Background check service data breach may affect 2.7 billion individuals
A massive data breach in April may have exposed the personal information of 2.9 billion people worldwide, including the Social Security numbers of millions of Americans.
MANCHESTER, NH – A massive data breach in April may have exposed the personal information of 2.9 billion people worldwide, including the Social Security numbers of millions of Americans.
The breach happened months ago, but became news this week after a California man filed a class action lawsuit in Florida Aug. 1 alleging background check company Jericho Pictures Inc., doing business as National Public Data, exposed the information of billions of people that it has collected in its work for clients.
While the suit alleges that the personal information of up to 2.7 billion people may have been compromised, that number comes from the hacker, which put the information up for sale on the dark web. [The dark web is a portion of the cyber world that is accessible only by special software and allows users to remain anonymous.] NPD has not commented to news outlets about the breach and it’s unclear to whom the company reported it to.
The personal information breach affected people who do not use data opt-out services, according to VX Underground, a malware and cybersecurity edition website cited in the suit. According to security.org, only 6% of Americans, about 14 million, use data removal services or opt-out tools.
According to the suit, the class action has more than 100 plaintiffs in several different states. The lawsuit was reported by Bloomberg Law on Aug. 2 and picked up by national media this week.
The suit alleges that hacker group USDoD accessed information from NPD, which is based in Coral Springs, Florida. The company does background checks for private investigators, consumer public record sites, human resources, staffing agencies and more, according to its website. NPD does background checks for “many different clients” across the world, according to the lawsuit.
USDoD accessed, for each individual, full names; current and past addresses going back up to 30 years; Social Security numbers; information about parents, siblings, and other relatives (including some who have been deceased for nearly 20 years); and other personal information, according to the suit. It then offered the information up on the dark web [a part of the worldwide web accessed by special software, where users remain anonymous].
Unlike a hack at, say a health care network or credit card company that would notify customers of a hack, those affected by the NPD hack likely didn’t even know the company had access to their information in the first place, since it’s collected at the request of clients doing background checks.
Christopher Hoffman, of Fremont, California, who filed the suit against NPD, was notified by his identity theft protection service on July 24 that his information had been compromised, and then found on the dark web. Hoffman says in the suit that he never gave NPD any personal information, and believes it was scraped from non-public sources.
The suit charges that NPD failed to protect the security of people whose information it accesses and also said that people whose information was compromised were not notified about the breach. CBS News reported that no reports on the breach had been made to state attorneys general. All states require that companies that have clients in their state inform them of data breaches. Many other states require breaches be reported to the attorney general, though even those laws vary, including whether a company doing business in the state must report, or a company must report if individuals in the state are affected by the breach.
In New Hampshire entities engaged in business in the state must notify the relevant regulator if there’s a breach; all other entities must inform the Attorney General if the breach affects more than 1,000 residents. The New Hampshire Department of Justice on its website lists data breaches reported to it. There are 37 so far in August.
NPD, on its site, also offers an opt-out feature for residents of California, Colorado, Connecticut, Utah and Virginia, required by the those states, that allows individuals to ask that information be corrected or some nonpublic information not be used. But a resident would have to know NPD existed and that the site offered that service in order to take advantage of it.
The suit says that no details have been revealed by NPD as to how the breach happened, and since the suit was filed two weeks ago, there appears to be no public information on it from NPD.
On April 8, USDoD gained access to the unencrypted personal information of billions of individuals stored on NPD’s network, according to the suit. The hackers offered the entire package of information for sale for $3.5 million on the dark web, according to the lawsuit.
The suit says the hackers sold some of the information. It also says that VX Underground found that the hackers intended to make the entire package of information publicly available on the dark web.
Were you a victim?
Social Security numbers, unique to each individual, are the portal for many scams and much of the fraud that affects individuals in the U.S. They are used for identifying bank, credit card and other financial accounts, as well as other personal information. Fraudsters and scammers can use them to hack into personal accounts and steal identity information.
To see if your information has been used by hackers, access your credit reports. They are free weekly from the three credit reporting agencies: Experian, Transunion and Equifax. You can check them for charges or applications that you didn’t make. For information on how to do this, and to get free credit reports, visit USA.gov/creditreports.
You can freeze your credit, for free, to protect it from hackers through the three agencies. This keeps anyone from taking out a credit card or loan in your name. You unfreeze it if you want to apply for credit or a loan.
Industry experts also recommend that consumers get a tracking service that will alert them if their data appears on the dark web. [Some credit card agencies, like CapitalOne, do this for their customers].
Experts also advise enrolling in two-factor authentication, which will make it harder for hackers to access your accounts.
Social Security phishing scam alert
In other fraud news, the Federal Trade Commission Thursday issued an alert on a new Social Security scam, tied to fake employers and What’s App.
Scammers are sending texts on What’s App pretending to offer remote jobs for positions like online data specialists that pay up to $600 a day, the FTC reported. The text gives the job’s age requirement and asks for a valid Social Security number.
The text is a phishing scam to get individuals’ Social Security numbers. [A phishing scam is one designed to steal personal information.]
The FTC advises:
- Don’t click on links or respond to unexpected texts. If you think the text could be legit, contact the company using a website or phone number you know is real — not the information in the text.
- Do some research. Scammers usually promise big rewards for little work, but don’t give a lot of information. Search online for the name of the company and words like “review,” “scam,” or “complaint.” If you can’t find the company online, steer clear.
- Block unwanted texts. Scammers send texts designed to get your attention. Some phone settings and call-blocking apps let you block unwanted texts so you don’t hear from scammers in the first place.
If you get a text that’s a scam, visit ReportFraud.ftc.gov to notify the FTC. Forward it to 7726 (SPAM) or use your phone’s report “junk” option to delete and report it, the FTC advises.
If you gave personal or financial information to a scammer, visit IdentityTheft.gov to report it and get a recovery plan.
