National Public Data Confirms Breach Exposing Social Security Numbers

BleepingComputer's Ionut Ilascu reports: Background check service National Public Data confirms that hackers breached its systems after threat actors leaked a stolen database with millions of social security numbers and other sensitive personal information. The company states that the breached data may include names, email addresses, phone numbers, social security numbers (SSNs), and postal addresses.

In the statement disclosing the security incident, National Public Data says that "the information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es)." The company acknowledges the "leaks of certain data in April 2024 and summer 2024" and believes the breach is associated with a threat actor "that was trying to hack into data in late December 2023." NPD says they investigated the incident, cooperated with law enforcement, and reviewed the potentially affected records. If significant developments occur, the company "will try to notify" the impacted individuals.

At this point

[RitchCraft]

At this point it would be easier just to shit-can the SSN system and come up with something new. My data, according to emails I receive offering "monitoring services" from breached companies, has been leaked well over 5 times in the last 2 years alone. What that new system would like I have no clue. It's obvious these companies are never going to be held truly accountable for their failures so the current system is pointless given the number of times everyone's data has been leaked.

Re:At this point

[4wdloop]

All that needs to be shit-canned are the systems with security based on secrecy of SSN. The whole Europe has personal ID numbers but they are public info not a secret code to all your accounts and data. It's only a USA idiocy.

Re:

[geekmux]

All that needs to be shit-canned are the systems with security based on secrecy of SSN. The whole Europe has personal ID numbers but they are public info not a secret code to all your accounts and data. It's only a USA idiocy.

The US appears to mostly use it for two reasons; tracking personal creditworthiness, and paying qualified citizens their SSN retirement, which they paid into when working.

Honest question; how does whole Europe track those things to the individual? Credit and retirement planning are global concepts.

Re:At this point

[rastos1]

Honest question; how does whole Europe track those things to the individual?

You literally quoted in your post:

The whole Europe has personal ID numbers

So what is not clear?

I can tell you how to works in one of the post-communist central European country: at birth you get a birth certificate that carries a "birth number". This number is used as your national identification number. You use it on any contract (*). Opening bank account, get a loan, signing a job contract, buy a house, sign a contract about phone or internet service, claim your pension, get healthcare, pay property taxes, get unemployment benefits, enter into school, ...

The number isn't really a secret, because apart from you it is known to police, your employer, doctor, bank, utility companies, ... but is recommended to not spill it willy-nilly everywhere. It is of course "personal data" and anyone leaking it will face personal data protection law penalties.

Presenting this number in a bank is not enough to get access. You need to present also a state-issued national ID card (issued at age of 15) with matching information and photo. How this part works in US is actually not clear to me. If I come to a bank and say "I'm geekmux" will they allow me to clear the account? Perhaps "verifying a signature"? (meh!)

Do you have more questions?

*) of course you can scribble a contract on a napkin with anyone without a lawyer or notary present and without the national id written down. But in case of dispute it will be considered a major flaw if you - as contract party - are not properly identified.

Re:

[4wdloop]

> The number isn't really a secret,
This is the key. It is unique identifier of any person and would not be necessary, in spirit, if your given names were guaranteed to be unique and permanent. But in no way it's used as a "secret" (or one of secrets) to perform any transaction, like obtaining credit. In my country or origin, this number is build up from date of birth and a rolling birth number on that day and few other algorithmic operation (such as coded sex-at-birth etc). So it could be partially recre

Re: At this point

[Midnight_Falcon]

A big part of the problem is that it's also been used heavily as a unique identifier, a crummy GUID if you will. There's too many James Smiths in the US etc, so places like doctors and universities had been using it to identify individuals for a long time. It's the only unique but unchanging number referencing themselves a person would typically have memorized. This probably helped some surgeons somewhere not give a circumcision instead of a circular incision to the wrong guy named Bryan Smith. But

Re:

[sjames]

SSN is fine as an ID number, but has always been useless as an authentication.

We may need a law stating that any company using SSN as authentication must write off whatever debt they claim if the alleged debtor denies the claim on the grounds that they have no proof of identity.

Re:

[ctilsie242]

Maybe with some teeth in it. I remember around ~2015, a push to have chip + PIN here in the US, and how vendors would be responsible for fraud if they didn't implement that, and how it was weakened over time. Mobile payments are helping, but many businesses just allow a waving of a card past a NFC sensor, and calling it done.

I do wonder what could be used as a "password". The parent is right -- a SSN is an okay username, however, even usernames can greatly trespass on privacy. Some form of authenticatio

Re:

[sjames]

The cards themselves could be securely identified if the chip is used to sign transactions and the chip itself performs the signature so that the secret key never leaves the card. It could be further secured if the card holder first inserts the card into their own device and enters a pin to unlock the card for say 5 minutes. OR, the card itself could have a membrane keyboard and simple status LEDs (powered by the POS) such that the card holder enters the pin directly on the card's built in keypad (so the sk

Re:

[jmccue]

SSN is fine as an ID number, but has always been useless as an authentication.

Actually it is not good for an ID Number, I heard when someone dies, their SSN is recycled to someone else. I think some kids being born now are getting a SSN from people who originally got then when they were created. Also, did you ever read you SSN Card ? It states "Not to be used for ID purposes". So, I think a whole lot of law suites should spawn against companies using the SSN to ID People.

I remember talk a very long time ago about the US having a "real ID" Number for people, but the whole bible th

Re:

[Ol Olsoc]

SSN is fine as an ID number, but has always been useless as an authentication.

Actually it is not good for an ID Number, I heard when someone dies, their SSN is recycled to someone else. I think some kids being born now are getting a SSN from people who originally got then when they were created. Also, did you ever read you SSN Card ? It states "Not to be used for ID purposes". So, I think a whole lot of law suites should spawn against companies using the SSN to ID People.

I remember talk a very long time ago about the US having a "real ID" Number for people, but the whole bible thing of numbers and people and the devil stopped it. Stupid superstitious people.

I have Real ID. When fully implemented, you'll have to have one to board Domestic flights and a number of government facilities or nuc plants. It got delayed a few times, like for Covid or various amendments. But after May 7th of next year, it goes into full effect. https://en.wikipedia.org/wiki/... [wikipedia.org]

So if for some reason, the deeply religious who believe in strange things object, they won't have to get one, just not do anything requiring Real ID . I remember as a little kid, some of the same group believe

Re:

[sjames]

Turns out, that's an urban myth. According to the SSA, we have 2 or 3 more generations where the SSN can be used as is without re-issuing numbers and no numbers have been re-issued. After that, I suppose we'd need to add more digits somewhere.

windfall for lifelock

[awwshit]

Sounds like a windfall for LifeLock. What a bunch of crap.

"Yes, we're responsible for not securing the data"

[Sebby]

Background check service National Public Data confirms that hackers breached its systems

Sweet - let the lawsuits begin!

Re:

[Joe_Dragon]

the TOS says you can't sue us.

Re:"Yes, we're responsible for not securing the da

[Sebby]

the TOS says you can't sue us.

Except I never signed any such agreement with them, because I'm not any sort of "customer" of theirs, because I've never even heard of them before this, and certainly never interacted with them before either.

Oh sure, they can try to claim that when they got my data, they got it from a third party with whom I had such an agreement - but that's between me and that third party - not National Public Data.

Oh sure, they can try to also claim that third party's agreement with me stipulated something about data sharing, but I'm sure that third party covered their ass by stating something like "...we may share your data with third parties...." - notice the "may share" (not "will share")? Notice the non-specific "third parties". That doesn't tell me they would definitively share my data, or know who those third parties would be, since they knew they might change that from one day to the next (if not one second to the next). So that never told me anything about National Public Data, much less get informed consent from me about any such potential sharing with National Public Data at the time, much less any agreement between myself and National Public Data to begin with!

Re:

[cascadingstylesheet]

Oh sure, they can try to claim that when they got my data, they got it from a third party with whom I had such an agreement - but that's between me and that third party - not National Public Data.

That's perfectly logical, and in principle, I totally agree.

That said, let me know how that works out for you ...

Re:

[NoMoreDupes]

I'll be far more interested in watching NPD's lawyers trying to defend its position; that should be several levels of embarrassment above Trump's lawyers' arguments.

But then again, if NPD managed to buy themselves some legislators and/or Supreme Court justices, you never know.

Re:

[zlives]

its not buying, its gratuity.

Re:

[volcan0]

This was precisely my argument to go against Equifax. But then I realized they have a special charter from the government. I do not agree, but I never got to vote against it.
I doubt these guys do.

Re:

[Sebby]

This was precisely my argument to go against Equifax. But then I realized they have a special charter from the government. I do not agree, but I never got to vote against it. I doubt these guys do.

Reading up on the whole debacle, learned this affected people from other countries as well... can't see the same "charter" (if it exists) being applicable globally.

Maybe for the best

[LindleyF]

SSNs are great as identification. Treating them as authentication as well is a mistake. Knowing the number doesn't prove you are its owner. Companies need to stop assuming otherwise.

Re:

[VeryFluffyBunny]

Yep. This.

In other countries, national ID numbers are public knowledge & no proof of anything; They're just a number linked to a specific person, nothing more.

If you want authentication, you need either a govt issued photo ID for in-person or, for online, a digital certificate/encrypted authentication. AFAIK, in the EU this is the norm & they're working on making them interoperable between countries to make it easier to travel & work in different EU member countries.

Re:

[e3m4n]

Lies work best when surrounded in truths. You take a bunch of real data and then make a convincing fake ID, then go into someones bank at a different branch in another city and make a withdrawal. This is the current level of fraud where 5k-10k is taken out of peoples accounts using very realistic fake ID that is RealID level convincing. Not a 1-man operation. Know an owner of a WISP had $5k stolen by going into an ATT store 4 states away and charing a bunch of iphones to his corp account. Even though camer

Re:

[organgtool]

SSNs are great as identification

Unfortunately, they're not even great at that. They get reassigned after someone dies and sometimes this leads to confusion. Not to mention it will be confusing when reviewed by long-term historians over the course of generations. We have the technology to store numbers large enough to be unique for every citizen alive today and for the rest of the likelihood of human existence. Just use a larger number already.

Treating them as authentication as well is a mistake. Knowin

Re:

[Anubis IV]

SSNs are great as identification

Unfortunately, they're not even great at that. They get reassigned after someone dies and sometimes this leads to confusion.

This isn’t true (yet). It’s one of those tales that gets passed around, and it’s true that they were running low on numbers in some states in the early 2000s due to the way they were generating them at the time, but then they switched to randomly generated numbers in 2011 and are now saying they have enough left to last several more generations before they’ll need to reuse any.

From their FAQ: https://www.ssa.gov/history/hf... [ssa.gov]

Q20: Are Social Security numbers reused after a person dies?

A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 453 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

Re:

[4wdloop]

> No one would do business with an organization this incompetent in the private sector.

Likely all private sector financial organizations and health use it for this. E.g. all banks use SSN as 'secret' for your identification - pretty much all you need to get credit.

Re:

[organgtool]

They may use it as a supplemental identifier, but I've never seen a bank use customers' SSNs as the username and password to access accounts electronically.

Re:

[4wdloop]

No, no - not as online login sure, but is a key data to obtain credit.

Re: Maybe for the best

[writeRight]

"SSNs are great as identification." In US, a passport is great for identification. SSN is not even required, though most parents want the tax deduction so they sign up their children for the #. No, a SSN is not needed to get a passport and a transposed or made up or blank SSN does not stop passport issuance. I have done all of these

Re:

[4wdloop]

^^^ this, indeed!

Re:

[lister king of smeg]

SSNs are great as identification. Treating them as authentication as well is a mistake. Knowing the number doesn't prove you are its owner. Companies need to stop assuming otherwise.

they aren't even that great as a id number. the first three digits are based on region it was issued in thus dramatically limiting the pool of possible numbers, also some numbers and number ranges are reserved and not issued (numbers are issued where the forth and fith digit are 00, also the final quartet will never be 0000 they also wont issue a number with 666 in it, etc...) all of these together result in a small enough of a number pool that it requires numbers to be recycled so it no longer even a uniqu

Re:

[CrazyCartwheels]

SSA abandoned the 3 digit prefix relating to the address where you applied from in 2011. They also opened up the unused numbers from the 7** block.

The 666* block is still in effect.

On the Bright Side

[organgtool]

We're probably approaching a point where there have been enough data breaches to expose just about every important detail about nearly every person. I wonder if the supply of stolen data will reach saturation and become so widely available that it's virtually worthless to hackers.

We Can't Be Surprised

[organgtool]

It's right in their name: National Public Data. It was a bit of a misnomer before the breach, but now the nation's data is definitely public.

Everyone in the US ought to ask for a new SSN

[schwit1]

Let's see how that goes over.

Re:

[PPH]

I'll keep using the one that came with the card in my new wallet. Thanks anyway.

Good thing my SSAN is for Social Security only.

[mmell]

Not for use as an ID.

Oh, wait . . .

Re:

[PPH]

It's a key to a database record. With a good probability of being unique and the same across multiple databases. So, good for linking.

But yeah. Me knowing my SSN (or even the last four digits) proves nothing.

Sorry, kid, it's an antiquated reference.

[mmell]

The Social Security card used to have the words "FOR SOCIAL SECURITY AND TAX PURPOSES - NOT FOR IDENTIFICATION" printed right on the front.

Try?

[kmoser]

the company "will try to notify" the impacted individuals.

Try? It's not like they don't have access to everyone's email, phone, and physical address or anything.

Probably bought it

[ZipNada]

Apparently the laws related to buying and selling personal info like SS numbers are pretty loose. I've seen data feeds from companies that gather and sell similar things with no restrictions.

National Public Data probably ingested all that data from legally 'legitimate' sources and has made a business out of reselling it in nicely packaged form. And then they got hacked which is bad for all of us, but the info they obtained was most likely already available from various places anyways.

SSN Is Not a Form of Identification!

[skrugen]

SSN Is Not a Form of Identification!

In the 1930's as Fascism was gaining traction in Europe the US decided to assign everyone a number. Not to be used for ID, but to give you Social Security benefits.

1962 the IRS starts using the number to gather tax info. 1969 the military uses the SSN to ID you. 1977 Federal food assistance is using it.

Now it is your ID, just like they said it wasn't

Change the impact to the companies

[CrazyCartwheels]

Calculate the average cost of credit monitoring when **bought by a consumer**.

Companies should then write checks for that amount to each individual impacted.

The individual can decide when/if to purchase the monitoring service. (I think I'm currently being monitored for 5 breaches.)

Fines are additional. Perhaps we also need to attach criminal negligence as well. (And it should also include the CIO and CEO.)

If that's too steep of a price to pay, keep the data offline.

1. Lock everyone's credit by default

[turp182]

2. And, make it a first degree felony (no parole) to use the credit of a child before they are 18.

3. And have National Public Data pay for it until all of their assets have been exhausted, and the company is no more.

Locking credit is much cheaper than credit monitoring.

Then the process to unlock is needed to get access to credit.

Pain in the ass? Yes.

Better than identity theft? Yes.

4. Oh, and put away the execs at the company, should be pretty easy on millions on low level felonies (I'm sure there's something about leaving people's property out for other's to steal, especially when it is all of the keys in one source).

Re:

[zeiche]

i financed a car while my credit remained locked. CLs don’t work, either.

Re:

[PPH]

i financed a car

Because auto dealers probably figured out that credit scores have a poor correlation with the likelihood of getting paid. Rich people will stiff them and poor people will keep up the payments so they can drive to work.

Corporate Death Penalty/Judicial Dissolution

[hwstar]

The threat of Judicial Dissolution should be incorporated into any data privacy legislation.

Wikipedia link; https://en.wikipedia.org/wiki/Judicial_dissolution

losing technology

[groobly]

All these hacking problems could easily have been avoided simply by keeping all such data on paper, as was done for millenia previously.

How much ...

[PPH]

... do SSNs sell for on the dark web? I have a comprehensive list of them, all the way from 000-00-0000 to 999-99-9999. Where do I go to get paid?

Difficult notifications

[manu0601]

the company "will try to notify" the impacted individuals.

According to KrebsOnSecurity [krebsonsecurity.com], the data is mostly from deceased persons.