A massive hack may have exposed the personal data of many of us in the United States, the United Kingdom, and Canada, including, among other sensitive data, Social Security numbers. If true, this breach puts many at risk of identity theft, but the story isn't so cut and dried.
As initially reported by Bloomberg Law, the exposure is the fault of Jerico Pictures Inc., operating as the background check company National Public Data, according to a lawsuit against the company. The suit alleges that, on April 8 of this year, the hacking group USDoD uploaded a database called, simply, "National Public Data" to the dark web site Breach Forums. This database, as outlined by the lawsuit, supposedly contained the information of 2.9 billion people. That data could have been yours for the price of $3.5 million.
Since this story initially broke, however, it turns out that number may have been inflated. While the lawsuit alleges the breach contains the data of nearly three billion people, BleepingComputer reports the hacking group claims to have stolen 2.9 billion data records. A member of the hacking group subsequently released most of the data for free, uploading 2.7 billion data records to the web. Many victims have multiple data records belonging to them in this database, which means the number of people affected is far below the 2.9 billion outlined in the lawsuit. A previous version of this article reported that number based on the lawsuit.
That said, this is still a serious breach. The hacking group claims to have stolen the data of every American, Briton, and Canadian, but so far, this claim is unverified. Even still, 2.7 billion records is massive, and the data stolen is concerning.
National Public Data (the company, not the database) reportedly collects the data of billions of us from "non-public" sources, unbeknownst to those the data belongs to. This data isn't anonymous, either: It includes information like Social Security numbers, home addresses (both current and former), full legal names, and other names the person has used—data that can easily be tied directly to you.
The suit has been brought by one Christopher Hofmann from California, who says he learned about this practice after his identity protection service alerted him to the data breach. Through the lawsuit, Hofmann wants a few things: a payout, National Public Data to delete all the data it collected from affected users, and for the company to implement changes to prevent this from happening again: namely, to protect future collected data with encryption.
It's not clear how National Public Data was able to obtain some of this information, particularly sensitive data like Social Security numbers. However, it appears some of the data may be outdated or incorrect: Some readers told BleepingComputer their Social Security numbers were tied to the wrong people, while others found current addresses were not listed in the database.
What can you do?
These situations are tricky, because the breached data wasn't stolen from a service you actively use. As such, you can't change a password or close an account. Instead, it may be best to seek professional services.
If you don't have one already, consider signing up for a credit monitoring service. National Public Data is not warning affected users: Only a service that looks for stolen data online can let you know if your data, such as your Social Security number, was included in this breach. From here, the service may be able to guide you through steps to take going forward. PCMag, our sister site, has a list of the best identity theft protection services, including:
In addition, be mindful of phishing attempts following this data breach. Bad actors may take advantage of the situation to trick you into providing the information they don't have: They may pretend to be your bank, and try to get you to confirm a two-factor authentication code to break into your account. Stay vigilant, and be skeptical of any strange text messages, emails, or phone calls that request your information.