NPD acknowledged there had been a “security incident," saying a third party was “trying to hack into data” in December and that “potential leaks” popped up in April and August. The company said it conducted its own investigation into the incident and that “subsequent information has come to light," though it didn’t share what that information was.
NPD said it has cooperated with law enforcement, improved security, and would update on further developments. The company didn’t respond to a request for comment.
NPD did not say how many people were at risk, but companies like it have records on virtually all Americans. Unlike rules governing credit records, there are few regulations for the hundreds in the data-broker industry, which deals in email and street addresses, phone numbers, Social Security numbers, likely relatives, and property and legal records. The most sensitive information, including Social Security numbers, is typically obscured, at least in part.
Potential employers commonly search those sorts of data troves, but they are also valuable to retailers, marketers, and people-search companies that advertise on the web to general users. Such brokers have also been the subject of past hacks and leaks.
Criminal hackers have been offering what they claimed were billions of NPD records since April, though some security researchers who looked at the trove said some of the claims were exaggerated. The set is large enough to suggest some fake or reused data, security expert Troy Hunt told The Washington Post.
Awareness of the issue rose after a lawsuit seeking class-action status was filed on Aug. 1, as first reported by Bloomberg Law. The suit accuses NPD of failing to protect the personal information of consumers who have had no direct relationship with it.
Posters in hacking forums claimed responsibility for the breach and offered to sell or share the data, which they said included information on people in the United States, the United Kingdom, and Canada.
Some of the data has been made freely available, with millions of rows of data, some of which contain authentic names and Social Security numbers, multiple cybersecurity researchers told The Post. Still, the scale and severity of the alleged breach have been overstated in some reports, they said. It’s still unclear how much of the data is genuine and whether it all came from hacking, as opposed to scraping publicly available sources.
Cybersecurity experts say this incident is par for the course as companies amass data on consumers.
“Incidents like this should ideally stimulate a public conversation regarding the data aggregation industry,” said Robert Roccio, a threat analyst at cybersecurity company GroupSense. “It’s a massive business and it is worth considering whether these organizations are being responsible with the information they collect on ordinary Americans.”
Rob Shavell, CEO at consumer security company DeleteMe, said his team hasn’t seen signs that a wave of new stolen data is hitting online markets.
James E. Lee, chief operating officer at Identity Theft Resource Center, a nonprofit that helps consumers deal with fraud, said that there is “nothing new” about this particular data haul and that SSNs already circulate online.
“The steps you need to take today are the steps you needed to be taking for years,” Lee said.
Here’s how to protect yourself as best you can against fraud and identity theft.
Freeze your credit
A credit freeze blocks any new lines of credit, so a bad actor couldn’t open new cards or accounts in your name. You can initiate a freeze without impacting your credit score. Just visit the websites of the three major credit reporting agencies: Equifax, Experian and TransUnion. You might have to scroll down the page or click on one of the menu tabs at the top to find a “manage freeze” or “add a freeze” button. You’ll fill out a form and might get asked to set up an account or verify your identity — in this case, go ahead and do so.
You can pause or remove the freeze at will by going back to the website or by contacting the reporting agency by phone or mail.
You can also create an online “My Social Security” account and keep an eye out for flagged suspicious activity.
Turn on two-factor authentication
This is the thing that sends you a text message with a code as you log in. “Two factors” just means you need to authenticate your identity in multiple ways before accessing an account.
Turning on two-factor authentication — either when you set up an account or later in the settings — is one of the best and easiest ways to keep accounts secure, according to the Identity Theft Resource Center, a nonprofit that helps consumers deal with fraud. Still, many people skip this step. Always say “yes” to two-factor authentication, whether that’s through text messages, emails, or a stand-alone authenticator app that asks “is that you?” every time you sign in.
If you haven’t set up two-factor authentication, start with your most sensitive accounts such as banking and health care, Shavell said.
Consider dark web monitoring
Data brokers collect details about individuals to build profiles they sell to advertisers and even law enforcement. If your Social Security number turned up in a broker’s database, it would be hard to hunt down on your own. You can sign up for a service that monitors the web for your personal info and sends removal requests on your behalf.
Revisit your password hygiene
It’s 2024, and we’re not using the same password for multiple websites anymore. Each account you own should have a long, distinct password containing a mix of letters, numbers and special characters.
Worried about remembering all those? Get a password manager such as Dashlane or 1Password, which automatically generate secure passwords and autofill them next time you log in. (Both of these products cost about the same as a Netflix subscription, but Apple and Google have their own free password managers that come with your operating system.)
If you’re still refusing to use a password manager, try to keep your passwords free of personal information such as your pet’s name or your birthday — those make it easier for bad actors to guess, said Ginny Fahs, director of research and development at consumer advocacy nonprofit Consumer Reports.
Don’t forget about visibility
If you don’t mind making your social media accounts private, doing so can cut down on the personal information criminals can access. A bunch of public Facebook posts, for instance, could make it easier for a hacker to impersonate you in a phishing attack targeting one of your friends or family members. Don’t forget to check your privacy settings in apps such as Venmo and YouTube as well. Just last month, reporters at Wired found that the public Venmo transactions of vice-presidential candidate Sen. JD Vance (R-Ohio) provided a glimpse into the politician’s social connections.
Delete accounts you don’t use
Don’t just abandon accounts you don’t use anymore — go ahead and delete them. It reduces the amount of personal info you have sitting online, such as an old Myspace account, and in some cases prevents companies from sharing or selling your data down the line.
“If you’re no longer using that site, there’s no reason for that company to have your information,” Fahs said.
In many cases, deleting your profile doesn’t mean the company has deleted the data it stores about you. However, some states have privacy laws that require companies to honor a deletion request and purge your information from their servers. Consumer Reports made a tool called Permission Slip that lets you send multiple data deletion requests in one place.