What to do if your data is breached

Seriously, it doesn’t matter who you are. Your online data has been smoked out and scooped up by thieves who want every dollar you have in an online account, every government-sponsored benefit you’re entitled to and every paycheck that’ll ever transfer to your bank. They were just prioritizing who to rip off and your name and data could be next on the list.

The damage is done. Prevention is an afterthought at this point. Now is the time to focus on minimizing the impact.

National Public Data makes the nation’s data public

The biggest data breach of the year – so far, that we know about – involves a little-known, privately-owned, Florida-based company called National Public Data (NPD). It’s a data broker, which means it collects data about you from public records, purchase histories, online agreements and whatever other sources it can buy or scrape. It then aggregates your data into a profile and sells it to third parties.

Whether this is legal depends on where the person the data describes lives. A data broker operating in Europe needs a lawful basis under the GDPR, usually the individual’s explicit consent, for every bit of personal data it processes. In the U.S., though, grabbing everybody’s personal data and selling it to anyone willing to pay is as legal as lemonade at a church picnic. Privacy is largely a state-by-state issue here; California was the first to enact a comprehensive privacy law that limits how your data can be collected and distributed, and only a minority of states have followed.

According to a class-action suit filed last month in the U.S. District Court for the Southern District of Florida, “a cybercriminal group by the name of USDoD gained access to [NPD’s] network prior to April 2024 and was able to exfiltrate the unencrypted [personal information] of billions of individuals … [which] was published, offered for sale and sold on the Dark Web by cybercriminals.” The plaintiffs allege NPD advertised that it had the data of 2.9 billion people – that is, roughly one-third of the whole world – and it could be yours for the low, low price of $3.5 million.

Maybe you’ve already picked up on this, but the point is important enough to spell out: The breach happened no later than April. We found out about it in August, and the only reason we learned about it then is because NPD got sued. Someone literally had to make a federal case out of it. Breach-notification laws exist in every state, but they only kick in once a company acknowledges it was breached, and NPD said nothing until the lawsuit forced the issue.

As a privately owned company, NPD isn’t accountable to the investor community, so it doesn’t have to report such shenanigans to the Securities and Exchange Commission (SEC). (NPD eventually posted a notice on its website.) Public companies like AT&T and UnitedHealth, which each had their own massive breaches this year, were compelled to self-report.

So, this isn’t a one-off event. Ticketmaster, Change Healthcare and Dell are among the victims of the now infamous “Snowflake” attack, which was just one of thousands of data breaches that have occurred so far this year – and we’re running just a bit ahead of 2023’s pace. The average breach costs a company in the industrial sector almost $1 million.

The stakes

According to data security firm McAfee, data brokers routinely trade in individuals’:

  • Names
  • Genders
  • Birthdates
  • Contact information
  • Current and past home addresses
  • Marital status and family situation, including children
  • Social Security numbers
  • Levels of education
  • Assets
  • Jobs
  • Purchase habits
  • Interests and hobbies
  • Criminal records
  • Political preferences
  • Medical history

There are plenty of legitimate reasons to collect and disseminate this information. Employers and landlords need to be able to run background checks. You can’t build a credit report without at least some of these data points.

But legitimate companies like Intelius and Equifax don’t have to muck around on the dark web for their fodder. That is the domain of drug dealers, fraudsters and black-hat hackers. And if this is where your data ends up, that’s still not the absolute worst that can happen. One market for such private information is foreign governments – both real ones like Russia or Iran, and wannabes like Al-Qaida and Hezbollah. Even so, system penetration to facilitate ransomware attacks or other types of extortion is still by far the biggest motivation for stealing data.

What you can do if your data is breached

Even if the damage is already done, you still have options for data breach recovery. One way or another, the bad guys have your data. But there are still things you can do to limit what they can do with it:

  • Find out which of your personal data was exposed through lookup sites such as NPDBreach.com or NPD.pentester.com.
  • Freeze your credit file by visiting the freeze pages of Equifax, Experian, and TransUnion (notice the use of “and”, not “or”; each bureau maintains its own file, and a freeze at one does nothing for the other two). A freeze prevents identity thieves from opening loans and credit cards in your name, and you can temporarily lift it yourself when you apply for credit.
  • While you’re visiting the credit bureaus, get a copy of your current credit report and make sure you recognize every listed account and inquiry.

Going forward, here’s how you can limit your data exposure:

And of course, remain vigilant. Don’t fall for any scams. We know that’s easier said than done, but start by disbelieving anyone who contacts you claiming to be from the government – especially the IRS, Social Security or Medicare. Also, if someone claiming to be from a bank or online financial services provider reaches out to you to “check on a fraudulent charge,” don’t give them any information. Hang up, look at the account summary in your bank’s own app or website, and if something really is wrong, call the number printed on your card. If what a stranger says on the phone or in an email doesn’t match what your app is telling you, trust the app, not the stranger. And if you just can’t tell whether something is real or fake, you can always reach out to Smith Anglin.