Nexstar Media Wire News

Was your data leaked in massive breach?: How to know, and what to do now

(NEXSTAR) — Billions in personal information records may have been exposed in an April data breach, a recent lawsuit has alleged, prompting warnings from identity experts.

A class action lawsuit filed in Florida claims a hacking group was able to access the database of National Public Data (NPD), a background check company that provides access to data “from various public record databases, court records, state and national databases and other repositories nationwide.”

The group made the database, which was said to contain “2,900,000,000 records on United States citizens,” public on the dark web. A purported member reduced that number last week, telling a hacking forum there were almost 2.7 billion records in the data, BleepingComputer reports. They also claimed the data was for residents in the U.S., the U.K., and Canada (which have a combined population of less than 440 million).

NPD has not responded to multiple media requests for information regarding the breach. The company has, however, responded to some who reached out to them via email that it is “aware of certain third-party claims about consumer data and are investigating these issues,” the Los Angeles Times reported Tuesday. NPD also explained it had “purged the entire database” and deleted “non-public personal information.”

Unfortunately, if your data was part of the alleged brief, that isn’t very helpful now. There are, however, steps you can take to help protect yourself.

Was your information leaked in the breach?

Cybersecurity technology platform Pentester was able to review the data once it became public and create a tool that allows people to search for their information. While the information in the leaked database was not redacted, Pentester has masked personal birth years and Social Security numbers.

If the name, state, and birth year you input match information found in the NPD breach, you’ll see a list of “exposed information.” That includes a name, date of birth, address, phone number, and Social Security number. You’ll also be encouraged to freeze your credit (more on that in a moment).

If there are no matches found in the breach data, you’ll receive an error notice. But that doesn’t mean you can let your guard down.

You may want try other states you’ve lived in or former names you’ve used, like a maiden name, Richard Glaser, co-founder of Pentester, told Nexstar via email.

“From my experience a lot of the data is old, but a [Social Security number] never changes,” he added.

What to do if your data was leaked

Simple measures, like freezing your credit, can reduce your exposure for these types of crimes of opportunity. That can prevent bad actors from using your Social Security number to take out loans or open new credit cards.

Freezing your credit prevents any new credit, like loans or new credit cards, from being approved, whether it’s legitimate or not. You are able to freeze (and ‘thaw,’ or lift the freeze) your credit report for free with the three major credit reporting agencies: Equifax, Experian, and TransUnion.

If you think someone is using your Social Security number and creating credit problems for you, you should report it at IdentityTheft.gov, the Social Security Administration says. You’ll go through the steps of putting a fraud alert on your credit reports, alerting the FTC, and possibly filing a police report. From there, you may need to go through several steps of damage control to clear your name.

While it is widely believed our personal information, like Social Security numbers, is already out there, experts note not everyone who has been victimized in a data breach will end up victimized by identity theft.

“If you’re a high-value individual that maybe has a high net worth or works at a company that they can extort you, you might actually be a real target,” Kyle Hanslovan, CEO of cybersecurity firm Huntress, previously told Nexstar. “For the masses though, the everyday common person, you’re more of a target of opportunity.”

Most people shouldn’t spend too much time worrying about what may happen if their information ends up in the wrong hands. Instead, Hanslovan recommends keeping an eye on your important accounts and making sure you’re prepared to act in case something does go wrong.

“It stinks for privacy, but it kind of normalizes just what’s happening,” Hanslovan said. “It doesn’t make it right, and it definitely doesn’t wave, you know, a company’s true fiduciary responsibilities to protect your data.”