National Public Data Breach: How to Protect Your Social Security Number [CNET]

If your information is included in the reported massive data theft of 2.9 billion records of people, you can take steps to secure your Social Security number.

A massive breach of National Public Data servers in December 2023 may have included the theft of a reported 2.9 billion records with Social Security numbers, names and other personal data. You may not be able to do much about the actual hack, but you can watch if your Social Security number was leaked and you can take steps to protect your information. 

According to a statement from National Public Data — whose data is used by private investigators, consumer public record sites,  human resources and staffing agencies — “a third-party bad actor” hacked into the data and leaked the stolen information on the dark web. National Public Data obtained the information by scraping nonpublic sources without consent, according to a proposed class action lawsuit.

Here are steps you can take to protect your Social Security number if you are concerned your personal data was leaked in the massive data hack. For more information, here are the best identity theft protection services and how to freeze your credit. For more on Social Security, here’s when to expect Social Security check to arrive this month and 4 ways you can lose your Social Security benefits.

How was my personal data stolen in the National Public Data breach?

According to a National Public Data statement, “The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”

The theft — reportedly by a cybercriminal group by the name of USDoD– may be as large as nearly 3 billion personal records of people and include your name, email address, phone number, Social Security number and mailing addresses.

What is National Public Data doing in response to the data theft?

In a statement on the security breach, the company said it is cooperating with law enforcement and governmental investigators and conducting a review of the potentially affected records. For those who had their information stolen, the company said “it will try to notify you if there are further significant developments applicable to you” and recommends you closely monitor your financial accounts for unauthorized activity.

How do I know if my Social Security number was leaked?

While you can’t stop the theft, you can watch your credit reports and accounts to see if your Social Security number and other personal information is being used.

Check if your stolen data has been leaked: To start, check a free site like Have I Been Pwned to see if your email has been leaked as part of a data breach.

Monitor your credit reports: To spot identity theft, request one free credit report a year from each of the three major credit bureaus — Equifax, Experian and TransUnion — and look for unfamiliar activity, such as a new account you didn’t open. Watch your credit card and bank statements for unexpected charges and payments. 

Sign up for a credit monitoring service. A credit monitoring service can constantly monitor your credit report on major credit bureaus and alert you when it detects unusual activity. With a monitoring service, you can set fraud alerts that notify you if someone is trying to use your identity to create credit, including someone trying to use your Social Security number. Here are the best identity theft protection services.

I think my Social Security number was stolen. What should I do?

First, if you think your Social Security number has been stolen, know that the Social Security Administration itself can’t do much if someone uses your stolen information to, for example, open a line of credit or get a job. Here’s what you can do.

Head to the Federal Trade Commission’s IdentityTheft.gov and fill out a form to receive a personal recovery plan. This plan walks you through all you need to know about protecting yourself from fraud and recovering your identity. You can also call 877-438-4337.

Contact the Internal Revenue Service if your Social Security number has been stolen to prevent the thief from using your number to file a tax return and receive your tax refund or to prevent them from using your number for a job. If a thief uses your Social Security number to get a job, owed taxes may show up on your record. Visit the IRS’s Identity Theft Central to dispute these claims, get help and clear up any issues you have.

File an online complaint with the Internet Crime Complaint Center, which monitors cybercrime complaints to combat internet crime. It’s also advisable to check your credit report every so often to detect any fishy behavior as it happens. Visit www.annualcreditreport.com to receive a free credit report. 

Contact the Social Security Administration if you think your Social Security number has been compromised and the administration can help review your statements. 

Do I need a new Social Security number? 

If you have done all the steps that the Social Security Administration recommends and your Social Security number is no longer being used by someone other than yourself, then you don’t need to apply for a new SSN. If you’ve taken all of the necessary steps and still find that your number is being used, you can apply for a new one. 

But the administration doesn’t make it easy to get a new SSN. You’ll need proof that your number continues to be used by someone other than yourself. The administration said if you lost your card or think someone stole your number but have no evidence of someone else using it, you won’t be able to receive a new one. 

What can I do in the future to help prevent identity theft?

Sometimes, like with the National Public Data breach, there is little you can do to keep your information safe. But you can take steps to limit your risk. 

Don’t carry your Social Security card in your wallet. Instead, store it in a safe place in your home. Try to memorize your number so you don’t have to take your card out every time you’re filling out a document that requires it. If you have to provide your number over the phone, make sure you’re far away from other people who could possibly hear it. 

Employers and landlords often request documents to be sent electronically through email. If you have to provide your Social Security number or other personal documents by email, try encrypting the document with a password or providing your number separately in a phone call. 

Your employer will need your Social Security number to run a background check. But you should be skeptical of any job posting that requires you to enter personal information at the outset of an application. Unless you are starting a new position and have an offer in hand, you should not provide your Social Security number to a recruiter. 

Finally, always check your bank statements and credit statements regularly to address any issues as soon as they pop up. Enable two-factor authentication on your passwords to protect your private information on websites and apps. And verify the source of your notices — whether they’re phone calls or emails. The Social Security Administration said in general it will only call you if you requested a call. If you believe you’ve received a scam call or email, don’t give the person any personal information. 

How else could my personal data get stolen?

Theft happens everywhere, all the time. People will steal wallets and bags or go through mail in search of personal bank or credit card information. The Social Security Administration warns that people rummaging through trash outside of homes or businesses in search of critical information is another way identity theft takes place, along with people buying personal information from insider sources. There’s also the risk of receiving phone calls, texts or emails from seemingly official sources who are actually fraudsters looking to trick you into revealing information. 

As CNET’s Bree Fowler explained, cyberattacks happen when hackers take to online accounts with combinations of usernames and passwords that are often stolen in previous data breaches and use them to break into as many accounts as they can. That strategy is reason enough to protect your passwords and use passkeys whenever possible.