You may not have heard of National Public Data, but your personal information may have been exposed in the company’s recent massive data breach.
The background check company, owned by Jericho Pictures, recently released details of the breach following a proposed class action lawsuit alleging that 2.9 billion personal details may have been exposed. Other reports have said the amount of information exposed could exceed 2.7 billion.
In an official data breach notification filed in Maine, National Public Data indicated that 1.3 million records may have been exposed, said James E. Lee, chief operating officer of the Identity Theft Resource Center, a nonprofit focused on reducing the risk of identity theft and theft.
“It’s entirely possible that it’s less, but it’s entirely possible that it’s more,” Lee said of the number of people affected.
National Public Data said on its website that the exposed information may have included Social Security numbers, names, email addresses, phone numbers and mailing addresses.
The company said on its website that a third-party malicious actor may have hacked the data in December and that the information may have been leaked between April and this summer. National Public Data did not respond to a request for comment at the time of publication.
As cyber experts dig into the breached data, they’re finding that not all of it is accurate and that much of the information was already available. “The reality is, there’s nothing new in this data,” Lee said.
Still, experts say news of the breach is a big wake-up call to take steps to protect your personal information. Here, we’ve compiled answers to some of the most common questions consumers are asking right now.
If you’ve never heard of National Public Data, could it affect you?
Yes. National Public Data is a background check company that provides information through legitimate sources or by collecting it from the web, Lee said. Because the data is collected more casually, it may be collected without consumer permission and outside the scope of specific regulation. As a result, it may be inaccurate or out of date, Lee said.
Certain information, such as when you bought a home or when you paid your property taxes, is technically public record, said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, a nonprofit organization focused on cybersecurity awareness and education. Companies can collect and aggregate publicly available data to glean personally identifiable information, he said.
“Companies have different levels of ability to protect the data they collect, and because the data is kind of public data in the first place, it may not be subject to data protection regulations,” Steinhauer said.

Is there a way to know if your Social Security number is affected?
Some cyber groups have set up websites where individuals can search to see if their personal information was affected by a breach, Lee said. One site, NPDBreach.com, allows users to search by name, zip code, Social Security number and phone number. Another site, NPD.pentester.com, allows users to search by first name, last name, state and date of birth.
“I would never recommend entering your Social Security number on these sites,” Lee said.
If you enter a name, you may be able to see what information has been shared. Lee said the good news is that most people realize the leaked information is inaccurate.
What is the best way to protect my personal information?
If you find yourself the subject of a breach, the steps you need to take aren’t necessarily new.
“There’s nothing extra we need to do beyond what we’re already doing or what we know we need to do now,” Lee said.
A credit freeze should be at the top of that list. Submit a request to each of the three major credit reporting agencies: Equifax, Experian and TransUnion.
A freeze can help block bad actors from accessing your records, but keep in mind that you’ll need to lift the credit freeze, either temporarily or permanently, if you want to apply for a new credit card or car loan, for example.
When freezing your credit, be especially careful that you are visiting the credit reporting agency’s legitimate website and not a look-alike site designed to steal your identity.
Additionally, you should change all your passwords, especially if you use the same password on multiple websites. Ideally, you should enable multi-factor authentication on personal websites to keep your financial data safe. And never share personal information while using the public internet.
Is it worth paying for the extra protection?
Besides freezing your credit, there are other ways to purchase additional protection.
Sites like National Public Data may allow individuals to opt out of data collection, but there are so many data brokers that it could be time-consuming for consumers to contact each one, Steinhauer said. Consumers can pay a data broker removal service to contact the website on their behalf.
Plus, identity theft monitoring tools will let you know if someone tries to open an account using your personal information.
Dark web monitoring services can let you know if your information has been found in a data breach published on the dark web.

If you are affected by a breach, are you entitled to monetary damages?
Lee said legal authorities have argued that financial compensation may be awarded to those affected by the leak, but that any amount ultimately paid out will likely be meaningless.
“You’re not going to get a lot of money,” Lee said.
For example, following the Equifax data breach in 2017, which affected more than 147 million consumers, damages received in lawsuits in late 2022 were reported to be less than $3 in some cases, while others were reported to be around $40.
The purpose of the solicitation is often to structure multi-state, multi-jurisdictional class actions and may consolidate multiple lawsuits.
But Lee said they would need to prove that the data breach caused actual harm, and that because there have been so many data breaches before, it could be difficult to link specific data to this latest incident.