BETHLEHEM, Pa. — Social media and news outlets this week have sounded the alarm to consumers that their data could have been leaked in a massive data breach.
National Public Data, a Florida-based background check company, announced details of its security breach on its website, saying information such as names, email addresses, phone numbers, Social Security numbers and mailing addresses may have been leaked.
Nearly 2.9 billion individuals' information may have been leaked into the dark web after a hacker group called USDoD tried to sell the data for $3.5 million.A class-action lawsuit filed in Florida
"The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024," the webpage said.
"We conducted an investigation and subsequent information has come to light."
A class-action lawsuit filed in Florida alleges nearly 2.9 billion individuals' information may have been leaked into the dark web after a hacker group called USDoD tried to sell the data for $3.5 million.
"While no details have yet been revealed by Defendant as to how or when the data breach occurred, upon information and belief, a cybercriminal group by the name of USDoD gained access to Defendant’s network prior to April 2024," the lawsuit reads.
"And was able to exfiltrate the unencrypted PII of billions of individuals stored on Defendant’s network" the “Data Breach.”
The lawsuit alleges information from those deceased for upwards of two decades has also was involved in the leak and address information from individuals for the past 30 years.
How to tell if you've been affected
Some consumers, such as the plaintiff mentioned in the class action lawsuit, report having been contacted by financial institutions or credit bureaus of suspicious activity on their credit.
The suit says the plaintiff was notified by Experian around late July 2024 that his information, "including his Social Security number, is being sold on the Dark Web after a breach involving Defendant and/or Defendant’s website, www.nationalpublicdata.com."
National Public Data's webpage called "Security Incident" also said it's notified those affected.
For those who are concerned but have not been contacted, cybersecurity firm Pentester claims to have obtained the leaked data and created a search tool for consumers to determine whether their data was part of the breach.
Richard Glaser, co-founder of Pentester, said in an email that based on the raw, breached data it obtained, the total number of leaked records in Pennsylvania amounts to 110,072,993.
That number includes multiple records for single individuals and also for deceased people.
NPDbreach.com, operated by the Data Dividend Project and Atlas Privacy, also offers the same screening capability as Pentester.
The sites ask for information such as first name, last name, ZIP code, state and birth year to search for leaked data.
What can you do?
Pedro Robles, an assistant teaching professor of Cyber Analytics and Operations at Penn State Lehigh Valley, said "it's more important than ever to protect your personal information," given the recent data leak.
"It's crucial not to feel overwhelmed and to respond with common sense," Robles said. "Cybercriminals are constantly challenging networks and institutions to obtain data for various purposes.
"The fact that the news was delayed for almost a year has led to many interpretations, and we may never know the complete facts."
"If your personal information has been misused, visit the FTCs site at IdentityTheft.gov to report the identity theft and get recovery steps. Even if you do not find any suspicious activity on your initial credit reports, it is recommended that you check your credit reports periodically so you can spot problems and address them quickly."National Public Data's website
National Public Data's webpage on the data breach recommends consumers put a fraud alert on their credit file or freeze it through the one of the three major credit bureaus: Equifax, Experian or TransUnion.
A credit freeze will remain in place until the consumer asks the credit bureau to temporarily remove it.
The company also suggests requesting a credit report from credit bureaus to review accounts for inquiries consumers might not recognize so they can report them.
"If your personal information has been misused, visit the FTCs site at IdentityTheft.gov to report the identity theft and get recovery steps," the website says.
"Even if you do not find any suspicious activity on your initial credit reports, it is recommended that you check your credit reports periodically so you can spot problems and address them quickly."
Other suggestions
Robles also recommends following suggestions from the Social Security Administration to safeguard personal information.
The SSA advises consumers to monitor their Social Security accounts, limit access to their Social Security numbers, enhance online security — using strong or unique passwords and enabling multi-factor authentication — and stay up to date on recent scams.
For those who have had their Social Security numbers compromised, the SSA suggests to:
- Report identity theft at IdentityTheft.gov. Consumers can also call 1-877-IDTHEFT
- File a police report
- Report the cybercrime to the Internet Crime Complaint Center to alert law enforcement and regulatory agencies
- Regularly monitor credit reports
- Contact the IRS to prevent fraudulent tax filings through their Identity Protection Specialization Unit at 800-908-4490, extension 245.
