On Aug. 14, an X post with over 8.5 million views claimed that the personal information of nearly every American, including Social Security numbers and physical addresses, may have been compromised in a recent data breach.
“Every American’s Social Security number may have been stolen in a new major hack, with over 2.7 billion records allegedly compromised from National Public Data. The stolen information includes Social Security numbers and physical addresses,” the viral post said.
Multiple readers, including Carol, have asked us whether their personal information is now at risk. Here’s what we can VERIFY.
THE SOURCES
- National Public Data
- Social Security Administration
- Class-action lawsuit filed in U.S. District Court for the Southern District of Florida
- Schubert Jonckheer & Kolbe LLP
- Top Class Actions
- McAfee, information security company
- Hack Manac, a cybersecurity company
- VX-Underground, an international cybersecurity research group
- National Cybersecurity Alliance
- U.S. Public Information Research Group (PIRG), a non-profit consumer watchdog
WHAT WE FOUND
Initial reports of the alleged data breach stem from a class-action lawsuit filed in Florida in August.
The lawsuit, which was filed by California resident Christopher Hofmann on Aug. 1, alleges that hackers gained access to the personal information of “billions of individuals” from National Public Data, a background check company based in Coral Springs, Florida.
National Public Data scrapes data from public record databases, national and state databases, and court records, including nonpublic sources, according to Schubert Jonckheer & Kolbe LLP, a law firm investigating the breach.
Schubert Jonckheer & Kolbe LLP says National Public Data then sells this private data to a wide range of organizations, including background check websites, investigators, app developers, and data resellers.
“Because individuals did not affirmatively provide their private information to NPD, individuals may not even know that they have been affected,” Schubert Jonckheer & Kolbe LLP said.
Hofmann claims his identity theft protection service notified him in late July that his personal information had been compromised by the “nationalpublicdata.com” breach.
The lawsuit claims the exposed information includes Social Security numbers, past and current addresses, names, and information about parents and siblings. Cybersecurity experts warn that this is the type of sensitive data that could allow a scammer to take out a loan in your name or gain access to your banking information.
Top Class Actions says at least two more class-action lawsuits have also been filed against National Public Data concerning the same data breach.
Has National Public Data or SSA confirmed the breach?
National Public Data confirmed the data breach on its website on Aug. 13.
“There appears to have been a data security incident that may have involved some of your personal information,” National Public Data said. “The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
The company says it has conducted a review of the potentially affected records and is now working to notify people who were affected by the breach. It also says it has implemented additional security measures “to prevent the reoccurrence of such a breach and to protect our systems.”
Many states require companies to report data breaches to their attorneys general offices. However, information security company McAfee said on Aug. 14 that it had not found any filings related to the breach.
Florida law requires companies to file notices of any data breach that impacts 500 or more Floridians. National Public Data says it is cooperating with law enforcement and governmental investigators regarding the breach.
Meanwhile, a Social Security Administration (SSA) spokesperson told VERIFY that “recent reports related to a data breach are unrelated to the Social Security Administration’s internal systems and data, neither of which has been compromised.”
When did the alleged breach happen?
According to National Public Data, a third-party bad actor attempted to hack into certain data in late December 2023. The company says the potential leaks occurred sometime in or around April and summer 2024.
The lawsuits allege that a cybercriminal group named USDoD gained access to National Public Data’s network and then published and sold its findings on the dark web.
One of the lawsuits claims the breach was first reported on June 1, by VX-Underground, an international cybersecurity research group, according to Top Class Actions.
Top Class Actions says VX-Underground claimed that the cybercriminal group “USDoD” was behind the attack and had posted the database containing 2.9 billion records for sale online for $3.5 million. VX-Underground also confirmed the authenticity of the data.
VX-Underground says the stolen database includes 277.1 gigabytes of data, including names, address histories, relatives, and Social Security numbers dating back at least three decades, according to Schubert Jonckheer & Kolbe LLP.
USDoD has no affiliation with the U.S. Department of Defense, which is commonly referred to by the acronym “DOD.”
How can I protect myself?
Cybersecurity experts recommended that you freeze your credit if you suspect your Social Security number or other personal information has been compromised.
It’s free to freeze your credit with the three major credit bureaus: Equifax, Experian and TransUnion, according to the U.S. Public Information Research Group (PIRG), a non-profit consumer watchdog.
Freezing your credit can block bad actors from taking out a loan or opening a new credit card in your name. But PIRG warns to never freeze your credit in response to an unsolicited email or text claiming to be from one of the credit agencies because it could be a scam.
The National Cybersecurity Alliance says freezing your credit will limit access to your credit reports, and you’ll have to remember to unfreeze your credit if you’re applying for a new credit card or mortgage. PIRG notes that freezing your credit does not directly increase or decrease your credit score.
You can freeze your accounts with the three major credit bureaus by phone or online:
You can also sign up for a tracking service that will alert you if your data appears on the dark web through services provided by companies like Norton and Google One.
If you suspect you are a victim of identity theft, the Social Security Administration recommends:
- Contacting the Federal Trade Commission at www.idtheft.gov, or call 1-877-IDTHEFT (1-877-438-4338); TTY 1-866-653-4261,
- Filing a police report with the police department where the identity theft took place and keeping a copy of the police report as proof of the crime,
- Contacting the fraud unit of one of the three consumer reporting companies
- Reporting Social Security scams online at oig.ssa.gov
The VERIFY team works to separate fact from fiction so that you can understand what is true and false. Please consider subscribing to our daily newsletter, text alerts and our YouTube channel. You can also follow us on Snapchat, Instagram, Facebook and TikTok. Learn More »