Your Social Security number was almost certainly stolen by a hacker. And offered for sale in the Internet’s underground.
Again.
Don’t be alarmed; just be careful.
Thanks to a class-action lawsuit made public earlier this week, we know that a company you’ve never heard of with the cryptic (and now ironic) name “National Public Data” had its massive trove of private information stolen by criminals back in April. In fact, the company said, it had been fighting off attacks as far back as December.
In a rather timid online mea culpa, Florida-based National Public Data said this week that there were “potential leaks of certain data in April 2024 and summer 2024…. What Information Was Involved? The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
You’re all wondering, as you should: “Who is National Public Data and why did it have all my personal information, since I never granted that outfit permission?” It’s a backgrounding company that other companies use to see if they are about to hire a criminal by accident. It specializes in “fraud prevention.” (Calling The Onion!) For what it’s worth, National Public Data’s About Us page looks like it was set up by someone in a very big hurry, so I don’t blame you for not trusting it.
There are lots more allegations about what happened in that class-action lawsuit. The hacker group that posted the information for sale goes by the cutesy name “USDod,” the lawsuit says. And on April 8, it posted an ad to sell the stolen data on an underground forum. “They claimed it contained 2.9 billion records on U.S. citizens. They put the data up for sale for $3.5 million,” the suit says.
Did anyone buy it? Who knows. But apparently the database has popped up for sale in other locations, too…often with small subsets of the data shared as part of the advertisement. BleepingComputer.com has tracked these ads.
How worried should you be about this? No more worried than you were after the Equifax hack, which is to say…you do already look at your credit report once a year, don’t you? You have already considered a credit freeze on your credit reports, haven’t you? And you’ve kept up with all those free offers of credit monitoring you get after hacks like this, right?
Clearly, this hack is bad, and you should be on slightly-higher-than-normal alert that something bad might happen to you. But the larger concern I have is that some large criminal enterprise or a state actor (one and the same, perhaps) is hoarding all this data in a dark place for use in some major cyber attack in the future. You can’t do much to stop that.
And I’m also concerned that companies like this have your personal information without your knowledge. This is one reason it’s long past time to pass a federal privacy law but…well, we’re not good at that kind of thing.
If you want more what-to-do tips, Ron Lieber of The New York Times offers his usual straightforward insights and advice in his Your Money column, which you should read. But basically – set up two-factor authentication everywhere you can, don’t ignore strange emails or alerts, DO ignore weird messages from friends, and hope for the best.