Social Security Number Hack May Produce New Fraud Vector

Earlier this year, hackers stole the data of 2.9 billion people from a broker.

Now, that breach threatens to usher in a wave of identity fraud and other crimes, Teresa Murray, consumer watchdog director for the U.S. Public Interest Research Group, said in a recent Los Angeles Times (LAT) interview.

“If this in fact is pretty much the whole dossier on all of us, it certainly is much more concerning” than past breaches, Murray said. “And if people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them.”

The report, citing a recent class-action lawsuit, said the hack was apparently carried out by a group called USDoD, which claimed in April to have stolen the records of 2.9 billion people from National Public Data (NPD), which provides personal information for background checks.

The company confirmed the breach on its website, saying “there appears to have been a data security incident that may have involved some of your personal information. The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”

According to the LAT report, a member of the group is offering to sell what it calls “the full NPD database,” including about 2.7 billion records, each including a person’s full name, address, date of birth, Social Security number and phone number, plus alternate names and birth dates.

The LAT report noted that people who suspect their Social Security number or other important identifying information has been leaked may want to put a freeze on their credit files at the three major credit bureaus, Experian, Equifax and TransUnion. 

This can be done for free, and will stop criminals from taking out loans, setting up credit cards and opening financial accounts in your name. 

“People don’t realize how easy it is to steal your identity,” Bryan Lewis, CEO of Intellicheck, told PYMNTS CEO Karen Webster earlier this year. “If I can get your social media account or your email, I can change everything about your life. I can change every password you have.”

As that report noted, the world is in the midst of an “arms race,” one in which hackers can access all the ammunition they need — email addresses, social media passwords and credit card data — to pretend to be someone else.

“The recent cyberattack at Change Healthcare is just one example, exposing sensitive data of patients and hospital systems,” that report said. “Lewis himself estimated to Webster that he’s been a victim of half a dozen breaches as an AT&T customer.”

Best practices and vigilance are also important, as people should know that banks or call centers — or the IRS — will not call seeking information. 

“Never give anything out,” by phone, Lewis said. “Hang up, Google the phone number, call the agency.”