The details are unclear. In April, Hackmanac, a cybersecurity company, posted on X that around 2.9 billion records containing personal information from people in the US, Canada and the UK were for sale. The data was allegedly stolen from National Public Data, a company that conducts background checks.
The company has become the target of a class-action lawsuit recently reported by Bloomberg Law. Plaintiffs claim that thieves obtained social security numbers through the data theft. Bleeping Computer, a technology and security magazine, has compiled reports of hackers sharing large amounts of this data.
The extent of the breach and the resulting data leakage is something we will probably never know, but I'm not sure the details matter.
Security breaches happen all the time. Thieves often find vulnerabilities in large systems and exploit them.
Our lack of data protection and security is deeply abhorrent, but in the short and medium term all we can do is seal ourselves off as best we can.
Here are some tips on how to proceed.
Control your fear
Remember that some thieves just steal because they can. If they don't try to use the stolen information, you won't have a problem.
More criminal fraudsters need to know how to use the data against the aggressive defense mechanisms of a bank, for example. They often fail.
Or they may try to sell the data. There may be no market for it, so the stolen information remains unused. If a sale does occur, the data may be out of date.
Additionally, the buyers may be state actors. If you are not a blackmail target or have any interesting secrets, they may have the goods but do not want to use them.
Freeze your balance
Identity theft, where someone impersonates you and uses your Social Security number to open new accounts, can be damaging. A good defense is to have your credit files frozen with the three major consumer credit bureaus: Equifax, Experian and TransUnion.
Credit card companies, cell phone providers, and similar firms typically won't open new accounts if they can't verify your credit score. If you have your credit frozen, someone who wants to open an account in your name with a new company won't be able to do so.
And if you need to open a new account yourself? You get a PIN when you freeze your file with each of the three companies and use that to unfreeze the file when someone needs to check it. Don't lose the PIN or chaos can ensue.
It's annoying, but I've been doing this for years and have only heard a few stories of people not being able to unfreeze their files when they needed to. I've also set up blocks for my underage children.
Further measures
Set up two-factor authentication on as many online accounts as possible, or use an authenticator app to secure your online accounts. Unless thieves have intercepted your emails, text messages, or phone, it will be difficult for them to break in.
Account alerts are your friend. Depending on your bank or credit card company, you can set them up for many things, including any charges outside your home country, any (or all) ATM withdrawals, or transactions over a certain amount.
If you receive an unexpected or even expected notification, do not click on links in the notification or call phone numbers. Instead, log into the account in question and find a contact number there. This will prevent thieves from redirecting you to their own websites.
Take the compensation
I'm not convinced we'll ever live in a fraud-free world. Until we do, I'm happy to accept compensation from companies that have made mistakes.
I've cashed settlement checks from various class action lawsuits. The offers come in the mail so fast and furious these days that a week later I can't even remember them. What did I send at the beginning of the month? A request to join the fight against Ticketmaster? Quest Diagnostics? There have been a lot of them lately.
Thieves don't want us to mess up their jobs. And credit bureaus don't want to slow down the system either. Countering them and taking money when there's money on the table is a form of revenge, or at least a way to protest the absurd security status quo.