Data theft from data traders (again) brings social security numbers to light

In the news

Background check company National Public Data has publicly acknowledged that it suffered two data breaches in April and this summer that exposed millions of Social Security numbers and other personal information. The Record reports that a threat actor using the pseudonym “USDoD” has offered 2.9 billion NPD records for sale on an internet forum. “The data includes a person’s first and last name, three decades of address history and Social Security number. Some experts said they could also find a person’s parents, siblings and immediate relatives. The database includes people living and deceased.” Notably, people using data opt-out services were not included in the database. Read more here.

What you can do

This is not surprising, especially since we reported on the first, similar breach just two months ago. To reinforce what my colleague Martin Shelton said then: It is simply absurd that the United States does not regulate the sale of personal data by these data brokering giants. If you live in the US or UK, your personal data was most likely affected by this breach. Here are some options to prevent potential cases of identity theft:

• You can manually opt out of many data brokers for free by following the instructions in journalist Yael Grauer's Big Ass Data Broker Opt-Out List. However, brokers have been known to re-acquire your data on a regular basis – sometimes every few months, sometimes every few years. It's not trivial to keep opting out.
• In about a dozen countries, you can use anti-data broker services like DeleteMe that allow you to have personal information removed from such sites. It's not cheap, though – it costs about $129 a year. If you have the means, it can be a worthwhile investment. We encourage media organizations with the capacity to support staff, especially those working on politically sensitive reporting, to use these services.
• For U.S. residents: If you're concerned that your Social Security number has been shared or could be used for harassment or fraud, consider placing a freeze on your credit score with all major credit reporting agencies. Essentially, credit reporting agencies like Equifax allow you to request additional information before allowing someone to use credit on your behalf (such as when purchasing a car or opening a new credit card). You can always resort to the credit freeze portals described above to unfreeze your credit score if needed. Read more about how to freeze your credit score.

Updates from our team

• We've written a guide to OnionShare, the anonymous file sharing app from FPF co-founder Micah Lee. If you're thinking of setting up your own 24/7 Dropbox, check it out!

Our team is always available to help journalists with questions about digital security. Contact us here and stay safe and protected.

Preferably,

Kevin

–

Kevin Pham
Digital Security Training Intern

Foundation for Press Freedom