Did you get a recent notification that your personal information has been stolen? Even if you didn’t, your Social Security number, address, and other personal information may have been exposed in a massive—and confusing— security breach. Here is what you need to know and what steps you might need to take.
National Public Data
The information was allegedly stolen from National Public Data (NPD), a private company in Florida that aggregates personal information for background checks. The firm’s website brags, “Many different businesses use our service to obtain criminal records, background checks, and more all via XML integration.” The website goes on to say, “All our data is updated regularly. We guarantee freshness and quality. Search billions of records with instant results, and many searches are no hit/no fee. Our services are currently used by private investigators, consumer public record sites, human resources, staffing agencies and more. Join now and enjoy quality data with low fees.”
The website doesn’t say how the data is obtained, and an email to the company seeking comment was not returned. However, complaints filed against the company charged that the data had been scraped from non-public sources.
The Florida Secretary of State’s website indicates that National Public Data is a fictitious name for an entity in Coral Springs, Fla., owned by Jerico Pictures Inc. The website for Jerico Pictures currently features only a picture of a traffic cone with the words “The site is down for maintenance,” followed by the phrase “Come back quickly!”
The most recent corporate annual report filed with the state names Salvatore Verini Jr. as the President and Registered Agent for the Jerico Pictures. Verini, who has also been identified as a retired sheriff’s deputy, has a website, salvatoreverini.com, which touts his acting experience—he started his acting career in the 6th grade with the stage play “Annie”—and his filmography. There’s no mention of NPD on his personal site and an email seeking comment about his involvement with the company was not returned.
The breach has attracted the attention of those in Congress. On August 22, Reps. James Comer (R-Ky.) and Nancy Mace (R-SC) of the House Committee on Oversight and Accountability sent Verini a letter requesting “a briefing to confirm the veracity of the attack, and if accurate, assess the potential impacts of the breach to the U.S. government, businesses, and the American people, as well as National Public Data’s response to the attack.” The letter went on to note that Verini’s company “has yet to provide a substantive explanation about the self-described security incident.”
The Breach
So what happened, exactly?
On April 8, 2024, Hackmanac, a cybersecurity company located in Dubai, tweeted that there had been a massive data breach, stating, “2.9 billion records of USA, Canada, and UK citizens allegedly for sale for $3.5 million.” Hackmanac went on to name NPD as the source of the data, saying, “The threat actor USDoD claims to be selling a 4 TB database containing 2.9 billion rows apparently exfiltrated from National Public Data, a public records data provider specializing in background checks and fraud prevention. The database is for sale for $3,500,000, and the credentials for the server are included. Given the massive amount of data, the likelihood that this claim is inflated and that the data are scraped from public sources is high. Further analysis will confirm or deny these claims.”
The details of precisely what was stolen—and when—aren’t exactly clear. However, a post from Daily Dark Web, which investigated the claim, indicated, “The leaked data, which spans from the years 2019 to 2024, is of unprecedented magnitude, comprising 2.9 billion rows.” That, the post goes on to say, is “monumental, with the compressed data reaching 200GB to a staggering 4TB when uncompressed.”
Notably, “The breached database includes comprehensive citizen information, firstname, lastname, middlename, name_suff, address, city, county name, phone 1, aka1 fullname, ssn and more.”
NPD didn’t officially acknowledge the breach on its website until this month, posting, “There appears to have been a data security incident that may have involved some of your personal information. The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. We conducted an investigation and subsequent information has come to light…The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
Lawsuits
At least 12 lawsuits have been filed against NPD, doing business as Jerico Pictures, and there is a clear indication that more will follow.
Virtually all of the complaints follow a similar pattern—they are class action lawsuits. A class action allows one or more plaintiffs to file a legal action on behalf of a group, called a class. The idea is to allow a large group of individuals who have allegedly suffered similar harm to join together and file a single suit—keeping the court’s caseload manageable. Typically, if a lawsuit is certified as a class action, members of the class are bound by the outcome and can’t bring their own case to court.
To file as a class action, the plaintiffs and the class must have common (though not identical) stories resulting in similar harm. In this case, the named plaintiffs generally claim in court documents they did not willingly turn over information to NPD, that they were impacted by the breach, and that the breach occurred due to NPD’s failure to implement and follow basic security procedures.
It’s impossible to know at this time exactly how many accounts were stolen, but court documents suggest it could be “billions.” Brian Krebs of Krebs On Security reports that an analysis made by Atlas Data Privacy Corp. puts that number closer to 272 million unique Social Security numbers.
NPD has not filed a response in court. It remains unclear whether the company is represented by counsel. An email seeking comment was not returned.
Identity Theft
With the right pieces of data, a bad actor can steal your identity. According to the Department of Justice, in 2021, about 23.9 million U.S. residents age 16 or older—9% of the population—had experienced identity theft in the past 12 months, with 1 in 5 persons—22%—reporting it in their lifetime.
And it’s costly. According to the FBI’s Internet Crime Report, in 2023, identity theft resulted in more than $126 million in reported losses.
Social Security numbers are a valuable commodity and a top target for identity thieves. That’s because Social Security numbers have become synonymous with our personal identification numbers. It is how we are identified at the doctor’s office, school, banks, and even sometimes, at work. But the reality is that the Social Security number wasn’t intended to be anything other than a way of identifying workers and other qualifying individuals for purposes of Social Security benefits. The Social Security Administration (SSA) was created in 1935, and on December 2, 1936, SSN 055-09-0001, belonging to John D. Sweeney, Jr. of New Rochelle, New York, became the first Social Security record established in the country (interestingly, Sweeney never received any Social Security benefits).
Since then, more than 453 million Social Security numbers have been issued. We use them for a wide range of purposes—including filing and paying our taxes—even though Congress has approved only about 40 uses. However, one of those uses is pretty broad—the Social Security Act allows states and local governments to require a Social Security number for various tax and other reasons.
Your Social Security number is valuable and you should be careful about sharing it, even when you are asked. You should ask why your number is needed, how it will be used, and what will happen if you refuse. The answers to these questions can help you decide if you want to give out your Social Security number.
Pentester, a cybersecurity technology platform, claims you can check whether your Social Security number, date of birth, and other sensitive information may be in the NPD Breach. (I can report that my name popped up many times.)
What You Can Do
In response to the breach, the Social Security Administration issued a reminder about how to protect personal information while confirming that reports of a data breach are “unrelated to SSA’s internal systems and data, neither of which has been compromised.”
One way to protect yourself is to create an online account with the SSA. Social Security tracks your earnings history over your lifetime. You may receive a statement in the mail, but your history is also available online. To check it out, navigate to the my Social Security account page.
You’ll need to sign in. If this is your first time clicking through, you’ll also need to register. As with the IRS, SSA now uses ID.me to verify your identity. Once you’ve created an account, you can review your earnings record and estimate your benefits.
If you receive benefits, you can add security blocks to your Social Security account. The eServices block prevents anyone, including you, from viewing or changing your personal information online, while a Direct Deposit Fraud Prevention block prevents anyone, including you, from enrolling in direct deposit or changing your address or direct deposit information through my Social Security or a financial institution (via auto-enrollment). If you add blocks, you’ll need to contact SSA to make changes or remove the blocks.
If you believe your information has been stolen and you may be a victim of identity theft, visit the Federal Trade Commission’s IdentityTheft.gov, to make a report and get a recovery plan. You can also call 1.877.IDTHEFT (1.877.438.4338).
You should also file a police report and consider filing an online report with the Internet Crime Complaint Center (IC3) at ic3.gov.
Finally, contact the IRS to prevent someone else from using your Social Security number to file a tax return to receive your refund. Visit Identity Theft Central on the IRS website or call 1.800.908.4490.
Freeze Your Credit
You can also freeze your credit. It’s free, but you’ll have to place a freeze with the three big consumer credit reporting agencies: Equifax, Experian, and TransUnion.
When you freeze your credit, creditors cannot access your credit report. That means that no one—including you—will be able to open any new accounts in your name during the freeze. To apply for credit or to run a credit check for purposes of signing a lease or applying for a new job, you will need to lift your credit freeze permanently or temporarily.
Freezing your credit should happen in real time if you do it online or over the phone, but it can take up to one business day. If you do it by mail, agencies have three days to act.
Unfreezing your credit should happen in real time if you do it online or over the phone, but it can take up to one hour. Again, if you do it by mail, agencies have three days to act.
Importantly, freezing your credit does not impact your credit score.
Monitor Your Accounts
Freezing your credit does not create alerts or prevent someone who already has access to your account from making bogus charges. You should consider setting up alerts for transactions on your bank accounts and credit cards and regularly checking your bank statements and credit reports for unauthorized transactions.
Consider adding a “trusted contact”—this is especially helpful for seniors who may need assistance monitoring accounts. Since 2018, the Financial Industry Regulatory Authority (FINRA) has required investment companies to ask customers whether they’d like to designate another adult the firm can contact. This trusted contact doesn’t control a customer’s accounts or the ability to see what’s in them. But the investment company can contact this designee if they see suspicious activity in an account and can’t reach its owner.
While banks and credit unions aren’t required to ask for a trusted contact name, the Consumer Financial Protection Bureau (CFPB) reports more are offering customers the option. (Be sure to read the form and see what you’re agreeing to.)
Other Protections
Change your passwords regularly—security experts suggest every three months—and don’t use the same password for multiple accounts. Using a unique password for each account will protect other accounts if a password is stolen.
You can add an extra layer of security to your online accounts by using multi-factor authentication (MFA), a sign-in process that requires a password plus an additional step or action, like entering a code or PIN from an app. Banks and agencies—including the IRS—increasingly require you to use MFA to sign in to your accounts.
Finally, contact your financial institution immediately if you notice any unauthorized or suspicious transactions. With access to online accounts, scammers and bad actors can move quickly—the money is often gone within 24 hours. Once it’s gone, your chances for recovery are slim. Your best bet is to report any unusual activity as quickly as possible.