Sensitive personal data belonging to every American including their Social Security number, address, date of birth and phone number was stolen online by hackers who have put the information up for sale on the dark web, it was alleged in a lawsuit.
The class-action lawsuit was filed against Jerico Pictures Inc., a background check and fraud prevention company that does business as National Public Data.
A cybercriminal group that calls itself USDoD uploaded a large database titled “National Public Data” to a dark web forum.
The database, which the group has offered for sale at $3.5 million, is said to contain the personal data of nearly 3 billlion people living in the United States, United Kingdom and Canada, according to a federal lawsuit filed in Fort Lauderdale on Aug. 1.
Cybersecurity experts said many of the stolen data records are duplicates and that the actual number of people impacted by the breach is likely smaller than what is claimed in the lawsuit.
News of the lawsuit was first reported by Bloomberg Law.
NPD is said to collect data from public sources of information which it then uses to compile user profiles for people in the US and other countries.
According to the news site BleepingComputer, several individuals have confirmed seeing their and their family members’ legitimate information, including Social Security numbers and mailing addresses that belong to people both living and deceased.
The lawsuit was initiated by California resident Christopher Hofmann, who said an identity theft watchdog notified him earlier this summer that his data were exposed in a breach and leaked on the dark web.
Hofmann is demanding that NPD purge its records of all personal information and that it encrypt all of its collected data in the future.
He is seeking unspecified monetary damages.
The Post has sought comment from NPD.
How to know if your Social Security number has been leaked
Dr. Tommy Morris, a cybersecurity expert who teaches at the University of Alabama at Huntsville, recommended that internet users visit this free website to determine whether their data were hacked in the NPD breach.
Morris told The Post: “There are credit monitoring services available that monitor the internet for references to your Social Security number and other personal identifying information.”
While these services usually cost money, the large credit bureaus, Google and others offer these services free of charge, according to Morris.
Cybersecurity experts urge those who fear their Social Security number was hacked to visit the Have I Been Pwned website.
Visitors to the site can enter their email address to see if their personal data have been leaked — though it is unlikely to confirm if your Social Security number is floating around the dark web.
It is likely that some of your personal data have been appearing on underground websites that cybercriminals use to traffic and trade information.
How to freeze your Social Security number
The most sure-fire way to protect yourself is to freeze your credit files.
“If you suspect your Social Security number has been leaked, the first step you should take is to put a freeze on your credit files at the three major credit bureaus, Experian, Equifax and TransUnion,” Ted Jenkin, an Atlanta-based business consultant, told The Post.
“It’s also a good idea to notify your bank and/or brokerage company for any unusual activity as well.”
Jenkin said tax filers should be on the lookout for someone who could attempt to use the stolen data to submit fraudulent tax returns to the IRS.
“Most importantly, it’s entirely possible that someone the following tax season will attempt to file a fraudulent tax return, so look to get a PIN number from the IRS for filing your taxes,” he said.
Justin Rush, a Michigan-based financial planner, agreed, telling The Post: “Freezing your credit reports is generally a good habit to get into in case a bad actor tries to apply for a credit card or loan in your name.”
“After this, there are many identity theft products that can help monitor activity and place an extra layer of security and monitoring in place.”
How to minimize the chances of your Social Security number and data being leaked
Tony Fiorillo, a financial adviser with Indianapolis-based Asset Management Strategies, told The Post that he tells his clients to safeguard their data by turning on two-factor authentication and by buying a separate device — either a cheap laptop or a tablet — that would be used exclusively to access money sites.
“Do not read email, browse the web or conduct any online activity [on your separate device] other than accessing your money sites,” Fiorillo told The Post.
Andy LoCascio of advisory firm QVeritySecure told The Post that people need to check all recent bank transactions and change all bank passwords.
“Never assume that just your password has been stolen,” he said.
“Always treat this as an identity theft and change all your other passwords. If someone tries to access one of those accounts, you might get an email that provides additional visibility to what has been captured.”