
Data Breach, And Other Personally Identifiable Information (PII) 2024
What You Need to Know
TL;DR: An estimated “3 Billion Records” that contain Social Security Numbers (SSN) and other Personally Identifiable Information (PII) have been leaked onto the dark web in a breach that impacted National Public Data.
Check to see if you are impacted: NPD Breach Check – Pentester.com
Social Security Numbers (SSN) are critical pieces of personal data for U.S. citizens. SSNs are considered to be a primary type of Personally Identifiable Information (PII), and are expected to be kept secure and private.
Unfortunately, National Public Data disclosed a massive data breach of their systems in August 2024. The impacts include the Social Security numbers of nearly every U.S. citizen. The data leaked also includes full names, phone numbers, and current and past addresses.
The total number of records breached is estimated to be 2.9 billion records, totaling 277GB of data. It is unclear whether all the records are unique or whether some are duplicates. Records include people living in the United States, United Kingdom, and Canada.
A cybercriminal organization known as USDoD is allegedly behind the data breach. USDoD initially tried to sell all the data for approximately $3.5 million worth of cryptocurrency on a dark web forum.
What is National Public Data?
National Public Data (NPD) is a data broker company based in Coral Springs, Florida. The company was founded in 2008 by Salvatore Verini, and he is part of a business known as Jerico Pictures.
Salvatore’s company provides background check services to a variety of clients, including employers, private investigators, and other businesses that require verification of background checks. The company’s services encompass searches for criminal records, vital records and Social Security numbers. NPD’s database is designed to assist in making informed decisions about hiring, tenancy and other personal assessments.
What information was stolen?
The following information was included in the NPD data breach:
· Full names – Complete names of individuals, which are crucial for identity verification.
· Addresses – Current and past addresses, spanning up to three decades, providing a comprehensive history of individuals’ residences.
· Dates of birth – Essential for identity verification and often used in combination with other data to commit fraud.
· Social Security Numbers – A critical piece of PII used for many official purposes, such as obtaining a loan or credit card, making them highly valuable for identity theft.
· Phone numbers – Contact information that can be exploited for phishing and other fraudulent activities.
· Criminal records – The breach potentially includes criminal records, as NPD offers background check services including criminal record searches.
· Information about relatives – Data on people’s family members, including parents, siblings, aunts, uncles and cousins.
Did NPD alert consumers about the breach?
NPD did not immediately alert consumers about the breach.
The company first admitted and acknowledged that it was the victim of a data breach in a breach disclosure notification published on its website on August 15, 2024. In the disclosure, NPD acknowledged that a third-party threat actor attempted to hack into NPD data in December 2023, with potential leaks in April 2024 and summer 2024.
How to determine what data breaches you’ve been involved in
There are several ways individuals can determine if their personal information has been compromised in this or other data breaches. Consider the following methods:
· Have I Been Pwned (HIBP): check if your email has been compromised in a data breach. HIBP is a free service where a user can enter their email address to see if it has been involved in known data breaches.
· Credit monitoring services. Credit monitoring services, such as those offered by Equifax, Experian, and TransUnion, will provide alerts for suspicious activity on credit reports, which can indicate a data breach.
· Monitor financial accounts. NPD’s official disclosure advises individuals to closely monitor their financial accounts for any unauthorized activity.
· Watch for notifications. While not always reliable, companies sometimes notify individuals if their data has been involved in a breach. However, in this case, NPD initially did not provide widespread notification.
What can the bad actors do with this personal information?
Bad actors can potentially use the stolen personal information for a variety of malicious purposes, including the following:
· Opening fraudulent credit card accounts. Bad actors will use stolen identities to open new lines of credit.
· Applying for loans. Securing loans in victims’ names leaves them with the financial burden.
· Committing tax fraud. Stolen PII enables a bad actor to file false tax returns to claim refunds.
· Accessing existing financial accounts. Unauthorized access to financial accounts.
· Creating fake identities. This is often done for illegal activities.
How to protect yourself
There are several things you can do to protect yourself against this data breach and similar ones, including the following:
· Monitor your accounts. Closely monitor financial accounts and promptly contact the financial institution if any unauthorized activity is observed.
· Get a credit report. Contact the three U.S. credit reporting agencies: Equifax, Experian and TransUnion, to obtain a free credit report from each by calling 1.877.322.8228 or visiting www.annualcreditreport.com.
· Check with the FTC. The Federal Trade Commission’s identity theft website can provide information about what to do in the case of identity theft and data breaches.
· Get a free fraud alert. Place a free fraud alert on your credit file. This can be done by contacting any one of the three major credit bureaus:
o Equifax: Call 1.800.685.1111 or visit its website.
o Experian: Call 1.888.397.3742 or visit its website.
o TransUnion: Call 1.888.909.8872 or visit its website.
· Consider freezing your credit. Contact the major credit bureaus to freeze your credit, preventing unauthorized access.
· Use strong and unique passwords. Create strong passwords or passphrases for all online accounts, and enable multi-factor authentication where possible.
· Use a Password Manager. Use a password manager to securely store and generate complex passwords.
· Beware of phishing. Remain cautious of phishing attempts, and verify the authenticity of any suspicious communications.
What to do if you are affected by the leak
If your Social Security Number was breached, the best thing to do is to freeze your credit by using or creating an account with one of the three consumer credit reporting agencies: Equifax, Experian or TransUnion. This can prevent identity theft. Credit reporting agencies also have services for those who set up accounts to check if their Social Security Number has been compromised. You can always unfreeze the account if needed.
Even if your Social Security Number was not leaked, be sure to monitor your Social Security Number for any unexpected usage. Be sure to set up Multi-Factor Authentication (MFA) on your financial and personal accounts that may hold sensitive data, and on as many online accounts as possible, or use an authentication app to secure your online accounts.
By Dave Broucek, Trusted Advisor and Cybersecurity