
Hackers May Have Stolen Every American’s Social Security Numbers. How to Protect Yourself


About four months after a notorious hacking group claimed to have stolen an unusually large amount of sensitive personal information from a major data broker, a member of the group has reportedly released most of it for free on an online marketplace for stolen personal data.

The breach, which includes Social Security numbers and other sensitive data, could lead to a range of identity theft, fraud and other crimes, according to Teresa Murray, director of consumer enforcement for the US Public Information Research Group.

“If this is in fact the entire record of all of us, it is certainly much more concerning” than previous breaches, Murray said in an interview. “And if people in the past did not take precautions, as they should have, this should be a five-alarm wake-up call for them.”

According to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, the hacking group USDoD claimed in April to have stolen personal data on 2.9 billion people from National Public Data, which provides personal information to employers, private investigators, employment agencies and others who perform background checks. The group offered to sell the data, which included records from the United States, Canada and the United Kingdom, for $3.5 million to hackers on a forum, a cybersecurity expert said in a post on X.

Bloomberg Law reported on the lawsuit.

Last week, an alleged USDoD member identified only as Felice told the hacking forum that they were offering “the entire NPD database,” according to a screenshot captured by BleepingComputer. The information consists of approximately 2.7 billion records, each containing an individual’s full name, address, date of birth, Social Security number and phone number, along with alternate names and dates of birth, Felice claimed.


National Public Data did not respond to a request for comment and did not formally notify people about the alleged breach. However, it did tell people who contacted the company by email that “we are aware of certain third-party claims regarding consumer data and are investigating these issues.”

In that email, the company also said that it had “purged the entire database as a whole of all listings, and essentially unsubscribed everyone.” As a result, the company said, it has removed all “nonpublic personal information” about people, though it added: “We may be required to retain certain data to comply with legal obligations.”

Several cybersecurity news outlets have looked at some of the data Felice offered and said it appears to be real people’s information. If the leaked material is what it claims to be, here are some of the risks and steps you can take to protect yourself.

The threat of identity theft

The leak should provide much of the information that banks, insurance companies and service providers seek when creating accounts, and when granting a request to change the password of an existing account.

There appeared to be a few key pieces missing from the hackers’ haul. One was email addresses, which many people use to log into services. Another was driver’s license or passport photos, which some government agencies use to verify identities.

Still, PIRG’s Murray said that bad actors could do “all sorts of things” with the leaked information, the most worrisome of which would likely be to try to take over someone’s accounts — including their banks, investments, insurance policies and email. With your name, Social Security number, date of birth and mailing address, a fraudster could create fake accounts in your name or try to convince someone to reset the password to one of your existing accounts.

“For someone who is really good at it,” Murray said, “the possibilities are endless.”

It’s also possible that criminals could use information from previous data breaches to add email addresses to the data in the reported National Public Data breach. Armed with all that, Murray said, “you can cause all kinds of chaos, commit all kinds of crimes, steal all kinds of money.”


How to Protect Yourself

Data breaches have become so common in recent years that some security experts say sensitive information about you is almost certainly available in the dark corners of the internet. And there are a lot of people who can find it; VPNRanks, a website that rates virtual private network services, estimates that 5 million people a day access the dark web via the anonymous Tor browser, though only a fraction of those people have malicious intent.

If you suspect that your Social Security number or other important identifying information about you has been compromised, experts recommend freezing your credit files with the three major credit bureaus, Experian, Equifax and TransUnion. It’s free to do, and it prevents criminals from taking out loans, signing up for credit cards and opening financial accounts in your name. The catch is that you’ll have to remember to temporarily lift the freeze if you apply for or obtain anything that requires a credit check.

You can initiate a freeze online or by phone, working with each credit bureau separately. PIRG warns you never to respond to an unsolicited email or text message that appears to come from one of the credit bureaus. Such a message is likely the work of a scammer trying to trick you into divulging sensitive personal information.

For more information, please refer to PIRG’s step-by-step guide to credit freezes.

You can also sign up for a service that monitors your accounts and the dark web to protect you from identity theft, usually for a fee. If your data is exposed in a breach, the company whose network was hacked will often offer one of these services for free for a year or more.

As important as these steps are for preventing people from opening new accounts in your name, they don’t really help protect your existing accounts. Oddly enough, those accounts are especially vulnerable to identity thieves if you haven’t signed up for online access, Murray said — that’s because it’s easier for thieves to create a login and password while pretending to be you than it is to crack your existing login and password.


Of course, it helps to have strong passwords that are different for every service and changed periodically. Password manager apps provide an easy way to create and keep track of passwords by storing them in the cloud, essentially requiring you to remember one master password instead of dozens of long, unpronounceable passwords. These are available both free (such as Apple’s iCloud Keychain) and for a fee.

Additionally, experts say it’s extremely important to sign up for two-factor authentication, which adds an extra layer of security to your login and password. The second factor is usually something sent to or tied to your phone, such as a text message; a more secure approach is to use an authenticator app, which will keep you safe even if your phone number is hijacked by scammers.

Yes, scammers can hijack your phone number through techniques called SIM swaps and port-out fraud, leading to more identity theft nightmares. To protect you in this regard, AT&T lets you create a passcode that restricts access to your account; T-Mobile offers optional protection against porting your phone number to a new device; and Verizon automatically blocks SIM swaps by disabling both the new device and the existing one until the account holder turns on the existing device.

Your worst enemy may be you

As much as or more than hacked data, scammers rely on people to give up sensitive information about themselves. A common tactic is to pose as your bank, employer, phone company, or other service provider you’ve done business with, and then try to lure you in with a text message or email.

For example, banks routinely tell customers that they will not ask for their account information over the phone. Yet scammers have convinced victims to hand over their account numbers, logins, and passwords by posing as bank security guards trying to stop an unauthorized withdrawal or other supposedly urgent threat.

People may even get an official-looking email purporting to be from National Public Data, offering to help them with the reported breach, Murray said. “It won’t be the NPD trying to help. It will be some bad guy overseas” trying to scam them out of sensitive information, she said.

It’s a good rule of thumb to never click on a link or call a phone number in an unsolicited text or email. If the message warns of fraud on your account and you don’t want to just ignore it, find the phone number for that company’s fraud department (it’s on the back of your debit and credit cards) and call for advice.

“These bad guys, this is what they do for a living,” Murray said. They might send out tens of thousands of queries and only get one response, but that response could net them $10,000 from an unwitting victim. “Ten thousand dollars in one day for one hit on one victim, that’s a pretty good return on investment,” she said. “That’s what motivates them.”


This story originally appeared in the Los Angeles Times.
