Social Security number data breach: What you need to know

An estimated 2.9 million Social Security numbers and other PII have been leaked onto the dark web in a National Public Data breach.

Social Security numbers are critically important pieces of personal data for Americans. SSNs are considered to be a primary type of personally identifiable information (PII) and are supposed to be kept secure and private.

National Public Data disclosed a massive data breach in August 2024, which involved the Social Security numbers of nearly every American. The data leaked also includes full names, phone numbers, and current and past addresses.

The total number of records breached is estimated to be 2.9 billion records, totaling 277GB of data. It is unclear whether all the records are unique or, as some cybersecurity experts suspect, include duplicates. Records include people living in the United States, United Kingdom and Canada.

A cybercriminal organization known as USDoD is allegedly behind the data breach. USDoD initially tried to sell all the data for approximately $3.5 million worth of cryptocurrency on a dark web forum.

What is National Public Data?

National Public Data (NPD) is a data broker company based in Coral Springs, Fla. The company was founded in 2008 by Salvatore Verini and is technically part of a business known as Jerico Pictures.

The company provides background check services to a variety of clients -- including employers, private investigators and other businesses that require verification of individuals' backgrounds. The company's services encompass searches for criminal records, vital records and Social Security numbers.

NPD's database is designed to assist in making informed decisions about hiring, tenancy and other personal assessments.

What information was stolen?

The following information was included in the NPD data breach:

  • Full names. Complete names of individuals, which are crucial for identity verification.
  • Addresses. Current and past addresses, spanning up to three decades, providing a comprehensive history of individuals' residences.
  • Social Security numbers. A critical piece of PII used for many official purposes -- such as obtaining a loan or credit card -- making them highly valuable for identity theft.
  • Phone numbers. Contact information that can be exploited for phishing and other fraudulent activities.
  • Dates of birth. Essential for identity verification and often used in combination with other data to commit fraud.
  • Information about relatives. Data on people's family members -- including parents, siblings, aunts, uncles and cousins.
  • Criminal records. The breach potentially includes criminal records, as NPD offers background check services including criminal record searches.

Did NPD alert consumers about the breach?

NPD did not immediately alert consumers about the breach.

The company first acknowledged that it was the victim of a data breach in a breach disclosure notification published on its website on Aug. 15, 2024.

In the disclosure, NPD acknowledged that a third-party threat actor attempted to hack into NPD data in December 2023, with potential leaks in April 2024 and summer 2024.

How to determine what data breaches you've been involved in

There are several ways individuals can determine if their personal information has been compromised in this or other data breaches. Consider the following methods:

  • Have I Been Pwned. HIBP was created by researcher Troy Hunt as a free service. A user can enter their email address to see if it has been involved in known data breaches.
  • Credit monitoring services. Many credit monitoring services -- such as those offered by Equifax, Experian and TransUnion -- provide alerts for suspicious activity on credit reports, which can indicate a data breach.
  • Monitor financial accounts. NPD's official disclosure advises individuals to closely monitor their financial accounts for any unauthorized activity.
  • Watch for notifications. While not always reliable, companies sometimes notify individuals if their data has been involved in a breach. However, in this case, NPD initially did not provide widespread notification.

What can bad actors do with this personal information?

Bad actors can potentially use the stolen personal information for a variety of malicious purposes, including the following:

  • Opening fraudulent credit card accounts. Bad actors use stolen identities to open new lines of credit.
  • Applying for loans. Securing loans in victims' names leaves them with the financial burden.
  • Committing tax fraud. Stolen PII enables bad actors to file false tax returns to claim refunds.
  • Accessing existing financial accounts. This provides unauthorized access to bank accounts.
  • Creating fake identities. This is often done for illegal activities.

How to protect yourself

There are several things people can do to protect against this data breach and others like it, including the following:

  • Monitor accounts. Closely monitor financial accounts and promptly contact the financial institution if any unauthorized activity is observed.
  • Get a credit report. Contact the three U.S. credit reporting agencies -- Equifax, Experian and TransUnion -- to obtain a free credit report from each by calling 1.877.322.8228 or visiting www.annualcreditreport.com.
  • Check with the FTC. The Federal Trade Commission's identity theft website can provide information about what to do in the case of identity theft and data breaches.
  • Get a free fraud alert. Place a free fraud alert on your credit file. This can be done by contacting any one of the three major credit bureaus:
    • Equifax: Call 1.800.685.1111 or visit its website.
    • Experian: Call 1.888.397.3742 or visit its website.
    • TransUnion: Call 1.888.909.8872 or visit its website.
  • Consider freezing your credit. Contact the major credit bureaus to freeze your credit, preventing unauthorized access.
  • Use strong, unique passwords. Implement strong passwords for all online accounts and enable two-factor authentication where possible.
  • Employ a password manager. Use a password manager to securely store and generate complex passwords.
  • Beware of phishing. Remain cautious of phishing attempts and verify the authenticity of any suspicious communications.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.
