You've likely never heard of National Public Data, the company that makes its money by collecting and selling access to your personal data to credit card companies, employers, and private investigators. It now appears that the hacker group USDoD snatched about 2.9 billion of its records. Odds are that your records -- including, possibly, your Social Security number (SSN) -- are in those databases.
USDoD wanted to sell this data for the low price of $3.5 million. Ironically, before USDoD could profit from the theft, another threat actor, Fenice, swiped the data and released it on the dark web.
How bad is it really? According to the security organization Vx-Underground, the stolen data includes
Vx-Underground also found that "the database does not contain information from individuals who use data opt-out services." These are sites or services that allow you to say no to a company or group that wishes to keep your records.
That's good to know, but for many of you, it's probably a little late.
The leaked data, totaling 277GB, can be used for identity theft and fraud. Although the breach does not necessarily affect 2.7 billion unique individuals (due to multiple records per person), it still poses a significant risk. The information can be used to open fraudulent accounts, apply for loans, or even commit tax fraud.
First, check to see whether your data is actually out there. The easiest way to do that is with the Have I Been Pwned website. This should be your first resource to find out which breaches you and your data have been involved in and how extensively your data has been leaked. To use Have I Been Pwned, all you need to do is give the site your email address, and in less than a minute, you'll get the bad news.
Notice, I didn't say if your data has been leaked. I can guarantee that your data has been leaked. With one data breach following hot on the heels of another for decades now, there's no question that some of your personal data is out there.
For example, I take security more seriously than many people do, and I'm better equipped than most of you to deal with security and privacy issues. Nevertheless, my data has been ripped off in no fewer than 34 data breaches.
Now, the vast majority of these breaches are relatively harmless. For example, my chess.com account's email address was revealed. I can live with that. But the USDoD data drop is another matter.
Next, you need to determine just how bad the news really is. If you've reason to believe your data's been being used against you, it's time to use an identity theft protection and credit monitoring service to protect yourself. ZDNET recommends Aura as the best overall such service.
It's not enough to have these services, though. You should regularly check your credit reports for any unauthorized activity. Report any suspicious transactions to the credit bureaus (Experian, Equifax, and TransUnion) and consider placing a credit freeze to prevent new accounts from being opened in your name.
Also, you should stay vigilant against phishing attacks. Be cautious of emails, texts, or calls that attempt to solicit personal information. Scammers will use your leaked data to craft convincing phishing attacks. For example, I recently got an email purporting to be from my bank, which included my address, warning that my account had been hacked and that I needed to change my password from the included link Right Now.
Anytime you get a message like that, whether it's warning you of something dreadful or promising you something that sounds too good to be true, don't trust it. Never click on links from such e-mails or text messages.
If you've clicked on a phishing link, don't panic. Do, however, take these steps immediately:
Disconnect from the internet and your local network immediately. This prevents any potential malware from spreading or communicating with malicious servers.
Back up important data to an external hard drive or a USB stick. This safeguards your information in case of data loss or corruption.
Watch your important online accounts. If you see any suspicious activity, contact the company as soon as possible.
Let's suppose, however, you have reason to believe that your SSN has ended up in the hands of crooks. In this worst possible scenario, you should take the following steps:
Next, contact the Internal Revenue Service (IRS) to prevent potential tax-related fraud. Here's what to do:
This can be a long, tedious process. But, if you don't check and -- if necessary -- protect your accounts, your identity can be stolen. Recovering from identity theft is much more painful than preventing it.
Afterward, stay vigilant and continue monitoring your accounts and credit reports regularly. If you notice any suspicious activity, report it immediately to the relevant authorities and financial institutions. This is not a threat you can deal with once and then ignore. It's one that will continue for the rest of your life.
Yes, I hate that too.