Only recently, an enormous amount of Social Security numbers and a series of other sensitive information for millions of people might have fallen into the hands of a hacking group. This took place after a data breach, with the suspicion that the numbers might have been released on an online marketplace, according to the Los Angeles Times.
The hacking group USDoD claimed it allegedly stole personal records of over 2.9 billion people from National Public Data, according to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida. According to the lawsuit, the breach is believed to have happened around April 2024.
What information is included in this data breach?
The class action law firm Schubert, Jonckheer & Kolbe declared in a press release that the stolen file also includes 277.1 gigabytes of data, alongside names, address histories, relatives, and Social Security numbers dating back to at least three decades.
According to a recent post from a cybersecurity expert on X, USDoD claims to sell the 2.9 billion records for citizens of the United States, U.K., and Canada on the dark web for $3.5 million. And since the information was posted for sale back in April, others have released different copies of the data, according to the cybersecurity and technology news site Bleeping Computer.
A hacker known as “Fenice” leaked the most complete version of the data for zero dollars on a forum in August, according to Bleeping Computer.
What’s National Public Data?
National Public Data is a Florida-based background check company under Jerico Pictures, Inc. While the company hasn’t publicly confirmed any data breach, the Los Angeles Times reported that people were contacted via email that “we are aware of some third-party claims about consumer data, and we’re further investigating these issues.”
What to do if you suspect your information has been stolen
If you believe that your information has been stolen and you think it shows up on the dark web, there are a couple of steps you can take yourself to prevent fraud or identity theft.
First, make sure your antivirus is up to date and performs enough security scans on all your devices. If you find any type of malware, most antivirus programs should be more than capable of removing it. However, in some instances, you might have to ask for professional help.
Then, you should update all your passwords for bank accounts, email accounts, and other services you might be using. You should also make sure they are strong and different for every single account. Include some uppercase and lowercase letters, numbers, and punctuation marks, and try to avoid using personal information that any hacker could guess.
On top of that, you can use multi-factor authentication for any accounts or services that offer it, simply to make sure you are the person logging in.
You can check your credit report, and report any kind of unauthorized use of your credit cards. Moreover, if you notice any suspicious activity, you can easily ask credit bureaus to freeze the credit. Be very careful with your email and social media accounts, and beware of any phishing, which would be an attempt to steal your personal information by misrepresenting who a message or even an email is really from.
How many people have been affected?
The number of people who have been impacted by this is yet to be determined. Even if the lawsuit claims “billions of individuals” had their data stolen, the total amount of the U.S. stands at around 330 million.
The lawsuit also points out that the data includes the personal information of deceased individuals. Bleeping Computer also shows that the hacked data involves somewhere around 2.7 billion records, with individuals having multiple records in the database.
To be more explicit, one individual might have different records for each address where they lived, which would imply that the number of impacted people could be far lower than the lawsuit actually claims. The data might reach back to at least three decades.
Did NPD alert individuals?
It’s still unclear if NPD provided any kind of warning to Hoffman or anyone else who might have been affected by the breach. As a matter of fact, upon further information and belief, the wide majority of Class Members were pretty unaware that their extremely sensitive personal information had been compromised, and that they were, and continue to be so, at significant risk of identity theft and other forms of personal, social, and financial harm.
Information security company McAfee also reported that it hasn’t found any kind of filings with state attorneys general. Some states might require companies that have experienced data breaches to file reports with their AG office.
Where can you find if your data was part of it?
There are many tools available that will directly monitor what kind of information about you is available on the dark web, according to Michael Blair, managing director of cybersecurity firm NukuDo. Commonly breached data also includes personal addresses, passwords, and email.
One of these services is how Hofmann, the one who filed the lawsuit in the first place, found out that his information had been leaked as part of an NPD breach. “You need to make sure you use reputable companies to look that up,” Blair explained.
What should I do to protect my information?
Security experts would recommend that consumers put some freezes on their credit files at the three big credit bureaus: Experian, Equifax, and TransUnion. Freezing your credit is completely free, and will definitely stop bad actors from taking out loans or even opening credit cards in your name.
Also, the biggest thing is to freeze your credit report, so it can’t really be used to open brand new accounts in your name or commit other fraud on your behalf.
How do you freeze your credit?
The only 100% foolproof defense consumers might have against scammers is to freeze their credits. A credit freeze is essential in hacks such as this one because scammers can’t really get their payday just using your Social Security number.
They have to pair it with other personal details before they even get to cash in. Credit freezes, also known as security freezes, block some lenders (or anyone else, for that matter), from accessing your credit reports.
This is considered to be quite a necessary step, especially when you apply for a credit card, auto loan, mortgage, or any other form of credit, for that matter. The only issue is that this already happened in April. If scammers already used your Social Security number and decided to open a fraudulent account before you froze your accounts, a credit freeze today won’t really help you. That horse is somehow out of the barn.
Other personal finance safety tips and tricks
The LA Times notes that most bad actors and scammers use consumers’ vulnerability to pounce on any kind of sensitive information. A common tactic they might use is to pose as a bank or employer and entice you to click a dangerous phishing link or even give up personal details.
Banks will never ask for account information by phone. However, scammers have convinced the victims to share important details like account numbers and passwords. The ensure full safety, you should make sure you pay attention to unsolicited calls, texts, and even e-mails, always use two-factor authentication if you can, vary your passwords and update them as often as you can, and if you ever have doubts, call the number on the back of your credit or debit card and ask for guidance.
If you found this article useful, we also recommend checking: 7 Bills You Should Never Pay by Credit Card
