What huge data leaks mean for you

At some point last year, one or more hackers quietly penetrated a background check company called National Public Data (NPD), exposing millions of U.S. Social Security numbers (SSNs), email and mailing addresses, as well as phone numbers and names. The accuracy and validity of some of this data, much of which NPD likely scraped together from public government records, is questionable. The reality of the leak itself is not: In August, NPD confirmed an incident in which “a malicious third party attempted to hack into data in late December 2023,” according to a notice on the data aggregation company's website. The stolen information appears to have been offered for sale online starting in the spring.

It's deeply uncomfortable to imagine Social Security numbers and other sensitive information floating like digital plankton in the darker currents of the internet. And what gets out into the open can't be retrieved. So what do you do when that happens?

You can have your credit frozen through the major credit bureaus — preventing anyone from opening a new credit account in your name until the freeze is lifted. (The three major agencies in the U.S. are Equifax, Experian and TransUnion.) For the future, an incident like this is a sobering reminder to practice good password hygiene. Don't reuse passwords — complexity and uniqueness are powerful — and consider a manager like 1Password. Americans can check to see if their SSN has been exposed using a tool like Pentester.

And on the website Have I Been Pwned?, launched in 2013 by Australian online security consultant Troy Hunt, visitors can check whether their email addresses have been exposed in data breaches. A spin-off project checks passwords in a similar way. In its more than ten years of existence, Have I Been Pwned? has grown to six billion unique email addresses. Each account has been hacked on average just over twice.
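The password spin-off mentioned above (Pwned Passwords) never receives the password itself: the client hashes it with SHA-1, sends only the first five hex characters of the hash to a range endpoint, and compares the rest of the hash locally against the list of suffixes and counts that comes back. The example below is an added illustration of that client-side logic, written for this article and not code from Have I Been Pwned? or Troy Hunt. The range-API URL and the five-character prefix scheme are the service's public protocol; the sample response body, its suffixes other than the first, and all the counts are constructed for the demo so it runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body the range API returns for the prefix
# "5BAA6": one "<SHA-1 suffix>:<count>" line per known hash. The suffixes
# other than the first and all of the counts are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68AAA:2
1F9C8B2E1D0A5C4B3A2F1E0D9C8B7A6F5E4:17
"""


def hash_split(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.

    Only the 5-character prefix ever leaves the client; the remaining 35
    characters are compared locally against the returned range.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # skip malformed lines rather than crash on them
        counts[suffix.strip().upper()] = int(count)
    return counts


def offline_fetch_range(prefix: str) -> str:
    """Offline fetcher: serve the constructed sample for its prefix, else nothing."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def online_fetch_range(prefix: str) -> str:
    """Fetch a real range from the public API (not used by the offline demo)."""
    import urllib.request

    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus; 0 if not found."""
    prefix, suffix = hash_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch_range)
        verdict = f"seen {n} times, do not use" if n else "not in sample range"
        print(f"{pw!r}: {verdict}")
```

Swap `offline_fetch_range` for `online_fetch_range` to query the live service; in either case the server only ever learns a prefix shared by many hashes, which is what makes the check safe to run against a password you still intend to use.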

“I had no idea it would get this big – I wouldn't have given it such a stupid name,” says Hunt. To “pwn” (pronounced “pone” as a play on the word “own”) someone means to completely defeat them, an internet slang that had its heyday in the early 2000s. It also means to take unauthorized control of a person's computer hardware or, for example, their email account.

As Hunt puts it, the risk of data breach is simply a cold reality that comes with being online. If the internet is the information superhighway, data leaks are part of the roadside debris. “It's terrible that we have a road toll – and targets towards zero are fantastic,” he says. “But as we speed around in metal machines at 100km an hour, that's exactly what's going to happen. Data breaches are just a small part of the internet's road toll.” Hunt recently spoke to Scientific American about how to make sense of the potentially alarming amount of data generated by massive security breaches and what an increasingly online world means for our private information.

[An edited transcript of the conversation follows.]

This year, several major data breaches have been uncovered, such as the AT&T data breach (in which data from 73 million former and current customers). Recently, there was this National Public Data fiasco. One clear difference between these breaches is that NPD was this little-known data aggregator that sells services like background checks—not a big, well-known company. Maybe there's no blueprint for what a standard data breach is, but tell me: is this an unusual case?

I look at the list of major [breaches in the Have I Been Pwned? database] and often they come from people like data aggregators. People don't know who data aggregators are. Most of us, I think, are not particularly excited about the idea [of data aggregation]. We don't like the idea of organizations harvesting and monetizing our data without our knowledge or informed consent. (I will add this reservation.)

When an incident like this happens, it's quite frustrating for people because they're wondering, “Who is this organization? Why do they have my data? What can I do?” And you really have no way to take action against it.

There are some standard recommendations after a data breach like this – like blocking your account with credit bureaus and making sure you have strong passwords. Is there anything else people should do after a data breach like this?

There is nothing discrete you can do directly about this incident. It is not like back when [infidelity dating website] Ashley Madison was breached, where you can change your password and probably have a conversation with your [spouse or partner]. In this case, those are the basic things you should be doing anyway. You should have whatever locks are available to you on credit until you actually need to apply for it. You will have to spend some money on identity theft monitoring services, but that's not a bad idea. And then, of course, use strong, unique passwords and multifactor authentication.

Then just ask yourself: “What should you look out for that could indicate misuse of this data?” – for example, calls from a bank asking about an application you have made and about which you have no idea.

This does not change the guidelines. It simply strengthens them.

Rumors about the NPD hack circulated for a few months before they made it into the mainstream media. When it first broke, some headlines spoke of 2.9 billion accounts being hacked, which was not true. (The hack actually appears to involve about 2.9 billion lines of data.) To make matters worse, the malicious actors behind a data breach or sale may not be trustworthy – they may brag and inflate the file size, or combine already-disclosed data from multiple data breaches to make one data breach look huge. How should we think critically about big, scary numbers in data breach headlines?

We have seen this so many times. A few months ago, the headlines were about the largest password dump of all time, which included 10 billion records. But when [bad actors] include every word from the dictionary and every combination thereof, [does the average person] have to worry about it? No!

There was another incident earlier this year. It is called the “mother of all data breaches”. It involved 20 billion records or something. Well, it's just that someone collected a whole series of data breaches and put them together. If you add one more, you have the biggest [mother of all breaches].

For the same reason, the truth is always contained in the data. The number of total records is an important number. But without the context of what that actually means, it's hard to understand. So I think a much fairer measure is how many people are affected. And if it's just the US Social Security numbers, it's clearly going to be a few hundred million, as the absolute upper limit.

Can we know for sure that every American social security number is included?

No, we don't know exactly.

[Investigative journalist] Brian Krebs has written some good articles about this: There are a lot of different places where this data could be published, and then it all gets merged together. For example, if you haven't been arrested or ended up on a public registry somewhere, you might not be included in it.

What really frustrates me about this is that there was clearly a breach at NPD. I think there is no doubt about that anymore. And if you look at the disclosure statement… there is basically nothing there. [The company has] really not given us anything substantial.

[Editor’s Note: Scientific American repeatedly e-mailed NPD to ask whether it had taken additional actions to contact affected individuals. The company did not respond. In a recorded message on its breach hotline, NPD says that it “will try to notify you if there are further significant developments applicable to you.”]

You wrote about inadequate company data breach disclosure in a blog post from June entitled “The State of Data Breach.” It may surprise many that there can be exceptions to data breach laws regarding notification. In Florida, where NPD is based, if a breach affects more than 500,000 people, legally sufficient notice is a notice “in print and broadcast media” and “a prominent notice on the Internet website of the entity concerned”. How would you improve disclosure?

Disclosure does not necessarily mean that the data subjects are informed. Usually, disclosure is to the supervisory authority, unless it is sensitive personal information – health data, for example. In Australia, the exception is that there must be a likelihood of serious harm. In Florida, as you just mentioned, it is notification. California has [the California Consumer Privacy Act], but I believe, even under this, [companies] in the vast majority of cases can still decide whether or not to notify individuals.

There are all these people who get sour if you don't tell them – well, really, really angry, understandably! And I'm sitting here [at Have I Been Pwned?] saying, “Well, I have your data. I can inform you.” But that shouldn't be my job, should it? I should be completely redundant because organizations should inform their people well in advance.

You've worked on Have I Been Pwned? for more than a decade, but let's look ahead. Where will data breaches lead in the next decade?

If you think about the factors that lead to data leaks or amplify data leaks, we're going to have more people. We're going to have more systems. We're going to have more devices storing data. We have a lot of [Internet of Things–related] data breaches. There are [data collected from] CloudPets toys in Have I Been Pwned? – talking teddy bears!

We are also going down a path where we see many breaches – like all the recent ones related to [cloud data storage company] Snowflake – where we are so dependent on external services that one mistake or one approach can be applied by threat actors over and over again to every user of that particular platform. So all of these factors are compounding the problems we have now. In summary, I think it's getting worse.