Hackers Steal 272 Million U.S. Social Security Numbers, 161 Million U.S. Phone Numbers and More Highly Sensitive Historic Data from National Public Data.
Updated: Aug 28
What happened? And how to tell if your were breeched and what to do about it.
(Usual disclaimer: I'm just an investor expressing my personal opinion and am not an attorney, accountant nor your financial advisor. Consult your own financial professionals before making any financial decisions. Code of Ethics: To remove conflicts of interest that are rife on other sites, I/we do not accept ANY money from outside sponsors or platforms for ANYTHING. This includes but is not limited to: no money for postings, nor reviews, nor advertising, nor affiliate leads etc. Nor do I/we negotiate special terms for ourselves in the club above what we negotiate for the benefit of members. Info may contains errors so use at your own risk. See Code of Ethics for more info.)
National Public Data is a company which sells personal information to private investigators, consumer public record sites, human resources and staffing agencies.
According to a recently proposed class-action lawsuit, a cybercriminal group by the name of USDoD posted a database entitled “National Public Data” on a dark web forum and which claimed to be selling the personal data of 2.9 billion people for $3.5 million. And National Public Data recently confirmed a "data security incident" on it's website:
"There appears to have been a data security incident that may have involved some of your personal information. The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. We conducted an investigation and subsequent information has come to light. What Information Was Involved? The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).
What Exactly Was Stolen?
Spy Cloud, security firm, said they have analyzed the stolen data and claims it's made of up of:
2.7 billion total records
Sensitive personally identifiable information (PII) on individuals including:
Full names, dates of birth
420 million distinct addresses
272 million distinct US Social Security Numbers (SSNs)
Over 161 million distinct phone numbers
Historical data like old addresses and phone #s. Per spy cloud: "This introduces risks because it is not uncommon for credit checks and other identity verification systems to verify places where you have previously lived in order to grant you access to certain resources, so this breach will likely make certain types of verification systems more trivial to bypass."
How to Fail as Publicly and Badly as Possible
And according to security researcher Brian Krebs (of Krebs on Security) the bungling didn't stop there.
Krebs says that a National Public Data data broker continued to share the passwords to its back-end database (and which shares access to the same records) in a file that was freely available on it's homepage until recently:
New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.
Adding Insult to Injury?
And as if that wasn't bad enough...if the proposed class action lawsuit is to believed, then allegedly the data was scraped from the web by National Public Data without consumer consent.
Was my info breeched?
According to CNET, you can check to see if your social security number or phone number was breeched using one of the sites on their article.
What do do about it?
The nonprofit National Cybersecurity Alliance, recommends freezing your credit, saying:
The lawsuit says that hackers stole the personal information of 3 billion people, including every existing Social Security numbers, from background check company National Public Data (NPD). If true, this would mean every American is at risk of having their identity stolen. While the exact details of the breach are not confirmed, don’t wait. Freeze your credit now and keep it frozen by default. Freezing your credit: 1) Is free. 2) Doesn’t impact your credit score. 3) Is easy and fast to un-freeze if you need to apply for credit.
CNET also recommend other steps such as:
Contact the Internal Revenue Service "if your Social Security number has been stolen to prevent the thief from using your number to file a tax return and receive your tax refund or to prevent them from using your number for a job (and put their taxes on your account)."
The IRS says they have a PIN program to mitigate the risk of stolen tax refunds:
Check your credit report regularly.
Sign up for a credit monitoring service.
Go to Federal Trade Commission's IdentityTheft.gov.
File an online complaint with the Internet Crime Complaint Center.
Contact the Social Security Administration
Click here for more details from CNET.
August 28, 2024 Update: It turns out that the above steps are Not EVEN NEARLY ENOUGH!
The conventional advice of merely freezing and monitoring credit reports doesn't stop a thief from sticking you with bogus utility bills, fraudulent pay-day loans, fake bank and brokerage accounts, stealing your tax refunds, and more. Here's a brand new article with real life examples from people who learned the hard way... and here's what to do to avoid being victimized.
Comments