Data breach: How to check if your Social Security number was affected
Summary
1. Scale of the breach:
- Approximately 2.9 billion records were affected, making it one of the largest data breaches in history.
- The breach was confirmed by NPD in late August 2024, though it occurred earlier in the year.
2. Information compromised:
- Names, addresses, email addresses, phone numbers, and Social Security numbers were among the data leaked.
3. How it happened:
- A cyber attack targeted NPD, a background checking service also known as Jerico Pictures.
- The attack occurred in April, with data appearing to be leaked in April and summer of 2024.
4. Legal action:
- A class action lawsuit was filed against NPD in early August 2024, alleging negligence and other breaches of duty.
5. Checking if affected:
- People can check if their data was compromised using tools like npd.pentester.com without providing their full Social Security number.
- Experts advise against submitting full Social Security numbers to unfamiliar websites claiming to check breach status.
6. Protecting yourself:
- Monitor credit reports for signs of fraud.
- Consider credit freezes and fraud alerts.
- Use credit monitoring services.
- Implement two-factor authentication on accounts.
- Be cautious about unsolicited requests for information.
7. Reporting fraud:
- Contact the Federal Trade Commission at idtheft.gov or 1-877-438-4338.
- File a police report and contact fraud units of major credit bureaus.
8. Context:
- This breach surpasses the 2013 Yahoo breach in scale.
- Many affected individuals did not knowingly provide information to NPD, as the company scrapes data from non-public sources.
The documents emphasize the importance of vigilance in monitoring personal accounts and information, given that third parties can collect and potentially lose personal data without individuals' direct involvement or knowledge.
Data breach: How to check if your Social Security number was affected
An estimated 2.9 billion records, including names, addresses and Social Security numbers may be affected after National Public Data confirmed it suffered after a massive data breach involving the personal information of millions of Americans.
Still, despite privacy concerns, Americans shouldn't offer to submit their Social Security numbers to websites just because they claim they can help identify if they're a victim of a recent breach.
Social Security scams are nothing new. On any given day, someone might receive a call where the operator on the other end claims to be an agent with the FBI who has a warrant for their arrest and demands they hand over their Social Security number, bank information and other personal details to clear up the matter.
But what about when a website claims it can help someone identify if their data was stolen in the recent breach?
Some websites claim they can help victims identify if their information was stolen. It may not be a scam, but people still shouldn't submit their Social Security numbers and other identifying information to random websites that may not be legitimate resources.
Here's what to know.
Why you should be worried:What to do about the massive National Public Data breach
Why shouldn't you give over your Social Security number?
Banks, schools, new employers, accountants and landlords do require Social Security numbers. But you should not submit your Social Security numbers to people, businesses or websites you do not trust.
"The most important thing for the public to always be aware of is the need to protect their personal information," said Darren Lutz, a spokesperson for the Social Security Administration, told USA TODAY.
Experts, like James E. Lee, chief operating officer at Identity Theft Resource Center, "certainly don’t recommend" people enter their Social Security numbers on websites that enable people to search if their personal information was affected or leaked, CNBC reported.
Fraudsters can do a lot with that number and some identifiable information, like the following, according to AARP:
- Open credit accounts in the victim's name
- Use the victim's information to collect unemployment insurance
- Circumvent the victim's benefits
Some websites are reputable and will allow people to check if their data was stolen without requiring them to submit a Social Security number.
The following are reputable websites that don't require Social Security numbers to be submitted, according to CNBC:
- NPD.pentester.com — Only requires people to submit their first name, last name, state and birth year.
- NPDBreach.com — People can search for their information using their full name and zip code, SSN or phone number.
Credit reports can show signs of fraud
People wondering if their identity may have been stolen can check their credit reports for signs of fraud, according to the University of Wisconsin-Madison.
Credit reports help people monitor for unfamiliar or unexpected activity. People can request a credit report once a year from the following locations, according to CNET:
A person can also regularly check their my Social Security account for suspicious activity, Lutz said.
"If a person has not yet applied for benefits, they should not see information about payment amounts on their my Social Security account and will be able to access their Social Security Statement to receive estimates of their future benefits," he said.
If suspicious activity is found on reports, people can place a credit freeze to protect themselves from identity theft and further misuse of stolen information, according to the Federal Trade Commission.
How to report suspected fraud
Anyone who believes their identity was stolen should contact the Federal Trade Commission at idtheft.gov, or call them at 1-877-438-4338, Lutz said.
The victim should then do the following:
- File a police report where the identity theft took place, and keep a copy of the report
- Contact a fraud unit
- Monitor their credit report periodically
Victims can reach out to the following fraud units, according to Lutz:
- Equifax: 1-800-525-6285
- Experian: 1-888-397-3742
- Trans Union: 1-800-680-7289
The company that is called is required to alert the other two companies listed.
Julia is a trending reporter for USA TODAY. She has covered various topics, from local businesses and government in her hometown, Miami, to tech and pop culture. You can connect with her on LinkedIn or follow her on X, formerly Twitter, Instagram and TikTok: @juliamariegz
Nearly 3 Billion People Hacked in National Public Data Breach. What You Need to Know
Nearly three billion individuals had their personal data leaked during a cyber attack targeting National Public Data (NPD), a background checking service also known as Jerico Pictures. The data breach is one of the biggest in history and surfaced when a proposed class action lawsuit was filed in early August.
The lawsuit alleges that personal data from nearly three billion people was leaked during a cyber attack targeting the company in April. Initially, neither NPD, nor Jerico Pictures confirmed the cyberattack.
But as of late August, NPD has confirmed the cyberattack and published a breach disclosure to its company website acknowledging a third-party had attempted to access data in the NDP's possession in December before appearing to leak the data in April and this summer.
Sign up for Kiplinger’s Free E-Newsletters
Profit and prosper with the best of expert advice on investing, taxes, retirement, personal finance and more - straight to your e-mail.
Profit and prosper with the best of expert advice - straight to your e-mail.
Until the NPD breach, the Yahoo data breach in 2013 stood as the worst cyberattack in history. The first attack occurred in 2013, with more to follow over the next three years. Only after Verizon bought out Yahoo in 2017, did the actual number of records affected come to light. It was determined that all 3 billion of Yahoo's accounts were affected. That particular breach included the theft of names, email addresses, phone numbers and birthdates, but did not involve financial information.
What is National Public Data and what kind of data was stolen?
National Public Data is owned by Jerico Pictures, Inc. and is headquartered in Coral Springs, Florida. It is a background checking service that scrapes personally identifiable information of individuals from non-public sources. This means many of the people who were affected by the breach did not knowingly provide any of their personal information to NDP.
In their breach disclosure, NDP stated that "information that was suspected of being breached contained name, email address, phone number, Social Security number, and mailing address(es)."
They also said they had "cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you."
NDP suggests monitoring all of your financial accounts for unauthorized access/use, contacting the three U.S. credit reporting agencies, Equifax, Experian, and TransUnion, to obtain a free credit report from each by calling 1.877.322.8228 or by logging onto www.annualcreditreport.com. See below for more suggestions about how to protect your data and identity.
Were you part of the data leak?
Cyber security firm Pentester has set up a tool to let you determine if your data was part of the breach. Go to npd.pentester.com, enter your name and birth year to see a list of breached accounts, including the last four digits of the leaked Social Security numbers, at no charge.
What was learned from the lawsuit filed against NDP
The breach First became public when a lawsuit was filed against NDP alleging negligence, unjust enrichment, and breaches of fiduciary duty and third-party beneficiary contract.
On July 24, 2024, Christopher Hofmann received a notification from his identity theft protection service provider notifying him that his personally identifiable information (PII) was compromised as a direct result of the “nationalpublicdata.com” breach, and that his PII had been found on the Dark Web.
The lawsuit alleges that on April 8, 2024, a criminal gang that goes by the name of USDoD posted a database entitled “National Public Data” on a Dark Web hacker forum called “Breached.” USDoD alleged to have the PII of approximately 2.9 billion individuals and offered the database for purchase at a price of $3.5 million.
Hofmann v. Jerico Pictures, Inc., Docket No. 0:24-cv-61383 (S.D. Fla. Aug 01, 2024), Court Docket
Steps you can take to protect your identity and data
Identity theft plans available typically include some combination of account monitoring, alerts and restoration support. This means the plans can't stop criminals from targeting you and can only offer remediation assistance after the fact.
This breach highlights the fact that data breaches can arise despite the best intentions of individuals to protect and store their information safely. This information was scraped from nonpublic sources and stored without encryption or other safeguards.
"As the list of mega-breaches continues to grow, it is essential to consider investing in protective services that surpass the traditional practice of just monitoring changes in your credit report, particularly those that provide continuous surveillance of your bank accounts, your mailing address, and the dark web to detect any potential signs of identity theft at an early stage. Embracing the latest technology is crucial to safeguarding your identity" says ”Odysseas Papadimitriou, WalletHub CEO.
Here are some other suggestions from Wallethub for protecting your identity and data:
- Sign up for 24/7 credit monitoring
- Activate two-factor authentication
- Don’t respond to unsolicited requests for information
- Review credit card and bank accounts on a regular basis
- Sign or use your PIN to verify debit card purchases
- Place a free fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts.
- Freeze your three primary credit reports. In this context, "freezing" means that you prohibit your credit reports from being accessed by most third parties. In return for a fee you get a PIN from the credit bureaus. This PIN acts as an additional key and it must be given in order for your credit reports to be accessed and used to open accounts or obtain loans
Bottom line
This breach demonstrates third-parties can collect, store and lose your data all without your participation or knowledge. You must be vigilant in monitoring your accounts and mind your surroundings when using credit cards or when providing personal information.
Consider using a credit card for expenses and not your debit card. All major credit cards offer blanket liability against unauthorized credit card purchases. If your debit card is appropriated, your bank account could be drained and you will potentially face a lengthy process to try and recover your money. And by using a credit card and not a debit card, you'll also have the opportunity to rack up rewards you can spend elsewhere.
Comments
Post a Comment