- A massive data breach by a company named National Public Data could have made billions of personal financial records vulnerable.
- Many Americans are wondering if they've been personally affected and what to do next.
- Here's how experts respond to some of the biggest questions on the breach.
You may have never heard of National Public Data, yet your personal information may have been compromised in the company's recent massive data breach.
The background check company, which is owned by Jerico Pictures Inc., recently released details of the breach after a proposed class action lawsuit alleged 2.9 billion personal records may have been exposed. Other reports suggest the amount of records leaked may have been more than 2.7 billion.
Get Tri-state area news delivered to your inbox.> Sign up for NBC New York's News Headlines newsletter.
In an official data breach notice filed in Maine, National Public Data indicated 1.3 million records may have been breached, said James E. Lee, chief operating officer at Identity Theft Resource Center, a non-profit organization focused on mitigating risks of identity breaches and theft.
"It is entirely possible that it is that low; it's also entirely possible it's higher," Lee said of the number of people affected.
More from Personal Finance:
Social Security cost-of-living adjustment may be 2.6% in 2025
Here's the inflation breakdown for July 2024
A U.S. construction boom is sending rents lower
Money Report
The information breached may have included Social Security numbers, names, email addresses, phone numbers and mailing addresses, National Public Data states on its website.
A third-party bad actor may have hacked into the data in December, with potential leaks of the information in April and over this summer, the company said on its website. National Public Data did not return a request for comment by press time.
As cyber professionals dig into the breached data, they're finding that not all of it is accurate and much of the information was already available. "The reality is there's nothing new in this data," Lee said.
Still, experts say news of the breach is a great reminder to take steps to protect your personal information. Here's a roundup of answers to common consumers are asking now.
Can you be affected even if you've never heard of National Public Data?
Yes. National Public Data is a background check company that provides information either through legitimate sources or by scraping it off the web, Lee said. Because the data is collected more casually, it can be gathered without consumers' permission and outside of certain regulations. As a result, it may be inaccurate or outdated, he said.
Certain information, such as when you buy a house or pay property taxes, technically is public record, said Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, a nonprofit focused on cybersecurity awareness and education. Companies can collect and aggregate that publicly available data to gather a picture of who someone is, he said.
"You have varying levels of companies' ability to protect the data that they're collecting, and they may not fall under any regulation to do so because it's like public data to begin with," Steinhauer said.
Is there a way to know if your Social Security number has been affected?
Certain cyber groups have set up websites to enable individuals to search to see if their personal data was affected by the breach, Lee said. One site — NPDBreach.com — allows for a search by full name and zip code, Social Security number or phone number. Another site — NPD.pentester.com — allows for search based on first name, last name, state and birth year.
"I certainly don't recommend anybody enter their Social Security number" in the sites, Lee said.
By entering your name, you may get a sense of what information, if any, has been shared. The good news is most people are finding information that has been leaked is inaccurate, Lee said.
What is the best way to protect your personal information?
If you find you're included in the breach, the steps you should take are not necessarily new.
"There's nothing additional you should do that you haven't hopefully have already done, or you know now to do," Lee said.
Freezing your credit should be at the top of that list. Be sure to submit requests to each of the three major credit bureaus — Equifax, Experian and TransUnion.
A freeze will help block access to your records by bad actors. However, keep in mind you will need to either temporarily or permanently unfreeze your credit if you want to apply for a new credit card or auto loan, for example.
As you freeze your credit, be extra vigilant that you are on the legitimate websites of the credit bureaus, and not look-alike sites aimed at stealing your personal information.
Additionally, you should change all your passwords, particularly if you have repeated passwords among multiple websites. Ideally, you should enable multi-factor authentication for personal websites to help keep your financial data secure. Also, never share your personal information while using public internet.
Is it worthwhile to pay for extra protection?
In addition to freezing your credit, there are ways to purchase additional protection.
Sites like National Public Data may allow for individuals to opt out of being included in their data collections. However, because there are so many data brokers, it can be time consuming for consumers to contact each one, Steinhauer said. To help, consumers can pay for a data broker removal service that will contact the websites on their behalf.
Additionally, identity theft monitoring tools will let you know if someone tries to open an account using your personal information.
Dark web monitoring services can let you know if your information was found in a data breach that was published on the dark web.
Can you be entitled to money damages if you're affected by the breach?
While legal organizations may tout the idea that money damages may be available to people affected by the breach, any sums that are eventually paid likely won't be meaningful, Lee said.
"You're not going to get a lot of money," Lee said.
After the 2017 Equifax breach affecting more than 147 million consumers, for example, people reported receiving lawsuit payouts in late 2022 of less than $3 in some cases, while other said they got around $40.
The goal of the solicitations is often to build a multi-state, multi-jurisdiction class action lawsuit, which may consolidate multiple lawsuits.
However, they will need to prove actual harm came from this specific data breach, Lee said. Because there have been so many data breaches, it can be difficult to tie a specific piece of data to this one event, he said.