Social Security number data breach: What we can VERIFY

On Aug. 14, an X post with over 8.5 million views claimed that the personal information of nearly every American, including Social Security numbers and physical addresses, may have been compromised in a recent data breach.

“Every American’s Social Security number may have been stolen in a new major hack, with over 2.7 billion records allegedly compromised from National Public Data. The stolen information includes Social Security numbers and physical addresses,” the viral post said.

Multiple readers, including Carol, have asked us whether their personal information is now at risk. Here’s what we can VERIFY.

THE SOURCES

WHAT WE FOUND

The lawsuit, which was filed by California resident Christopher Hofmann on Aug. 1, alleges that hackers gained access to the personal information of “billions of individuals” from National Public Data, a background check company based in Coral Springs, Florida.

National Public Data scrapes data from public record databases, national and state databases, and court records, including nonpublic sources, according to Schubert Jonckheer & Kolbe LLP, a law firm investigating the breach.

Schubert Jonckheer & Kolbe LLP says National Public Data then sells this private data to a wide range of organizations, including background check websites, investigators, app developers, and data resellers.

“Because individuals did not affirmatively provide their private information to NPD, individuals may not even know that they have been affected,” Schubert Jonckheer & Kolbe LLP said.

Hofmann claims his identity theft protection service notified him in late July that his personal information had been compromised by the “nationalpublicdata.com” breach.

The lawsuit claims the exposed information includes Social Security numbers, past and current addresses, names, and information about parents and siblings. Cybersecurity experts warn that this is the type of sensitive data that could allow a scammer to take out a loan in your name or gain access to your banking information.

Top Class Actions says at least two more class-action lawsuits have also been filed against National Public Data concerning the same data breach.

Has National Public Data or SSA confirmed the breach?

As of Aug. 15, National Public Data, the defendant in the lawsuit, has not confirmed the data breach and the company did not immediately respond to VERIFY’s request for comment.

Meanwhile, a Social Security Administration (SSA) spokesperson said in an email that “recent reports related to a data breach are unrelated to the Social Security Administration’s internal systems and data, neither of which has been compromised.”

It is unclear if National Public Data has alerted people whose information was compromised in the alleged breach, though Hofmann’s lawsuit claims the company had “still not provided any notice or warning” to him.

Some states require companies to report data breaches to their attorneys general offices. However, information security company McAfee said on Aug. 14 that it had not found any filings related to the breach.

Florida law requires companies to file notices of any data breach that impacts 500 or more Floridians.

When did the alleged breach happen?

The exact date of the data breach is unclear, but it is believed to have taken place sometime in or around April 2024, according to Hofmann’s lawsuit.

The complaints allege that a cybercriminal group named USDoD gained access to National Public Data’s network and then published and sold its findings on the dark web.

One of the lawsuits claims the breach was first reported on June 1, by VX-Underground, an international cybersecurity research group, according to Top Class Actions.

Top Class Actions says VX-Underground claimed that the cybercriminal group “USDoD” was behind the attack and had posted the database containing 2.9 billion records for sale online for $3.5 million. VX-Underground also confirmed the authenticity of the data.

VX-Underground says the stolen database includes 277.1 gigabytes of data, including names, address histories, relatives, and Social Security numbers dating back at least three decades, according to Schubert Jonckheer & Kolbe LLP.

USDoD has no affiliation with the U.S. Department of Defense, which is commonly referred to by the acronym “DOD.”

How can I protect myself?

Although the data breach has not yet been confirmed by National Public Data, cybersecurity experts recommended that you freeze your credit if you suspect your Social Security number or other personal information has been compromised.

It’s free to freeze your credit with the three major credit bureaus: Equifax, Experian and TransUnion, according to the U.S. Public Information Research Group (PIRG), a non-profit consumer watchdog.

Freezing your credit can block bad actors from taking out a loan or opening a new credit card in your name. But PIRG warns to never freeze your credit in response to an unsolicited email or text claiming to be from one of the credit agencies because it could be a scam.

The National Cybersecurity Alliance says freezing your credit will limit access to your credit reports, and you’ll have to remember to unfreeze your credit if you’re applying for a new credit card or mortgage. PIRG notes that freezing your credit does not directly increase or decrease your credit score.

You can freeze your accounts with the three major credit bureaus by phone or online:

You can also sign up for a tracking service that will alert you if your data appears on the dark web through services provided by companies like Norton and Google One.

If you suspect you are a victim of identity theft, the Social Security Administration recommends: