You can take steps to protect yourself if your Social Security number was stolen in the December 2023 National Public Data breach as part of the massive theft of a reported 2.9 billion records. Here’s how.
According to an August statement from National Public Data — a data broker that sells personal information to private investigators, consumer public record sites, human resources and staffing agencies — “a third-party bad actor” hacked into the data and leaked the stolen information on the dark web. National Public Data obtained the information by scraping nonpublic sources without consent, according to a proposed class action lawsuit. A House of Representatives committee has opened an investigation in response.
Here are steps you can take to see if your information was stolen and then what to do if your Social Security number and other personal data were leaked in the massive data hack.
How was my personal information stolen in the National Public Data breach?
National Public Data said it obtains personal information from public record databases, court records, state and national databases and other repositories nationwide.
According to a National Public Data statement in August, “The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”
The theft — reportedly by a cybercriminal group by the name of USDoD — may involve nearly 3 billion personal records and may include your name, email address, phone number, Social Security number and mailing address.
The exact number of people whose information was stolen is still unknown. Maine’s Attorney General’s office puts the number at 1.3 million, reportedly based on conversations with the data broker. Troy Hunt of Have I Been Pwned estimates the stolen files include 134 million unique email addresses.
On Aug. 22, the House Committee on Oversight and Accountability announced it was opening an investigation into “reports about a possible cyberattack executed against National Public Data.” CNET has reached out to National Public Data for comment.
How to see if my Social Security number was stolen in the National Public Data breach
Two online security companies have put up websites that let you check for free to see if your Social Security number is part of the stolen store of personal information: One is npdbreach.com from the online privacy company Atlas Privacy; the second is npd.pentester.com by the Pentester cybersecurity company.
Both lookup tools are easy to use and search for different pieces of information in the stash. Neither requires you to enter your Social Security number. Both showed my personal information was stolen in the hack after I searched the different states I’ve lived in.
What is National Public Data doing to respond to the data theft?
In an August statement on the security breach, the company said it’s cooperating with law enforcement and governmental investigators and conducting a review of the potentially affected records. For those who had their information stolen, the company said “it will try to notify you if there are further significant developments applicable to you” and recommends you closely monitor your financial accounts for unauthorized activity. At the end of the statement, the company included an email address: breach@nationalpublicdata.com.
How do I learn if my Social Security number was leaked?
You can’t stop the theft, but you can watch your credit reports and financial accounts for unexpected activity to see if your Social Security number and other personal information are being used.
Check if your stolen data has been leaked: To start, check a free site like Have I Been Pwned to see if your email has been leaked as part of a data breach.
Monitor your credit reports: To spot identity theft, request one free credit report a year from each of the three major credit bureaus — Equifax, Experian and TransUnion — and look for unfamiliar activity, such as a new account you didn’t open. Watch your credit card and bank statements too for unexpected charges and payments.
Sign up for a credit monitoring service. A credit monitoring service can constantly monitor your credit report on major credit bureaus and alert you when it detects unusual activity. With a monitoring service, you can set fraud alerts that notify you if someone is trying to use your identity to create credit, including someone trying to use your Social Security number.
I think my Social Security number was stolen. What should I do?
First, if you think your Social Security number has been stolen, know that the Social Security Administration itself can’t do much if someone uses your stolen information to, for example, open a line of credit or get a job. Here’s what you can do.
Create your online Social Security account. To stop someone else from creating an online Social Security account in your name — where they could see your statement, change your address and more — create your own online account.
Head to the Federal Trade Commission’s IdentityTheft.gov and fill out a form to receive a personal recovery plan. This plan walks you through all you need to know about protecting yourself from fraud and recovering your identity. You can also call 877-438-4337.
Contact the Internal Revenue Service if your Social Security number has been stolen to prevent the thief from using your number to file a tax return and receive your tax refund or to prevent them from using your number for a job. If a thief uses your Social Security number to get a job, owed taxes may show up on your record. Visit the IRS’s guide to identity theft to dispute these claims, get help and clear up any issues you have.
File an online complaint with the Internet Crime Complaint Center, which monitors cybercrime complaints to combat internet crime. It’s also advisable to check your credit report every so often to detect any fishy behavior as it happens. Visit www.annualcreditreport.com to receive a free credit report.
Contact the Social Security Administration if you think your Social Security number has been compromised and the administration can help review your statements.
Do I need a new Social Security number?
If you have done all the steps that the Social Security Administration recommends and your Social Security number is no longer being used by someone other than yourself, then you don’t need to apply for a new SSN. If you’ve taken all of the necessary steps and still find that your number is being used, you can apply for a new one.
The administration doesn’t make it easy to get a new SSN. You’ll need proof that your number continues to be used by someone other than yourself. The administration said if you lost your card or think someone stole your number but have no evidence of someone else using it, you won’t be able to receive a new one.
What can I do in the future to help prevent identity theft?
Sometimes, like with the National Public Data breach, there is little you can do to keep your information safe. But you can take steps to limit your risk.
Don’t carry your Social Security card in your wallet. Instead, store it in a safe place in your home. Try to memorize your number so you don’t have to take your card out every time you’re filling out a document that requires it. If you have to provide your number over the phone, make sure you’re far away from other people who could hear it.
Employers and landlords often request documents to be sent electronically through email. If you have to provide your Social Security number or other personal documents by email, try encrypting the document with a password or providing your number separately in a phone call.
Your employer will need your Social Security number to run a background check. You should be skeptical of any job posting that requires you to enter personal information at the outset of an application. Unless you are starting a new position and have an offer in hand, you should not provide your Social Security number to a recruiter.
Finally, always check your bank statements and credit statements regularly to address any issues as soon as they pop up. Enable two-factor authentication on your accounts to protect your private information on websites and apps. And verify the source of your notices — whether they’re phone calls or emails. The Social Security Administration said in general it will only call you if you request a call. If you believe you’ve received a scam call or email, don’t give the person any personal information.
How else could my personal data get stolen?
Theft happens everywhere, all the time. People will steal wallets and bags or go through the mail in search of personal bank or credit card information. The Social Security Administration warns that people rummaging through trash outside of homes or businesses in search of critical information is another way identity theft takes place, along with people buying personal information from insider sources. There’s also the risk of receiving phone calls, texts or emails from seemingly official sources who are actually fraudsters looking to trick you into revealing information.
As CNET’s Bree Fowler explained, cyberattacks happen when hackers take to online accounts with combinations of usernames and passwords that are often stolen in previous data breaches and use them to break into as many accounts as they can. That strategy is reason enough to protect your passwords and use passkeys whenever possible.