The company whose data breach exposed every American’s Social Security number to identity theft has finally acknowledged the data theft — and said hackers obtained more sensitive information than previously reported.
National Public Data, a Florida-based company that collects personal information for background checks, posted a “security incident” notice on its website reporting “potential data breaches in April 2024 and summer 2024.” The company said the breach appeared to involve a third party “attempting to compromise data in late December 2023.”
According to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, the hacking group USDoD claimed in April to have stolen the personal records of some 2.9 billion people from National Public Data. On a popular hacker forum, the group offered to sell the data, which included records from the United States, Canada and the United Kingdom, for $100 million; a cybersecurity expert said in a post on X that the asking price was $3.5 million.
Last week, an alleged member of USDoD, identified only as Phyllis, told a hacking forum that they were offering the “Complete NPD Database.” According to a screenshot taken by BleepingComputer, Phyllis claimed that “the information consists of approximately 2.7 billion records, each of which includes a person’s full name, address, date of birth, Social Security number, and phone number, along with alternate names and dates of birth.”
None of the information is encrypted.
Such exposure would be bad enough on its own. But according to National Public Data, the breach also included email addresses — a key piece of information for identity thieves and fraudsters.
Having someone’s email address makes it easier to target them with phishing attacks, which try to trick people into giving up passwords for financial accounts or downloading malware that can extract sensitive personal information from devices. Additionally, since many people use their email address to log into online accounts, it can be used to try to hijack those accounts by resetting the password.
It’s not yet clear what from the breach has been leaked on the dark web. In a very small sample of Google One dark web scans, email addresses taken in the National Public Data breach did not show up. But a free tool from cybersecurity firm Pentester found that other allegedly compromised personal data, including Social Security numbers, was on the dark web.
National Public Data said on its website that it would notify individuals if there were “further significant developments” that applied to them. It added: “We have also implemented additional security measures in an effort to prevent a recurrence of such a breach and protect our systems.”
Earlier, in an email to people who sought information about their accounts, the company said it had “purged the entire database, as a whole, of any entries, which essentially means unsharing everyone.” As a result, it said it had deleted any “non-public personal information” about people, though it added: “We may be required to retain certain records to comply with legal obligations.”
The company did not respond to a request for comment. Laws in California and every other state require companies to notify anyone whose sensitive personal information was obtained in a breach, said Timothy Toohey, head of privacy and data security at the law firm Greenberg Glusker in Los Angeles.
There is no specific deadline for notification, Toohey said, just an expectation that it will be done quickly. But the scope of this case poses a challenge for National Public Data, because it will have to determine which of the affected individuals are still alive and where they currently live, and then comply with the requirements set by each of those states.
“Logistically, it’s a bit mind-boggling,” Toohey said.
At this point, the only notice National Public Data appears to have provided is a page on its website, which states, “We are notifying you so you can take action that will help minimize or eliminate potential harm. We strongly advise you to take preventive measures to help prevent and detect any misuse of your information.”
Toohey said that type of notification would not meet the requirements of California law, which also requires reporting to the state attorney general’s office any breach affecting more than 500 state residents.
Steps recommended by National Public Data include checking your financial accounts for any unauthorized activity and placing a free fraud alert with the three major credit bureaus, Equifax, Experian and TransUnion. The company advises that once a fraud alert is in place, you request a free credit report and then check it for accounts and inquiries you don’t recognize. “These could be signs of identity theft,” it says.
So far, the company has not offered free credit monitoring services to people whose information was stolen, unlike other companies that have suffered massive data breaches. “Usually, with a data breach notification, you offer something because you want to be proactive and help people,” Toohey said.
“The way companies look at it is that something bad has happened. Of course the company feels like the victim, but that’s not the impression the general public has.”
Security experts also recommend freezing your credit files with the three major credit bureaus. You can do this for free, and it will prevent criminals from getting loans, applying for credit cards and opening financial accounts in your name. The catch is that you’ll need to remember to temporarily lift the freeze if you’re getting or applying for something that requires a credit check.
Meanwhile, security experts say, make sure all your online accounts use two-factor authentication to make them harder to hack.
It’s also important to look for signs that an email or text message is not legitimate, given the prevalence of “phishing scams.” Using messages disguised as an urgent inquiry from your bank or service provider, these scams attempt to trick you into giving up the keys to your identity, and possibly your savings. Any request for sensitive personal information is a huge red flag.
Alexander Valenti of cybersecurity firm Surfshark suggests carefully checking the sender’s email address to see whether it exactly matches the organization they claim to represent, and looking for typos or grammatical errors — two telltale signs of a scam. And if the message is from someone you’ve never interacted with before, Valenti said, avoid clicking on links, including an “unsubscribe” link or button, because bad actors will use them for malicious purposes.
“If you suspect you have received a phishing email, do not interact with it and report it to your email service provider,” Valenti said. “If the person is pretending to be a legitimate organization, you should also report it to that organization. Once you do, delete the email and be on the lookout for similar emails in the future.”