Not to alarm you, but your Social Security number is already leaked

You may have been one of the hundreds of millions of people whose highly sensitive personal information — including full names, phone numbers, emails, address histories, and Social Security numbers — was compromised when a South Florida data broker was hit last August by a cyberattack.

Initial reports claimed, erroneously, that 2.9 billion people had been victims of the massive breach. The stolen database in fact contained personal data of somewhere between 130 million and 170 million people across the US, UK, and Canada, according to security experts. The incident was extensive enough to now rank as the 12th-largest data breach in history, although the biggest of all-time remains a 2013 breach of 3 million Yahoo! user accounts.

In this latest huge breach, cybersecurity researchers soon exposed the culprit as Luan Gonçalves Barbosa, a 33-year-old hacker in Brazil’s Minas Gerais state, who first tried to sell the trove on the dark web for $3.5m, after which it appeared, for free, on assorted underground hacking forums.

“It is time to admit I got defeated, and I will retire my Jersey,” Barbosa, who was arrested by Brazilian authorities on October 16, wrote in a public statement after his identity was revealed.

“I’m a human like everyone else, to be honest, I wanted this to happen, I can’t live with multiple lives and it is time to take responsibility for every action of mine and pay the price doesn’t matter how much it may cost me.”

But what about the cost for his victims, whose public data has been leaked online?

Consumers regularly get the “your data has been found in a breach” — but are companies being held accountable for their weak security being breached, or are the hackers that steal it facing repercussions?

open image in gallery

And is all this data floating around freely, giving away our personal info, something we should be panicked about?

James Lee, COO of the nonprofit Identity Theft Resource Center (ITRC), said the “unfortunate truth” is that unless you are under the age of 18, and thus have not yet established any sort of credit profile, your personal data is, almost unquestionably, no longer private.

“For the most part, at this point, the basic information of most adults in the United States, and in many other parts of the world, is already widely available,” Lee told The Independent. “Social Security numbers have been widely available for years, so there’s really no additional risk that comes from your Social Security number being involved in a data breach if it happens today.”

That doesn’t mean you shouldn’t take precautions. National Public Data (NPD), the target of the attack, was significantly less forthcoming than Barbosa but it did release a statement recommending victims take their own measures to mitigate potential harm. “We strongly advise you to take preventive measures to help prevent and detect any misuse of your information,” the company posted on a section of its website titled, “Security Incident.”

Victims were told to monitor their financial accounts for unauthorized activity, to request and review their credit reports, and to place “fraud alerts” on their credit files, which requires creditors to contact a person before opening a new account or revising an existing one.

NPD is a data broker, a company that vacuums up vast amounts of publicly available data from myriad sources and aggregates it for sale to any number of private, quasi-governmental, and governmental agencies. They are the companies that do background checks on you before a new job or where a property manager runs a credit report before allowing you to rent an apartment.

The amassed information they find can be sliced and diced in endless ways, for sale to just about any willing buyer. The massive stores of sensitive information are, obviously, goldmines for hackers and the identity thieves who make up their customer base.

open image in gallery

In September, Rep Ritchie Torres (D-NY), one of the people whose info was exposed by the breach, issued the results of an investigation into NPD.

“The conduct of National Public Data has been so egregious that it all but rises to the level of corporate malfeasance,” the Torres report stated, pointing out that NPD first learned it had been breached initially in December 2023, then targeted again in April 2024, and finally for a third time over the summer. Despite this, NPD didn’t admit to the attacks until August 16, more than two weeks after a California man whose data was stolen in the breach filed the first of a coming blizzard of lawsuits against the company.

What hackers do with the stolen data has changed significantly over the past decade or so.

A reformed credit card fraudster from Eastern Europe, who was convicted on US fraud charges, described his past life impersonating legitimate cardholders to customer service representatives with American Express and others, spending hours on the phone taking over accounts and authorizing bogus purchases.

The former crook, who is now employed full-time after spending seven years in prison, and asked not to be identified, said his cons in the aughts were, essentially, one-offs. His ability to steal was constrained by an individual customer’s spending limit. A stolen card number has an extremely short “shelf life,” according to one law enforcement expert, and is often canceled within 24 to 72 hours — sometimes before the fraudsters can even put it to use.

In 2024, unless you are a high-net-worth individual, or a high-profile person, you are almost certainly “not at individual risk” for having your bank account drained by an identity thief after a data breach, because the types of scams they’re generally committing have evolved in the past 10 to 15 years, Lee explained.

“They’re not targeting you specifically,” he went on. “They’re not seeking your resources specifically. You may get caught up in some sort of a phishing scam, or you may get caught up in some other kind of a romance-type scam. But, for the most part, that’s not what they’re looking for. When they steal your information, they’re looking to impersonate you or someone else to get money from businesses and government agencies. That’s the name of the game today.”

This means using your identity to apply for unemployment benefits or filing for a large tax refund in your name, taking out a home equity loan in your name, or opening up a bank account in your name to hide money stolen in a business email compromise, according to Lee. He said fraudsters can also create a so-called synthetic identity, using pieces of multiple people’s identities to establish an entirely new one.

open image in gallery

Today’s scammers are using automation to target their victims, and are doing it at scale, according to Lee.

“They know what data they want,” he said. “They know where to get it, and they know what they’re going to do with it when they get it.”

Of course, if a scam artist stumbles across your info and can make a quick buck, most will. But, said Lee, advancing technology has made it easier to commit identity crimes, and the required tools are available off-the-shelf, for cheap.

“They’ll pay 50 bucks, they’ll get a piece of software, and they’ll start scraping data,” Lee said. “That’s one of the reasons why we’ve seen this huge spike in data breaches over the last couple of years.”

During the first six months of 2024, the number of data breaches increased by nearly 500 per cent over the same period last year, the ITRC found.

In September, NPD quietly announced that it was getting out of the data-selling business. On October 2, NPD filed for bankruptcy amid the snowballing deluge of suits, in addition to at least 20 state attorneys general demanding civil penalties. According to Torres, NPD “has some explaining to do.”

NPD was a subsidiary of a small film production company called Jerico Pictures, which is owned and operated by Salvatore Verini, a retired deputy sheriff who appeared alongside Burt Reynolds on a 1990 episode of B.L. Stryker, a short-lived TV series starring Reynolds as a world-weary private dick living aboard a houseboat. It is unclear how or why Jerico Pictures got into the data brokering business. Efforts to reach Verini were unsuccessful.

The after-effects of the NPD breach have been revealed in court documents filed by numerous victims, who all tell a similar version of what they have endured in the months since their data was pilfered.

open image in gallery

Christopher Hoffman, the California man whose August 1 lawsuit revealed the existence of the NPD breach, first learned his SSN and other private info had been stolen in late July when Experian, the credit monitoring service he subscribed to, notified him that his personal data had been compromised, according to court filings.

“Such fraud may go undetected until debt collection calls commence months, or even years, later,” Hoffman’s suit says. “Fraudulent tax returns are typically discovered only when an individual’s authentic tax return is rejected. An individual may not know that his [personal data] was used to file for unemployment benefits until law enforcement notifies the individual’s employer of the suspected fraud.”

The NPD breach has saddled Hoffman, whose attorneys did not respond to The Independent’s requests for comment, with “significant anxiety and stress,” the lawsuit states.

While no formal accounting of the NPD breach has emerged from NPD itself, numerous other victims have recounted, in their own lawsuits, stories almost identical to Hoffman’s. They peg the cost of credit and identity theft monitoring at roughly $200 annually, a cost the plaintiffs want NPD to pay for a minimum of five years.

In Hoffman’s case, he and the other victims are demanding damages to be determined by a jury, plus an injunction requiring NPD, which may or may not continue to exist in any way related to its data brokering business, to maintain “adequate security.”

“The risk of another such breach,” Hoffman’s lawsuit says, “is real, immediate, and substantial.”

open image in gallery

Although people have developed what Lee described as a sort of “breach fatigue,” he said it’s important not to ignore the notices and to take advantage of the free credit monitoring you will likely be offered. And while every request for free monitoring is fulfiled, Lee warned against expecting anything more than a token cash payment after a breach settlement, which can run into the hundreds of millions of dollars.

“As more people join the line, the amount that everybody gets goes down,” Lee said, explaining that the named plaintiffs “do tend to get a little bit more.”

“Class action lawsuits in this space are not particularly lucrative for individuals,” he went on. “You’re not going to make a lot of money. You’re going to get a coupon, or a credit for a product that you already bought, or free identity monitoring. You’re not going to get rich off of it.” (Each situation is different, and there are outliers: those who joined a 2021 class action against Juul received payments between $200 and $7,000, some three years later.)

Still, credit monitoring tells you that something bad happened, after it happens. But freezing your credit, while not an absolutely foolproof solution, is “the one thing that can stop something bad from happening,” according to Lee.

The process is free, can be done entirely online, and has no impact on your credit score, Lee explained, saying that consumers can easily unfreeze their accounts when they need to buy something, then refreeze them immediately afterward. This, according to Lee, is the only true way of protecting your finances.

“Stop whatever you’re doing right now and go freeze your credit,” he said.