulators will evaluate after a major third-party incident:
- Contract specificity — Did vendor agreements include specific security requirements, or general language about "industry-standard" practices?
- Ongoing oversight — Was there evidence of periodic vendor security reviews, not just initial due diligence?
- Incident response integration — Was the vendor required to notify the institution promptly of security events? Was that notification timeline defined contractually?
- Data inventory accuracy — Did the institution know which of its customer data categories were held by which vendors?
Institutions that can document specific contractual security requirements, periodic vendor reviews, a contractually defined vendor notification timeline, and an accurate inventory of which vendors hold which customer data are demonstrating the kind of vendor risk program that the Safeguards Rule requires and that examiners expect to see following a major third-party breach.
What This Means for Your Institution
The National Public Data breach is not a historical incident — its effects on the identity fraud landscape are ongoing. The data exposed in that breach continues to circulate in fraud ecosystems and continues to be used in synthetic identity construction and account fraud schemes that arrive at lenders' front doors every day.
The compliance response is not primarily technical. It is programmatic: vendor contracts that require specific safeguards, incident response plans with defined discovery-to-notification timelines, board-level information security reporting as required by the Safeguards Rule, and an identity verification program that treats the NPD-era threat environment as the baseline — not the exception.
Schedule a Compliance Discussion to review your GLBA Safeguards Rule vendor oversight provisions and incident response program against the compliance requirements the NPD breach brought into focus.
