Social Security numbers are extremely personal data for Americans. SSNs are considered a primary type of personally identifiable information (PII) and should be kept secure and private.
National Public Data disclosed a massive data breach in August 2024, which included the Social Security numbers of nearly every American. The leaked data also included names, phone numbers, and current and past addresses.
The total number of leaked records is estimated at 2.9 billion, totaling 277GB of data. It is unclear whether the records are all unique or, as some cybersecurity experts suspect, duplicates. The records include information on people living in the US, UK, and Canada.
The cybercrime group known as USDoD is allegedly behind the data breach, which initially tried to sell all the data on dark web forums for around $3.5 million in cryptocurrency.
What is National Public Data?
National Public Data (NPD) is a data brokerage company based in Coral Springs, Florida. The company was founded in 2008 by Salvatore Verini and is technically part of the company known as Jerico Pictures.
The company provides background check services to a variety of clients, including employers, private investigators, and other businesses that need to check individuals’ backgrounds. The company’s services include criminal history, birth record, and Social Security number searches.
NPD’s database is designed to help you make informed decisions about hiring, renting, and other personal valuations.
What information was stolen?
The NPD data breach included:
- full name. A person’s full name, essential for identity verification.
- address. Current and past addresses spanning up to 30 years provide a comprehensive history of an individual’s residence.
- social security number. This is important personal information used for many official purposes such as obtaining a loan or credit card, making it very useful for identity theft.
- telephone number. Contact information that may be used for phishing or other fraudulent activities.
- date of birth. It is essential for verifying identity and is often used in combination with other data to commit fraud.
- Information about relatives. Data about people’s families (parents, siblings, aunts, uncles, cousins, etc.).
- Criminal history. Because NPD offers background check services that include criminal history searches, this breach could also include criminal records.
Did NPD warn consumers about the breach?
NPD did not immediately warn consumers about the breach.
The company first acknowledged that it had been the victim of a data breach in a breach disclosure notice published on its website on August 15, 2024.
In its disclosure, NPD acknowledged that a third-party threat actor attempted to hack into NPD data in December 2023, with possible breaches in April 2024 and summer 2024.
How to identify a data breach you were involved in
There are several ways individuals can determine if their personal information has been exposed in this or any other data breach. Consider the following:
- I was Pwned. HIBP was created by researcher Troy Hunt as a free service that allows users to enter their email address to see if it has been implicated in any known data breaches.
- Credit monitoring services. Many credit monitoring services, including those offered by Equifax, Experian and TransUnion, will alert you to suspicious activity on your credit report that could be a sign of a data breach.
- Monitor your financial accounts. The NPD’s official statement advises individuals to closely monitor their financial accounts for any fraudulent activity.
- Pay attention to notifications. Although not always reliably, companies sometimes notify individuals when there has been a data breach, but in this case, NPD did not initially provide widespread notice.
What could bad actors do with this personal information?
Bad actors may use stolen personal information for a variety of malicious purposes, including:
- Opening fraudulent credit card accounts. Bad actors use stolen personal information to open new lines of credit.
- Applying for a loan. If loans are taken out in the victim’s name, the victim will be left with a financial burden.
- Commit tax evasion. Stolen identity allows bad actors to file false tax returns and claim refunds.
- Access to existing financial accounts. This allows unauthorized access to your bank account.
- Create a false identity. This is often done for illegal activities.
How to protect yourself
There are steps you can take to protect yourself from this and similar data breaches:
- Monitor your account. Closely monitor your financial accounts and contact your financial institution immediately if you notice any unauthorized activity.
- Get your credit reportYou can contact the three U.S. credit reporting agencies (Equifax, Experian and TransUnion) and get a free copy of your credit report from each company by calling 1.877.322.8228 or visiting www.annualcreditreport.com .
- Check with the FTC. The Federal Trade Commission’s identity theft website provides information about what to do if you are the victim of identity theft or a data breach.
- Receive free fraud alerts. Place a free fraud alert on your credit file. You can do this by contacting one of the three major credit reporting agencies.
- Equifax: Call us at 1.800.685.1111 or visit our website.
- Experian: Call us at 1.888.397.3742 or visit our website.
- TransUnion: Call us at 1.888.909.8872 or visit our website.
- Consider a credit freeze. Contact the major credit reporting agencies to freeze your credit to prevent fraudulent access.
- Use a strong and unique password. Implement strong passwords for all online accounts and enable two-factor authentication where possible.
- Use a password manager. Use a password manager to securely store and generate complex passwords.
- Beware of phishing. Be wary of phishing scams and verify the authenticity of any suspicious communications.
Sean Michael Kerner is an IT consultant, technology enthusiast, and technologist. He has been known to pull Token Ring, configure NetWare, and compile his own Linux kernel. He consults industry and media organizations on technology issues.
