National Public Data Breach Lawsuit 2026: What to Do If Your SSN Was Exposed by a Background-Check Data Broker
A Background-Check Company Got Hacked — Why Was Your Information Even There?
In 2024, news broke that National Public Data — a data broker that compiles background-check and identity-verification datasets — had suffered a major breach. For most people who heard about it, the first reaction was confusion: “I’ve never used this company. Why would my information be in their system?”
That confusion is exactly the point. National Public Data doesn’t sell subscriptions to consumers. It’s a back-end supplier — the kind of company that employers, landlords, and screening services quietly rely on to run background checks. Your name, address history, date of birth, and — based on widespread reporting — your Social Security number may have been compiled into a profile you never created and never agreed to.
This article walks through four things: how data brokers like this collect information about you in the first place, why an exposed Social Security number is fundamentally different from a leaked password or card number, what kinds of legal claims typically get raised against a data broker after a breach like this, and — most importantly — exactly what to do right now.
This article is for general informational purposes only and is not legal advice. For guidance specific to your situation, consult a licensed attorney or the official settlement administrator for any relevant case.
What Exactly Is a Data Broker, and Why Does It Have My Information Without My Consent?
“Data broker” might sound like an obscure term, but it describes a multi-billion-dollar industry operating largely behind the scenes in the United States. These companies build consumer profiles from sources that include:
- Public records — property deeds, court filings, marriage and divorce records, voter registration rolls, business licenses. All of this is, by law, accessible to anyone.
- Commercial transaction data — loyalty program sign-ups, warranty card registrations, catalog purchases — much of which gets resold to third parties under terms buried in privacy policies.
- Online and social activity — public profiles, posts, and location data scraped or licensed from platforms.
- Resale between brokers — one broker’s dataset gets sold to another, then another, making it nearly impossible to trace who actually holds your information at any given time.
These compiled profiles feed into pre-employment background checks, tenant screening, insurance underwriting, and marketing. The result is that simply by living in the U.S. — buying a home, appearing in a court record, registering to vote — your information can end up in a data broker’s database without you ever signing a form.
What made the National Public Data incident especially concerning is that reporting indicated the exposed dataset included Social Security numbers — a category of government-issued identifier that, in most contexts, should never be part of a routine background-check data product in the first place.
Why an Exposed SSN Is a Different Category of Problem Than a Card Number Leak
If your credit card number leaks, you call the issuer, the card gets canceled, a new one arrives in the mail, and the old number becomes useless. The problem is largely solved within days.
A Social Security number doesn’t work that way. It’s a lifelong identifier — getting a new one is exceptionally rare and reserved for extreme circumstances. Once an SSN is out, the exposure window isn’t measured in days. It’s measured in years.
Types of Harm That Can Stem From SSN Exposure
| Harm Type | What It Looks Like |
|---|---|
| New-account fraud | Credit cards or loans opened in your name, with statements sent to an address you don’t control — often invisible until collections calls start |
| Tax refund interception | A criminal files a tax return using your SSN before you do, claiming your refund |
| Medical identity fraud | Someone uses your SSN and insurance details to receive treatment, contaminating your medical records |
| Synthetic identity fraud | A real SSN gets paired with a fabricated name and date of birth to build an entirely new “person” with credit history — can take years to detect |
| Government benefits fraud | Unemployment benefits, Social Security benefits, or other government payments diverted to someone else |
Synthetic identity fraud deserves special attention because it’s so hard to catch. Because the fraudster isn’t impersonating you directly — they’re creating a new identity that merely borrows your SSN as a building block — the activity often won’t show up on your existing credit report at all. That’s part of why ongoing monitoring matters even if nothing looks wrong today.
What Legal Claims Typically Apply to a Data Broker Breach Like This?
Lawsuits filed after large-scale breaches at companies like National Public Data tend to follow a recognizable pattern of legal theories. The important caveat: which of these claims actually survives in court, and what damages are recoverable, depends entirely on the specific facts, the jurisdiction, and how the litigation unfolds — none of this should be read as a guarantee of any particular outcome.
- Negligence — the argument that the company failed to implement reasonable security measures (encryption, access controls, timely patching of known vulnerabilities) that could have prevented or limited the breach.
- Breach of implied contract — the argument that by collecting and storing personal information, the company implicitly agreed to protect it with reasonable safeguards, and breached that understanding.
- State consumer protection and breach notification statute violations — many states have specific laws governing how companies must handle, secure, and disclose breaches involving personal data.
- Invasion of privacy / unjust enrichment — arguments centered on the unauthorized collection, retention, or sale of personal information in the first place, independent of the breach itself.
A key threshold issue in these cases is whether plaintiffs can show a “concrete injury” — courts increasingly require more than “my data was exposed” and look for evidence of actual harm: fraudulent charges, tax refund theft, time and money spent on credit monitoring, or documented identity theft. This is precisely why documenting any unusual activity (covered below) matters, both for your own protection and for any potential legal claim.
Three Scenarios — How This Plays Out in Practice
These are illustrative hypotheticals, not descriptions of real individuals or actual cases.
Scenario 1: “I got a notice, but nothing seems wrong”
Maria received a breach notification letter in the mail. Her credit card statements look normal, nothing seems off, so she sets the letter aside.
What this misses: the absence of visible problems today doesn’t mean the data isn’t being held for later use, or that it isn’t already being used in ways that won’t surface for months — particularly with synthetic identity fraud. Placing a credit freeze now costs nothing and takes about 10–15 minutes per bureau. It’s the rare security step that’s both free and high-impact, and it doesn’t interfere with daily life as long as you know how to temporarily lift it when you actually need new credit.
Scenario 2: “I got a text about an account I didn’t open”
David received a text message confirming a new credit card application. He hadn’t applied for anything. He logged into his bank and confirmed: a new account had, in fact, been opened in his name.
What to do: This has crossed from “exposure” into “active fraud.” Report it immediately to the financial institution involved, place a fraud alert and/or freeze with all three credit bureaus if you haven’t already, document every communication and transaction with screenshots and dates, and file a report at IdentityTheft.gov. At this stage, consulting an attorney about whether you have an individual claim — separate from any class action — is also worth doing, especially if you’ve incurred out-of-pocket costs.
Scenario 3: “I’ve gotten notices from multiple breaches this year”
Jennifer received a notice about the National Public Data incident, and separately, a notice about an unrelated breach at a different company months earlier. She isn’t sure which one might be responsible if something goes wrong.
What to do: Treat each breach as a separate matter with its own official settlement process and claims deadline. You don’t need to determine “which breach caused it” before taking protective action — credit freezes and monitoring address the risk from any of these exposures simultaneously. Keep both notices on file, since you may need to file separate claims for each if and when settlements are reached.
The Credit Freeze Checklist: All Three Bureaus, No Exceptions
If there’s one action this entire article boils down to, it’s this: freeze your credit file at all three major bureaus. Freezing only one leaves the other two wide open for someone to use your SSN to open new accounts.
| Bureau | How to Freeze | Cost |
|---|---|---|
| Equifax | Online portal or phone request; identity verification required, freeze applies immediately | Free under federal law |
| Experian | Create an online account, request freeze; applies immediately | Free |
| TransUnion | Online portal or phone request; applies immediately | Free |
Credit freeze action checklist:
- Placed a freeze with Equifax, Experian, AND TransUnion — all three, separately
- Saved the PIN or password needed to lift each freeze in a secure password manager
- Know how to temporarily lift a freeze before applying for new credit (usually instant online)
- Checked whether a minor’s credit file (for any children) needs a protective freeze too
- If already enrolled in credit monitoring, kept it active alongside the freeze (the two are complementary, not redundant)
Warning Signs of Identity Theft — Act Immediately If You See These
If any of the following happen, you’ve likely moved from “potential exposure” to “active harm,” and the response needs to escalate accordingly.
- You receive approval or denial notices for credit you never applied for
- Your credit report shows accounts or hard inquiries you don’t recognize
- The IRS notifies you that a tax return has already been filed under your SSN — before you’ve filed
- You receive medical bills for services you never received
- Your credit score drops sharply without an obvious cause
- Mail starts arriving addressed to you at an unfamiliar billing address
If you notice any of these, file a report at IdentityTheft.gov (run by the U.S. Federal Trade Commission), which generates a personalized recovery plan and can help you contact creditors and bureaus directly.
Fraud Alerts, Credit Locks, and Freezes — Don’t Mix These Up
The terminology around credit protection tools gets confusing fast, and that confusion sometimes leads people to think they’ve done more than they actually have.
- Fraud alert — a flag on your credit file that tells lenders to take extra steps to verify your identity before extending credit. An initial fraud alert lasts about a year and is free; an extended fraud alert (for confirmed identity theft victims) lasts longer. A fraud alert doesn’t block anything — it just adds a verification step, which a determined fraudster can sometimes get around.
- Credit lock — a feature offered by some bureaus, often bundled with paid monitoring products, that functions similarly to a freeze but is governed by the bureau’s terms of service rather than the federal freeze statute. Locks can sometimes be toggled faster through an app, but the legal protections aren’t identical to a freeze.
- Credit freeze — the strongest option, governed by federal law, free at all three bureaus, and the one this article recommends as the priority action.
If you’re choosing between these, a freeze at all three bureaus is the baseline. A fraud alert can be a reasonable add-on if you want lenders to double-check identity even after you’ve temporarily lifted a freeze for a legitimate application — but don’t let a fraud alert give you a false sense of having “handled it” if you haven’t also frozen your files.
What About Your Other Accounts — Email, Banking Logins, Two-Factor Authentication?
A data broker breach centered on background-check information is different from a breach of an email provider or bank, but that doesn’t mean your online accounts are irrelevant here. Two reasons to think about them anyway:
- Information from this breach can fuel other attacks. If your address history, date of birth, and SSN are circulating, that’s exactly the kind of information used to answer “security questions” or convince a call-center representative to reset a password on your behalf. A breach like this raises the baseline risk for account-takeover attempts elsewhere, even on accounts that were never directly breached.
- Now is a reasonable time for a general security check-up. Reviewing which accounts use SMS-based two-factor authentication (weaker, because phone numbers can be ported via “SIM swap” attacks) versus an authenticator app (stronger), and updating recovery email addresses and phone numbers to ones you actually control, is good hygiene regardless of this specific breach — but a major SSN exposure is a reasonable trigger to actually go do it.
None of this replaces the credit freeze as priority one. But if you’re already taking an afternoon to deal with this, a quick pass through your most important accounts (primary email, banking, and anything tied to your SSN like tax software) is a reasonable use of that same afternoon.
How Class Action Settlements Actually Work — and When Claims Get Filed
Large breaches like the National Public Data incident often generate multiple lawsuits filed in different jurisdictions around the same time. These cases generally move through a predictable sequence:
- Filing and consolidation — similar lawsuits filed in different courts are sometimes consolidated into a single proceeding (multidistrict litigation, or MDL) for efficiency.
- Discovery and negotiation — both sides exchange evidence and, often, begin settlement talks.
- Settlement agreement and preliminary approval — if a deal is reached, the court grants preliminary approval before anything is final.
- Notice to the class — affected individuals receive notice by mail or email describing the settlement terms.
- Claims filing window — class members submit claim forms within a specified deadline through an official site.
- Final approval and distribution — once the court grants final approval, payments (or other benefits, like monitoring services) are distributed.
This entire process commonly takes years from the original breach to actual payouts. Be skeptical of any source right now claiming to know specific settlement amounts, per-person payout estimates, or exact filing deadlines for this breach — verify directly through official court filings (publicly searchable via court electronic records systems) or, once one exists, the official settlement administrator’s website referenced in your notice.
I Never Got a Notice — How Do I Know If I Was Affected?
Because data brokers like National Public Data don’t have a direct relationship with consumers, notices can easily go to an outdated address or simply not reach everyone who was affected. Some practical steps:
- Check the official settlement administrator site (once a court-approved settlement exists) using your information
- Pull your free credit reports from Equifax, Experian, and TransUnion and look for accounts or inquiries you don’t recognize
- Confirm your mailing address on file with major institutions is current — notices sent to a previous address won’t reach you
Avoid entering your SSN into third-party “check if you were breached” tools of unknown provenance. These tools can themselves be data-harvesting or phishing operations, and feeding them your SSN defeats the purpose of trying to protect it.
A Few More Practical Notes
- If you’ve already received notices for other breaches (a healthcare provider, a genetic testing company, etc.), treat each one as independent. The protective steps — freeze, monitor, document — overlap, but the claims processes don’t.
- Should you pay for a premium identity protection service? Many of the core protections — credit freezes, fraud alerts, free annual credit reports — are free by law. Paid services typically add convenience (faster alerts, identity restoration assistance) but aren’t a substitute for the free freeze.
- When does this clearly need a lawyer? If you can document actual financial loss tied to identity theft — fraudulent accounts, intercepted refunds, time and money spent on recovery — that’s the point where individual legal consultation becomes worthwhile, separate from whatever a class settlement might eventually offer.
Related Reading
If you’ve been affected by this or other recent data breaches, these guides may help:
- 23andMe Genetic Data Breach Class Action Guide
- Data Breach Class Action Settlements — How to File a Claim
- Change Healthcare Data Breach Lawsuit Guide
- Browse all Legal category posts
This article is for general informational purposes only and does not constitute legal advice. For guidance specific to your situation, consult a licensed attorney or the official settlement administrator for any relevant litigation.
I've never heard of National Public Data. Why would my information be in their system?
National Public Data is a data broker that compiles background-check and identity-verification datasets for employers, landlords, and screening companies — it doesn't sell directly to consumers. Data brokers build profiles from public records (property deeds, court filings, voter registrations), commercial transaction data, and information purchased from other brokers. You don't have to sign up for anything: if you've ever bought property, been a party to a lawsuit, or registered to vote in the U.S., your name, address history, date of birth, and potentially your Social Security number may already sit in a broker's database without your direct knowledge.
How many people were affected by the National Public Data breach?
The 2024 breach was widely reported as one of the larger data exposure incidents involving Social Security numbers in recent years. That said, the exact number of affected individuals, the precise scope of records exposed, and final figures can shift as litigation and court filings progress, so this article deliberately avoids citing a specific count. The most reliable way to find out if you personally were affected is through an official breach notification letter or a court-approved settlement administrator site — not third-party 'breach checker' sites of unknown origin.
Why is SSN exposure worse than a credit card number leak?
A credit card number can be canceled and reissued within days. A Social Security number is a lifelong identifier that almost never changes. Once exposed, it can be used for years to open fraudulent credit accounts, file fake tax returns to intercept refunds, commit medical identity fraud, or — most insidiously — create a 'synthetic identity' by combining a real SSN with a fabricated name and date of birth. Synthetic identity fraud can take years to surface because it doesn't show up on your existing credit file the way a stolen-card charge would.
What legal claims typically arise against a data broker after a breach like this?
Lawsuits against data brokers following large breaches commonly raise: (1) negligence claims, arguing the company failed to maintain reasonable security safeguards (encryption, access controls, patching); (2) breach of implied contract, arguing the company implicitly promised reasonable data protection in exchange for collecting the information; (3) violations of state consumer protection and data breach notification statutes; and (4) invasion of privacy or unjust enrichment claims tied to unauthorized collection and resale of personal data. Which claims actually survive motions to dismiss and proceed depends heavily on the specific facts, the court, and applicable state law — this is general background, not a prediction of outcomes in any specific case.
How do I check whether my SSN was part of this breach?
The most trustworthy sources are an official notification letter or email from the breached entity, or — if a class action settlement has been court-approved — the official settlement administrator website named in that notice. Avoid third-party 'check if you were breached' sites that ask you to enter your SSN or other sensitive details; these can themselves be phishing operations. If you never received a notice but are concerned, regularly pull your free credit reports from Equifax, Experian, and TransUnion and look for accounts or inquiries you don't recognize.
What's the difference between a credit freeze and credit monitoring?
A credit freeze blocks credit bureaus from releasing your credit file in response to new credit applications, which means no one — including you — can open a new account in your name until you temporarily lift the freeze. It's a preventive block on new fraudulent accounts. Credit monitoring, by contrast, alerts you after something has already changed — a new account opened, a hard inquiry made, a balance change. Both have value, but for SSN exposure specifically, a credit freeze is the higher-priority, more proactive defense.
Is a credit freeze free, and does it hurt my credit score?
Under U.S. federal law (the Economic Growth, Regulation, and Consumer Protection Act of 2018), credit freezes and unfreezes are free at all three major bureaus — Equifax, Experian, and TransUnion. Placing a freeze does not affect your credit score or alter the information already in your credit file. You'll just need to temporarily lift the freeze (a quick online or phone process) whenever you legitimately apply for new credit.
A lawsuit was filed — does that mean I'll get compensated soon?
No. A filed complaint and an approved settlement with actual payouts are very different stages, often separated by years. The general path runs: complaint filed (sometimes consolidated with similar suits into a multidistrict litigation, or MDL) → discovery and negotiation → settlement agreement and preliminary court approval → notice sent to class members → claims filing window → final approval → distribution. Be skeptical of anything right now claiming to know exact settlement amounts, per-person payouts, or filing deadlines — verify only through official court documents or the settlement administrator's site once one exists.
What's the single most important thing I should do right now?
If your Social Security number may have been exposed, the highest-priority single action is placing a credit freeze with all three major bureaus — Equifax, Experian, and TransUnion. Canceling cards and updating passwords matter for other types of breaches, but for SSN exposure specifically, a credit freeze is the most direct way to block someone from opening new accounts in your name. You must freeze your file at all three bureaus separately; freezing just one leaves the other two open.
Can a child's SSN be exposed in a data broker breach like this?
In principle, yes. Minors' SSNs are rarely used, which means fraud involving a child's identity can go undetected for years — sometimes not surfacing until the child applies for their first credit card or student loan as a young adult. If you're concerned a family member's information, including a minor's, may have been part of this or any broker dataset, contact the credit bureaus about placing a protective freeze on a minor's credit file, which most bureaus support through a dedicated process.
Do I need a lawyer to file a claim in a class action settlement?
For a court-approved class settlement, class members can typically file a claim form directly through the official settlement website without hiring an attorney. You should consider consulting a lawyer if (1) you've suffered documented financial harm — fraudulent accounts, intercepted tax refunds, out-of-pocket recovery costs — that may exceed what a class settlement offers, or (2) you're weighing whether to opt out of the class to pursue an individual claim. This article is general information, not legal advice for your specific situation.
I already got notices from other breaches, like 23andMe or Change Healthcare. Is this a different thing?
Yes, these are separate incidents involving different companies, different types of data, and different legal proceedings. If you've received multiple breach notices, you'll need to check your exposure and, if applicable, file claims separately for each one through that breach's specific official settlement site. A claim filed for one breach does not cover or substitute for another.
Should I sign up for the free credit monitoring often offered after a breach?
Free monitoring offered through a breach notice or settlement can be a useful supplement, but it shouldn't replace a credit freeze. Monitoring tells you after a new account or inquiry appears; a freeze is designed to prevent that account from being opened in the first place. If you're offered free monitoring, it's reasonable to enroll — just don't treat it as a substitute for freezing your files at all three bureaus.
관련 글
Ticketmaster/Live Nation Data Breach Class Action: What Affected Users Need to Know in 2026
Change Healthcare Data Breach Lawsuit: What the 2024 Ransomware Attack Means for Your Medical Privacy
23andMe Data Breach Class Action MDL 3098: $30M Settlement, Bankruptcy & Claims 2026
Social Casino and Sweepstakes App Lawsuits: What Consumers Need to Know
AT&T Data Breach Lawsuit MDL 3114: $177M Settlement & Claims Guide 2026
