On August 1st, 2024, a class action lawsuit was filed against Jerico Pictures, Inc. otherwise known as National Public Data, alleging a massive data breach that appears to impact nearly all Americans.
The lawsuit alleges that National Public Data, a background check company, was breached sometime before April 2024 by a cybercriminal group that goes by the name USDoD.
According to the complaint, National Public Data gathered the personally identifiable information of billions of individuals from non-public sources. Since National Public Data allegedly obtained the information from scraping non-public sources, most individuals affected likely have never heard of National Public Data nor have they ever knowingly provided their personal information to National Public Data directly.
Shortly after the alleged breach, the data was posted for sale on the dark web claiming to have 2.9 billion records which makes this breach one of the most significant breaches in history.
The class action lawsuit goes on to state that an educational website focused on malware and cyber security called V-X-Underground was able to confirm the validity of the data and determined that the data includes first and last names, addresses, address history (over three decades), and social security numbers. The data set also provided the ability to identify an individual’s relatives.
SpyCloud, a leader in helping businesses avoid cybercrime, reported that their team was also able to analyze the data and confirmed that 277 million distinct social security numbers were included in the breach. Given the current population of the United States is about 337 million people, most individuals should assume their information was included.
On their website, National Public Data has confirmed a “Security Incident” occurred in December 2023 acknowledging that personal information, including social security numbers, was likely compromised and leaked throughout the spring and summer of 2024.
While significant data breaches like what is alleged against National Public Data are challenging, and the investigation is still ongoing, it is clear that a strategy of hoping that personally identifiable information is never exposed is no longer a reasonable option for everyday Americans. Rather, each individual must assume that identity thieves already have access to their personal data and should incorporate wealth protection strategies into their overall financial plan to reduce the chance that a criminal who has their information is able to do anything nefarious with it.
The following recommendations represent the steps we suggest taking to begin protecting your personal information.
Protect Your Most Important Accounts
The first step to protecting your financial wellbeing is to make sure that your most important accounts are protected with strong passwords and multifactor authentication. Typically, these would be bank accounts, investment accounts, credit card accounts, and any other accounts that provide access to finances. It is also recommended that any accounts with sensitive health information be strongly protected as well.
To ensure your accounts are protected, the first key is to use strong passwords that are randomly generated and not repeated from site to site; however, adding the extra step of multifactor authentication is crucial to ensure that an exposed password is not sufficient to gain access to important accounts.
While maintaining strong passwords can be a challenge, there are quality password management systems that help streamline the process of creating strong passwords and allowing users to efficiently move from one website to another without having to manually remember each password.
Key Takeaway:
It is crucial to use strong passwords and multifactor authentication to reduce the risk that identity thieves are able to gain access your accounts.
Freeze Your Credit Reports
There are three major agencies that provide credit reporting on individuals – Equifax, Experian, and TransUnion. When an individual applies for a loan or other forms of credit such as a credit card, the lender will typically access the individual’s credit report to determine whether the individual is creditworthy.
An individual’s credit report will include details on all credit accounts and inquiries. Per federal law, individuals are entitled to a free credit report annually which can be obtained from AnnualCreditReport.com. Starting during COVID in 2020, the three major credit agencies temporarily announced that they would allow weekly credit checks for free, and they have since made that policy permanent.
Individuals should review their credit reports on a regular basis to ensure all information is up to date and free from errors. If the credit report shows unusual activity, the individual should investigate immediately since it may be a sign of unauthorized activity.
In order to prevent identity thieves from opening credit card accounts or borrowing funds fraudulently, individuals should consider freezing their credit at each of the three credit reporting agencies.
A credit freeze prevents lenders from accessing your credit report which, in many cases, will prevent them from opening a new account or issuing credit in your name. To initiate a credit freeze, the first step is to visit each agency’s website and set up a personal account. Once the account is set up, individuals are able to establish and manage their credit freezes.
While setting up a credit freeze can prevent unauthorized accounts from being opened, it is important to remember that lenders will also be blocked from accessing credit reports when an individual is legitimately trying to open an account. Accordingly, individuals who freeze their credit will have to remember to thaw their credit reports anytime they are applying for a new loan or credit card.
Individuals who would like to set up their accounts for the major credit reporting agencies and institute a credit freeze can do so by going to each reporting agency’s credit freeze webpage to get started: Equifax Credit Freeze, Experian Credit Freeze, and TransUnion Credit Freeze.
Key Takeaway:
Individuals should consider freezing their credit at each of the three credit reporting agencies to prevent identity thieves from opening fraudulent accounts.
Apply For an IRS Identity Protection PIN
In 2023 over one million tax returns were flagged by the IRS for potential identity fraud representing $6.3 billion in potential refunds. In this scheme, identity thieves will file fraudulent tax returns using an individual’s social security number in order to claim a bogus refund on behalf of the taxpayer.
When this occurs, the taxpayer typically encounters an issue where they cannot e-file their tax return because a duplicate return has already been filed with their social security number. Other signs are receiving IRS notices or information in the mail related to returns or documents that the taxpayer did not file.
The primary way to combat tax-related identity theft is to enroll in the IRS Identity Protection PIN program. Think of it as multifactor authentication for your tax return. To start, the taxpayer must create an online account with the IRS.
To create the account, the IRS will require an authentication process using ID.me. Once the account is created, the taxpayer will be able to log in to view their account balance, payment activity, notices, letters, etc. Additionally, by selecting “Profile” and scrolling to the bottom of the page, the taxpayer has the option to enroll in the Identity Protection PIN Program.
Once the PIN is created, it is valid only for the given calendar year and only known to the taxpayer and the IRS. Any tax returns filed within the calendar year will be rejected unless they include the appropriate PIN. The IRS publishes a detailed FAQ page for the Identity Protection PIN program which can be a helpful resource to taxpayers.
Even if the taxpayer has filed their tax return for the current year, it is worthwhile obtaining a PIN given it will prevent an identity thief from filing a fraudulent amended return going forward.
Each year the taxpayer will receive a new PIN that covers the current calendar year. The taxpayer will need to obtain the updated PIN by logging into their online account in early January so that they can include the updated PIN when filing their tax return.
By enrolling in the PIN program, the taxpayer eliminates the ability for an identity thief to file a fraudulent tax return solely with the taxpayer’s social security number.
Key Takeaway:
Applying for the IRS Identity Protection PIN program is similar to multifactor authentication for your tax return and is important in preventing the filing of fraudulent tax returns.
Don’t Give Out Your Sensitive Information
While choosing not to give out your sensitive information seems like a straightforward strategy, it often is one of the most successful ways cyber criminals obtain an individual’s personally identifiable information.
A good example is the National Public Data breach. As a result of the breach, there are multiple websites that suggest you can enter your personal information, including your social security number, and they will check to see if your data has been compromised. While some of the sites are legitimate, we would never recommend entering your social security number to confirm whether or not your information has been compromised.
There are too many opportunities for nefarious individuals to create copycat sites that pretend to search for your information in the breached data when they are simply stealing your information themselves.
If asked for sensitive information like your social security number over the phone, question why it is needed, how it will be used, and what will happen if you refuse to provide it. Always verify that the person asking for the information is legitimate. When in doubt, don’t provide the information.
Key Takeaway:
If in doubt about giving out sensitive information, refuse and find an alternative way to verify that the request is legitimate.
Purchase Identity Theft Protection and Restoration Services
Part of being prepared in the event of an identity theft is having a plan in place for when it happens. With all the data that has to be shared with third party sites, most individuals will experience some form of identity theft during their lifetime.
There are multiple identity theft solutions available in the marketplace that provide credit monitoring services to identify when your information has been exposed on the dark web. While these are useful because they allow you to change your passwords and update your information in a timely fashion when information is exposed, we believe it is important to take this one step further to include credit restoration services.
Credit restoration services assist victims of identity theft in restoring their credit after an identity theft incident. We recommend considering a service similar to Zander Insurance’s ID Theft Protection insurance policy which currently costs $145 per year for a family plan. One of the unique benefits of Zander’s identity theft protection plan is the restoration services offered.
We view the annual $145 insurance premium similar to a retainer that provides access to the restoration team in the event that an identity theft occurs and credit needs to be restored.
Key Takeaway:
Purchase a credit monitoring service that includes credit restoration.
Conclusion:
In the wake of the alleged National Public Data breach, we believe every American should proceed with the assumption that their sensitive data is already exposed on the dark web or will be in the future. Gone are the days of simply hoping your data will not be exposed.
Accordingly, it is no longer sufficient to take a “wait and see” approach to protecting yourself from identity theft. Rather, proactive steps should be taken to ensure your most important accounts are protected by strong passwords and multifactor authentication, your credit reports are kept frozen as the default status, you are enrolled in the IRS Identity Protection PIN program, you avoid giving out your personal information when possible, and you have an identity theft protection insurance plan in place that provides restoration services.
As the world we live in continues to become more interconnected, our personal information will continue to be vulnerable to cybercriminals who plot and scheme to steal the data from entities who have access to it – often without our knowledge as in the case of National Public Data.
Going forward, the best chance of avoiding an identity theft incident is to assume nefarious individuals already have your data and start taking steps that make it difficult for them to use the data in a meaningful way.
If you are interested in learning more about steps you can take to protect the wealth you’ve built and ensure your financial plan is prepared for the years ahead, our Family CFOs would love to connect to see if what we do is right for you.