You may have heard about a lawsuit filed regarding a data breach concerning social security numbers. I encourage you to read at least the first few pages of the linked class action complaint to see how massive a violation of privacy this is.

The data breach concerns National Public Data, a company which offers background checks. They collect personally identifiable information (PII) as a part of their business. The defendant claims that NPD scraped PII from non-public sources (¶11). NPD then stored the data in an insecure manner and did not adequately protect this personal information (¶25). Consequently, a hacking group by the name of “USDoD” stole records of 2.9 billion individuals from NPD. According to the document, the data was independently reviewed by VX-underground, the cybersecurity company. They confirmed the breach included full names, address and address history, and social security numbers. They were also able to identify familial connections, both living and deceased (¶ 22-24).

Based on this class action complaint, NPD’s conduct was grossly negligent, leading to potential identity theft for almost anyone in the United States. It was also a massive privacy violation by scraping data from non-public sources. Even after they took millions of Americans’ personal information, they failed to secure the data from hackers.

Criminals can ruin your life if they target you with this information. They can open lines of credit without you knowing. You might not find out until creditors call you, demanding that you pay them back (¶60).

So, yeah. I am very concerned. I’ll have to figure out how to defend against this identity theft. Overall, I’m new to the privacy community, but I’m feeling like “privacy” in the United States is an absolute mess. If your data wasn’t somewhere on the dark web, it might be now. Protect your data. Stay safe.

  • astrsk@fedia.io
    7 months ago

    There are no longer any restrictions on freezing and thawing your credit from the big 3 agencies. All of them also offer temporary thawing that automatically freezes after a designated time. Do not under any circumstance permanently thaw them again. If you need new credit cards, credit checks from apartments or mortgaging / car loans, just work with your lender / seller to figure out which agency they will query and when. Set a temporary thaw for as small an amount of time as you can, and all will be peachy. What’s more, after a temporary thaw, get a credit report in a couple months after that to verify nothing snuck in during that time.

    • Chozo@fedia.io
      7 months ago

      What does freezing your credit do, exactly? Is this still something someone should do if they don’t even have any credit cards?

      I’ve generally been pretty ignorant toward how credit reporting works.

      • MajorHavoc@programming.dev
        7 months ago

        What does freezing your credit do, exactly?

        It prevents opening new credit cards or other lines of credit in your name.

        The reason this matters is lots of fraudsters are using names and SSNs they bought on the dark web, to open credit cards they have no intention of paying back.

        If you’re an American, your name and SSN combination is almost certainly for sale for about 25 cents, on the dark web, today.

        Freezing your credit at all three agencies is the only effective prevention, today.

        The credit agencies will attempt to charge you a monthly fee for the privilege, but don’t fall for it. They’re legally required to provide the service for free.

        If I’m ever a juror on a murder trial where the “victim” worked in leadership at one of the big three credit agencies, I’ll have to admit that I couldn’t possibly convict someone for that.

        Is this still something someone should do if they don’t even have any credit cards?

        Yes. Absolutely. Being a victim of credit fraud can make it impossible to get a home mortgage, or even get certain jobs or apartments. It can be incredibly difficult and expensive to clean up, and the burden is largely left entirely on the victim.

      • ChaosCoati@midwest.social
        7 months ago

        Freezing your credit means you (or anyone else) cannot access your credit report to open new lines of credit. No credit cards, mortgages, car loans, nothing.

    • MajorHavoc@programming.dev
      7 months ago

      Yes! And don’t pay these assholes a dime for the privilege.

      They’re legally required to provide freezes for free, but two of them were trying to sell it as a service through misleading page links, last time I checked.

    • IllNess@infosec.pub
      7 months ago

      Everyone in the US should freeze their credit. Yes, it sucks that you have to unfreeze it to apply for new credit but it doesn’t actually suck that bad. Everything is done through the websites.

      Also, whatever email you use, enable 2-factor authentication. I think using OTA is better because people have had their numbers SIM-swapped.

  • Null User Object@programming.dev
    7 months ago

    The best time to have frozen your credit reports at all three agencies was many many years ago. The second best time is right now. Not tomorrow. Now.

    • nman90@lemmy.world
      7 months ago

      Wish I would have known to do this a while ago, I am currently trying to do it now but all three are telling me that my info doesn’t match their records and to call them. Too bad they are all closed right now so I can’t call them, definitely doesn’t bode well for me.

  • bluestribute@lemmy.world
    7 months ago

    I like how the only way to protect yourself is to freeze your credit but also the private websites to freeze your credit that also leak your data like a drippy faucet won’t let you create an account to freeze your credit.

  • TheButtonJustSpins@infosec.pub
    7 months ago

    Freeze your credit report at all three credit agencies and ChexSystems. That should protect you from most fraud that involves opening new accounts.

  • Mikelius@lemmy.ml
    7 months ago

    The news is kind of blowing this up bigger than it really is. But I find this as a good thing because I’ve noticed a few people FINALLY taking the advice I’ve been giving for years now, and that’s to freeze your credit at the big bureaus and some, if not all, of the smaller ones.

    That being said, I checked this data dump for my own data as well as a bunch of friends and family. Not a single person I checked was in it… Which is why I’m not finding this breach to be that frightening personally. The ATT breach was way worse. Also Krebs posted on this today… A good read for anyone interested. Main thing I took from it was a large number of these entries belong to people who have passed away already.

      • Mikelius@lemmy.ml
        7 months ago

        Not sure it’s against the rules to go into specifics, so I’ll just say… It’s 100% free and open on the dark web for anyone to download. The site hosting the content is mentioned on many articles. Just be sure you have at least 300gb of space to store it while you check for yourself when you do find it.

        I know that may be a little vague, but don’t want to break any rules and also don’t want to make it sound like I’m promoting going to these sites, as I literally only go to them to verify (open) data breaches that I know I or my family could potentially be in.

        If a mod feels even this message is going too far, feel free to delete it.

  • csm10495@sh.itjust.works
    7 months ago

    What is the data used to freeze your credit? Why couldn’t a bad actor with your SSN unfreeze it?

    Edit: I just froze with the big 3 credit agencies. It took name, address, phone number, email, SSN, birthday.

    So all the stuff that leaks. Why do people think this provides security if a bad actor has the same data to unfreeze?

    • IphtashuFitz@lemmy.world
      7 months ago

      The credit monitoring companies have your up-to-date contact information (and verified) when you put the freeze in place. Now, should a third party try to open an account, etc. in your name it should be blocked from happening and the credit monitoring company should contact you.

      If a scammer tries to unfreeze or otherwise modify your account with them they should also contact you.

      If/when they contact you or you request your account be unfrozen then they’ll use old credit history to confirm your identity. These are a series of three or four random questions that a scammer is unlikely to know. For example they might ask you what kind of car you purchased in 2005, then give you 4 options, like Ford, Honda, Jaguar, or BMW, and then also a “none of the above” option. Then they might ask you which of the following street addresses you used to live at, and list 4 seemingly random addresses, one of which you might have lived at.

  • hopper23@lemmy.ml
    7 months ago

    Also be careful of having your Experian account being compromised where hackers then attempt to unfreeze your credit.

    • pdxfed@lemmy.world
      7 months ago

      What was the story on that? I remember reading but can’t recall, just anyone could provide a new email if “locked out” with no verification or something essentially invalidating all security setup to that point? Wasn’t that fixed?