About that massive breach at U.S. company National Public Data

Sensitive PII from millions of people (several billion line items) was stolen and eventually posted on the Dark Web.

Must be a huge corporation, right?

From The Register:

In the accounting document, the sole owner and operator, Salvatore Verini, Jr, operated the business out of his home office using two HP Pavilion desktop computers, valued at $200 each, a ThinkPad laptop estimated to be worth $100, and five Dell servers worth an estimated $2,000.

It lists $33,105 in a corporate checking account in New York as its assets, although the business pulled in $1,152,726 in the last financial year, and estimates its total assets are between $25,000 and $75,000 in total.

It also lists 27 domains with a value of $25 apiece. These include the corporate website - now defunct - as well as a host of other URLs including criminalscreen.com, RecordsCheck.net, and asseeninporn.com.

===

Now the company is declaring bankruptcy, because it can’t cover the pending liabilities - class action lawsuits, attorneys’ fees, responsibility for credit monitoring for potentially millions of people.

This jackass had such control over millions of people’s sensitive personal data?!

There’s something very wrong here.

4 Likes

Yes, there is, but in my opinion it is that any company, big or small, is allowed to collect private data without informed consent and justification.

For all the amusing details about the homespun operation with just 8 computers, the real question is not the number or size of computers but whether they are kept secure. In some respects, if you have too many computers, it becomes more difficult to keep them secure. Self-evidently though, he didn’t keep at least one of his 8 computers secure.

4 Likes

In what could be considered sweet irony, it would appear that the guy’s actual home (business) address and previous address are listed in the accounting document that The Register linked to. (Unless they’re both mail drops.)

1 Like

LOL, yeah. That’s a private residence - and quite a nice one at that (as long as it doesn’t get blown away by Milton).

Residence also links to https://www.jericopictures.com/ which is “down for maintenance”. Given some of the other domains, you wonder what kind of “pictures” he is/was making. :wink:

3 Likes

Wayback Machine:

Jerico Pictures – Los Angeles | South Florida

3 Likes

Riddle me this, @amarok …

From that PDF

Do your lists or records include personally identifiable information of customers?
:heavy_check_mark: No

Isn’t the point of this company that “lists or records” under Intangibles and intellectual property includes a sh*tload of PII?

OK, maybe not of customers depending on who exactly the company’s customers are. And it is arguable that if all this data is “public” i.e. was scraped or otherwise from public sources then maybe it’s not IP of the company.

2 Likes

Yeah, I’m sure “customers” refers to the entities buying the personal data, whereas we are all just the unsuspecting “marks.”

His website: https://www.salvatoreverini.com/

He’s on IMDb, too.

And there’s this from Krebs Security:

NPD’s founder, an actor and retired sheriff’s deputy from Florida named Salvatore “Sal” Verini.

3 Likes

I think it’s a bug in the Chap 11 form. It hasn’t kept up with the times. The question should read:

Do your lists or records include personally identifiable information?

2 Likes

Hmmmm. Did they get me or my legend?

1 Like