A very recent, massive data breach involving Social Security numbers and other sensitive personal data of millions of Americans occurred at a company called National Public Data (NPD).
Here’s what we know so far:
- Scope. The breach is estimated to have affected a staggering 2.9 billion records, potentially exposing the Social Security numbers, full names, phone numbers, and current and past addresses of nearly every American. It’s unclear if all records are unique, or if there are duplicates but it is known that data includes consumers and their family members dating back at least three decades.
- Data Leak. The data was initially offered for sale on the dark web by a cybercriminal organization known as USDoD around April 2024 for a price of $3.5 million. Later, the database was leaked for free on a hacker forum.
National Public Data Response
National Public Data collects and sells access to personal data for use in background checks, to obtain criminal records, and for private investigators.
It’s not lost the irony of a company holding large amounts of sensitive personal information for background and criminal checks is unable to protect the public’s information.
NPD has confirmed the breach and is cooperating with law enforcement. They acknowledge leaks of certain data in April 2024 and Summer 2024 and believe the breach is associated with a threat actor attempting to hack their systems in late December 2023.
NPD Impact on Consumers
It has been reported that billions of people’s data was published on the dark web around April 8, 2024. However, many identity theft victims are likely unaware of their exposure because they have not received a notification or statement from the National Public Data.
The breach has serious implications for affected individuals, increasing their risk of identity theft and fraud. If you live in the US, this data breach has likely leaked some of your personal information. The leaked information consists of the following information:
- Person’s Name
- Mailing addresses
- Phone numbers and in some cases, email addresses
- Social Security number
- Some records may include additional information, like other names associated with the person
NPD has offered a look-up tool for concerned consumers to check if their SSN has been breached at npdbreach.com and npd.pentester.com.
What Should Consumers Do
The best advice for those concerned about the breach is to monitor your credit reports weekly and to freeze credit files at each of the three major consumer reporting bureaus. This makes it much harder for identity thieves to open new accounts in your name.
The NPD incident is a very serious breach with potentially far-reaching consequences and highlights the vulnerabilities of even companies that specialize in handling sensitive data.
Consider additional protections like LifeLock
While freezing and monitoring your credit reports is a powerful way to prevent new accounts from being opened in your name, LifeLock and similar services offer additional layers of protection and convenience beyond just credit freezes including:
- Identity Theft Insurance: They provide financial reimbursement for expenses incurred due to identity theft, like lost wages, legal fees, and costs associated with restoring your identity.
- Stolen Funds Reimbursement: Some plans include reimbursement for stolen funds from your bank accounts or investment accounts.
- Dark Web Monitoring: They scan the dark web for your personal information, like your Social Security number or credit card numbers, being sold or traded.
- Identity Restoration: If you do become a victim of identity theft, they provide expert assistance in restoring your identity and cleaning up the mess.
- Additional Services: Depending on the plan, they may offer additional services like data breach notifications, social media monitoring, and VPNs for secure online browsing.