Another huge data breach: Don’t stress out; take action instead

Breach reportedly involves every American, including names, mailing addresses going back 30 years, Social Security numbers and verified relatives

Mikhail Nilov via pexels.com | Used by permission

News erupted this week of yet another massive data breach, the latest in this parade of invasions into our personal information. Word that the data broker National Public Data was hacked has caught many people’s attention. That’s a good thing; it could be a wake-up call for all of us that we need to pay attention to protecting ourselves and our families every single day.

The breach reportedly involves every American, even dead people, including some or all of the following: their name, mailing address, Social Security number and verified relatives, according to reports. Previously leaked data also included phone numbers and email addresses. It’s not clear whether additional information has been stolen and sold on the dark web.

The breach involved nearly 3 billion records, which doesn’t mean 3 billion people. A person can have multiple records. In addition, data apparently was stolen regarding an unknown number of people in the United States, Canada and the United Kingdom and being offered for sale earlier in 2024.

This could be a big deal for some people. We should all recognize that at least some of our private information is almost surely out there for bad guys to access, and has been for years. But this latest breach could provide a kernel or two of data that was missing from the dark web dossier about you. The file on you may have already contained public data, non-public hacked data and even information you’ve provided voluntarily on social media. 

What could bad guys do with stolen data?

They can do an array of deeds, none of them good, using very personal information to:

  • Hack your bank account or investment account. 
  • Pose as one of your relatives and contact you by phone, text or email with an urgent plea to send money.
  • Hijack your phone number with your mobile provider, using a tactic called port-out hijacking or SIM swapping
  • Open a new loan or credit card.
  • Create a Google Voice number in your name and commit crimes. 

The list of possibilities goes on and on.

What should you do? First, don’t worry

We shouldn’t stress out about how this happened or who has what information. We should focus on what we can control. Taking action to protect yourself is empowering, and beneficial. Here are four easy tasks to start with:

  1. Freeze your credit files.
    This takes 20 minutes by phone. Research shows only about 10% of consumers have frozen their credit files. People talk about maybe getting around to it some day. In reality it will take you minutes to freeze your files but if you get hit with fraud because you didn’t freeze them, it likely will take hours and days and weeks to unravel the mess of identity theft.
    Here’s a link to our step-by-step guide to freeze your files.
  2. Make sure your contact information is up to date.
    Maybe you’ve moved. Maybe you have a new phone number or email address. You should make sure that your banks, investment accounts, credit cards, your state bureau of motor vehicles, and so on have your current contact information. That way, if someone is trying to hack into an existing account, you can be reached quickly.
  3. Sign up for transaction alerts.
    You can sign up for alerts with your banks, credit cards, investment firms, etc. to be notified by email or text for any transactions above a certain dollar amount (maybe $50), any new payees, any effort to change your address, etc. While you’re at it, sign up for two-factor authentication alerts so that even if a thief is able to guess or extract your user name and even your password, they can’t get into your account without the two-factor code that is generated in real time, unless they take over your phone number.
  4. Be extra paranoid and vigilant about everything.
    Watch out for phone calls, texts, emails that pretend to be from a company, a relative or government office. No matter how you’re contacted, if you’re not specifically expecting it, don’t confirm information. Don’t send money. If someone says they’re calling from your bank or the police department or the FBI or the Social Security Administration, don’t provide or confirm information, no matter how many things they know about you such as your address, your date of birth, your mother’s maiden name and so on.
    Whoever is supposedly contacting you, if you think it could be legit, call them at the number on the back of your bank card, or that’s on your account statement, or by logging into your account online. You need to use an independent means to verify who you give information to.

We have additional advice here: 22 ways to protect yourself from fraud, identity theft and headaches and on our new one-stop shop: PIRG.org/scams

Unfortunately, this is the world we live in now. It’s been pushing two decades since this country had its first huge corporate data breach, Heartland Payment Systems, that affected 100 million payment records in 2008. Since then, we’ve had breaches by Facebook, Yahoo, LinkedIn, AT&T and JPMorgan Chase, and the granddaddy, the devastating breach by Equifax in 2017.

Topics
Authors

Teresa Murray

Consumer Watchdog, U.S. PIRG Education Fund

Teresa directs the Consumer Watchdog office, which looks out for consumers’ health, safety and financial security. Previously, she worked as a journalist covering consumer issues and personal finance for two decades for Ohio’s largest daily newspaper. She received dozens of state and national journalism awards, including Best Columnist in Ohio, a National Headliner Award for coverage of the 2008-09 financial crisis, and a journalism public service award for exposing improper billing practices by Verizon that affected 15 million customers nationwide. Teresa and her husband live in Greater Cleveland and have two sons. She enjoys biking, house projects and music, and serves on her church missions team and stewardship board.