The company has finally acknowledged the data breach that exposed Social Security numbers of Americans to identity thieves — and said the hackers obtained more sensitive information than previously reported.
Florida-based National Public Data, a company that collects personal information for background checks, posted a “security incident” notice on its site to report “potential leaks of certain data in April 2024 and summer 2024.” The company said the breach involved a third party “attempting to hack the data in late December 2023”.
According to a class action lawsuit filed in U.S. District Court in Fort Lauderdale, Fla., the hacking group USDoD said in April that it had stolen the personal records of 2.9 billion people from National Public Data’s databases. Posting on a forum popular among hackers, the group offered to sell the data, which included records from the United States, Canada and the United Kingdom, for $3.5 million, a cyber security expert said in a post on X.
Last week, Felice, a purported member of USDoD, told a hacking forum that they were offering “the entire NPD database,” according to a screenshot taken by BleepingComputer. The data comprises about 2.7 billion records, each containing a person’s full name, address, date of birth, Social Security number and phone number, along with any aliases and associated dates of birth, Felice said.
None of the information is encrypted.
Such a release would be problematic enough. But according to National Public Data, the breach also included email addresses — a key asset for identity thieves and fraudsters.
Having a person’s email address makes it easier to target them with phishing attacks, which try to trick people into downloading malware that reveals passwords to financial accounts or extracts sensitive personal information from devices. Additionally, since many people use their email address to log into online accounts, it can be used to try to hijack those accounts through password resets.
It is not clear how much of the breached data has been leaked onto the dark web. In a very small sample scanned using Google One, no email addresses taken in the National Public Data breach appeared. But a free tool from cybersecurity firm Pentester did find other personal data exposed by the breach, including Social Security numbers, on the dark web.
National Public Data said on its website that it would notify individuals of “further significant developments” applicable to them. “We have implemented additional security measures to protect our systems and prevent a repeat of such a breach,” it said.
Earlier, in an email to people seeking information about their accounts, the company said it had “removed the entire database, in its entirety, any and all entries, essentially excluding everyone.” As a result, it said it deleted any “non-public personal information” about people, though it added that “we may need to retain certain records to comply with legal obligations”.
The company did not respond to a request for comment. Laws in California and essentially every other state require companies to report whether an individual’s sensitive personal information was taken in a breach, said Timothy Toohey, head of the privacy and data protection practice at law firm Greenberg Glusker in Los Angeles.
There is no specific time frame for the notification, Toohey said, though it is expected to be done promptly. But the task will be a challenge for National Public Data because it requires determining which of the affected individuals are still alive and where they currently live, and then complying with the specific requirements of each of those states.
“Logistically, it’s kind of mind-blowing,” Toohey said.
At this point, the only notice National Public Data has provided appears to be a page on its website that says, “We’re notifying you so you can take action to help minimize or eliminate potential harm. We strongly encourage you to take preventative measures to help prevent and detect misuse of your information.”
That type of notification doesn’t meet the requirements of California law, which requires the state attorney general’s office to be notified of any breach affecting more than 500 state residents, Toohey said.
Steps recommended by National Public Data include checking your financial accounts for unauthorized activity and placing a free fraud alert on your files with the three major credit bureaus: Equifax, Experian and TransUnion. Once you’ve placed a fraud alert, the company advised, request a free credit report and check for accounts and inquiries you don’t recognize. “These could be signs of identity theft.”
So far, the company has not offered free credit monitoring services to individuals whose information has been stolen, unlike other companies that have experienced large-scale data breaches. “Typically, with a data breach notification, you’re giving something because you’re proactive and want to help people,” Toohey said.
“The way companies look at it, something bad has happened. The company certainly feels it’s affected, but that’s not what the public thinks.”
Security experts advise freezing your credit files with the three major credit bureaus. You can do so for free, and it will prevent criminals from taking out loans, signing up for credit cards and opening financial accounts in your name. If you are applying for something that requires a credit check, remember to temporarily lift the freeze.
In the meantime, security experts say, make sure all your online accounts use two-factor authentication to make hacking harder.
Given the prevalence of “impersonation scams,” it’s also important to look for signs that an email or text isn’t legitimate. Using messages disguised as an urgent inquiry from your bank or service provider, these scams try to trick you into handing over the keys to your identity and your savings. Any request for sensitive personal information is a huge red flag.
Aleksandr Valentij of cyber security firm Surfshark says to look carefully at the sender’s email address to check that it matches the organization the sender claims to represent, and to watch for typos or grammatical errors — two telltale signs of a scam. If the message is from someone you’ve never interacted with, avoid clicking on links, including any “unsubscribe” link or button, as bad actors may use them for malicious purposes.
“If you suspect you have received a phishing email, do not interact with it and report it to your email provider,” Valentij said. “If it is posing as a legitimate organization, it should be reported to that organization as well. Once it’s done, delete the email and stay alert to avoid receiving such emails in the future.”
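The sender-address check Valentij describes can be made mechanical. The following is an added illustration, not code from the article or from Surfshark: it parses a From header, extracts the sender's domain, and compares it against an allow-list of domains the claimed organization is known to mail from, flagging subdomain-style lookalikes and display names that borrow the organization's name. The organization names, domains and sample headers are constructed for the example.

```python
"""
Check whether an email's From header really belongs to the organization it
claims to represent.  Added example for the phishing advice above; the
allow-list and sample headers below are constructed, not real mail data.
"""
from email.utils import parseaddr

# Constructed allow-list: organization name -> domains it legitimately mails from.
KNOWN_SENDER_DOMAINS = {
    "example bank": {"examplebank.com"},
    "example credit bureau": {"examplebureau.com"},
}


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the address in a From header ('' if none)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def domain_belongs_to(domain: str, allowed: set[str]) -> bool:
    """True if domain equals an allowed domain or is a real subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def assess_from_header(from_header: str, claimed_org: str) -> dict:
    """Return a verdict dict: sender domain, whether it is suspicious, and why."""
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    allowed = KNOWN_SENDER_DOMAINS.get(claimed_org.lower(), set())
    reasons = []

    if not domain:
        reasons.append("no parseable sender address")
    elif not allowed:
        reasons.append("claimed organization is not in the allow-list")
    elif not domain_belongs_to(domain, allowed):
        reasons.append(f"sender domain {domain} is not one of {sorted(allowed)}")
        # Lookalike check: the legitimate domain's first label buried inside a
        # longer attacker-controlled domain (e.g. examplebank.com.evil-login.net).
        for a in allowed:
            label = a.split(".")[0]
            if label in domain:
                reasons.append(f"lookalike: '{label}' embedded in {domain}")

    # A display name that carries the organization's name while the address
    # does not belong to it is the classic impersonation pattern.
    if reasons and claimed_org.lower() in display_name.lower():
        reasons.append("display name impersonates the organization")

    return {"domain": domain, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, one subdomain, one lookalike.
    samples = [
        "Example Bank <alerts@examplebank.com>",
        "Example Bank <alerts@notify.examplebank.com>",
        "Example Bank Security <security@examplebank.com.evil-login.net>",
    ]
    for hdr in samples:
        verdict = assess_from_header(hdr, "Example Bank")
        print(hdr, "->", "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The allow-list stands in for whatever a mail gateway or the reader already knows about an organization's sending domains; the check is deliberately conservative, treating an unknown organization as suspicious rather than silently passing it.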