2.9B hit in one of largest data breaches; full names and SSNs exposed

tomsguide.com

93 points by purpleblue a year ago · 87 comments

jmclnx a year ago

>As reported by Bloomberg, news of this massive new data breach was revealed as part of a class action lawsuit that was filed at the beginning of this month.

I am so looking forward to getting my 2.99 USD check from this suit. Of course I need to apply for that check via an on-line site and give them all my personal information.

Great time to be alive.

  • hrunt a year ago

    Here's a fun thought experiment.

    How much should National Public Data have to pay the people affected by this breach? The article says there are 2.9 billion people impacted. Let's take that at face value and assume that there are no duplicates in there. How much should each person receive? The article also says that USDoD tried to sell the data for only $3.5 million, so they value it at roughly $830/person.

    Now, in class actions, not everyone takes the deal. Most people ignore it or never pay attention to the notice. Let's say, very generously, 10% of those affected take the deal. That would be 290 million people. If you gave each of them $100, that would be $29 billion dollars. Do you think National Public Data even has that kind of money? What if we gave everyone just your $3? That's $870 million. I don't think this data broker probably even has that much money.

    Your only real hope of getting a sizable payout from this class is either a) NPD is sitting on a mountain of cash or b) a very small percentage of users get paid. Anything else and the money isn't there.

    When people say that there need to be criminal, go-to-jail type repercussions for not securing data, this is why. People value their freedom much more than businesses value staying solvent.

    Planet Money just did a great episode on how class action lawsuits actually work, from both sides[1].

    [1] https://www.npr.org/transcripts/1197961271

    • cs702 a year ago

      > The article also says that USDoD tried to sell the data for only $3.5 million, so they value it at roughly $830/person.

      When I divide 3,500,000 USD by 2,900,000,000 people, I get $0.0012/person. How do you get $830/person?

    • akudha a year ago

      I don’t want their $3 or even $3000, if I am eligible for payout.

      Instead, I’d like to force this company (and others similarly) to put all kinds of precautions in place. Also warn them that the next breach would result in severe penalties, assuming they could’ve prevented the breach in the first place.

      • bastard_op a year ago

        I would rather put these clowns out of business, as they obviously can't be trusted in the first place, and are undeserving of a second chance after causing one of the largest leaks of PII in history. They should not have an option of paying a fine, putting in whatever "mitigating controls" a useless audit lets them skirt by with, and continuing business serving our data they never should have been allowed to possess in the first place.

        Where do these scumbags even begin to get this information on every human's most intimate data, and what allows them to operate as a trusted source of protecting this information?

        I also want to know who does their audits, and who regulates them?

        It is unbelievable organizations can appoint themselves resellers of OUR information without any of us even knowing who they are or how many there are.

        This is an industry the FTC should be involved in regulating heavily. Lina Khan always needs a new degenerate company to kick around, let's start with these guys.

        • akudha a year ago

          There is a big effort from people like Reid Hoffman to get rid of Lina Khan. Hopefully it fails.

          Yeah, I suppose just shutting them down is a better idea. In that case, we also need to make sure they don’t pop up with a different name and do the same thing all over again

    • akira2501 a year ago

      > Do you think National Public Data even has that kind of money?

      If they don't have insurance for this precise problem then I think we should go after the owners personally. I'm sick of the shell game. Pierce the veil.

    • thephyber a year ago

      A fun thought experiment: the company loses the suit, with both actual damages and punitive damages large enough to bankrupt the company. The company is sold for parts and other companies become a little more wary of repeating the same mistakes (hopefully better security around their core business value).

      This suit opens the company to discovery in which several jurisdictions get access to their books and methods, opening them up to litigation and prosecution in places like the EU.

      The $2.99 check is not the only benefit I get from a class-action lawsuit.

    • cozzyd a year ago

      Only 450 million SSNs have been assigned (and only 1 billion are theoretically possible...)

    • jmclnx a year ago

      No, they should sign you up for free Credit Monitoring for 7 years. All I would get is a letter stating something like this: "Your Credit is being monitored by firm xxxx, you will receive notices from them by Mail when items of concern are noticed" along with a real direct line phone number to call with questions.

      I should not have to do anything nor give any information. Why 7 years? That is equal to the Statute of Limitations for saving US Tax Documents.

      That alone will end these breaches almost over night.

      • gunapologist99 a year ago

        (It's a myth that there's an IRS 7 years 'statute of limitations'. It's far more nuanced than that: https://www.irs.gov/businesses/small-businesses-self-employe... )

        However, it's still a reasonable time frame, and also, probably coincidentally, 7 years after the last update on any individual record is how long it will take to essentially reboot your U.S. credit report, so seven years sounds quite reasonable.

        • justinclift a year ago

          The time frame should (of course) match how long the information will remain valid.

          And SSNs are for life aren't they?

          So, it's not like the information is going to expire.

    • saagarjha a year ago

      This is exactly why insurance was invented.

  • vkou a year ago

    You don't get a check, you get a gift card for a credit monitoring service that you will never use because all your data leaks all the time already.

    Motherfuckers asked my wife her SSN when she was getting a store card the other week. Not a credit card, a store card.

    • qup a year ago

      I had a pawn shop try to take my social to buy an air paint sprayer. They said it was a city ordinance.

      I left empty handed, even though I think SSN shouldn't be used as a password.

      • bradknowles a year ago

        Now that would be a violation of federal law. I would inform the store that my wife is a lawyer, and we can have her law firm contact their law firm to discuss why they are in violation of federal law.

        Then I would ask them if they want to reconsider this possibility.

        Now, if you actually want to use this tactic, I would suggest you look up the federal law in question, so that you can quote it by section and paragraph. Maybe keep a printed copy with you.

      • fragmede a year ago

        air paint sprayer seems innocuous, but given the problem of graffiti (no matter where you actually live), they likely weren't lying to you.

        • qup a year ago

          I said something like "really? for a paint sprayer?"

          He said "for anything in the store."

    • bradknowles a year ago

      Technically, they’re still a creditor, and creditors get special privileges when it comes to things like that. So, while I would refuse, it’s probably not a violation of federal law.

    • ImPostingOnHN a year ago

      What is a store card in that case, and how does it differ from credit card (other than, I assume, the place you apply)?

      The store cards I have seen are simply store-branded credit cards.

      • maicro a year ago

        Based on the intonation, I'm guessing it's a "loyalty" card - it tracks your purchases, unlocks some level of default discounts, and will often accrue points you can then use for various purposes. Giant Eagle in the US is a good example - you earn points for every dollar spent, then you can redeem the points for percent off gas at their gas station, a percent off coupon, etc.

        (the above description is very bland - add in anti-capitalist/m messaging wherever you deem appropriate, I won't argue)

      • ghaff a year ago

        Some store chains still have their own credit cards that aren't just co-branded. Far less common these days but I've still occasionally signed up for discounts on large purchases.

      • vkou a year ago

        > What is a store card in that case, and how does it differ from credit card (other than, I assume, the place you apply)?

        It's not a credit card, debit card, or any other kind of payment card. It's not even, like, a COSTCO membership card.

        It's a tracking card that is used by the store to track your purchases in exchange for a small discount on some items if you swipe it at checkout.

    • cs702 a year ago

      Actually, you get one free year of credit monitoring.

      After the first year, you'll be asked to pay for monitoring.

      • hansvm a year ago

        Actually, you'll need to input your credit card or other payment details for the one year, and after the first year they'll automatically remove money from it. Cancellation is not possible.

        • bradknowles a year ago

          That’s why I sign up with virtual credit cards from privacy.com.

          If I don’t like the service, then I can cancel the card. And I can limit them to how much money can be taken out per transaction, or per month, or per year, or total. Or the card could be a one-time only card. And it will be merchant locked, so if anyone else tries to charge that card, they get refused.

      • vkou a year ago

        Given how many data breaches I've been in, I'm pretty sure I have more unclaimed years of free credit monitoring than there are grains of sand on a beach.

kevindamm a year ago

At what point can we start demanding that SSNs be redefined? I've lost track of how many data breaches I've unwittingly been the victim of, and I'm usually more careful and paranoid than most.

  • ryandrake a year ago

    We "just" need to stop pretending they are secret like passwords and using them to authenticate that someone is who they say they are. Banks should not be issuing loans based on a bunch of personal information (including SSN) that they collected and concluded "Yup, that data matches itself--therefore you are actually you!"

    • Zancarius a year ago

      The whole system is broken in hilarious ways.

      Unrelated but similar: I live in a rural area, so we don't get street delivery of mail. Instead, we need to apply for a PO Box. Every year, to verify that only residents are using the PO Boxes, the Post Office sends out a renewal form, and you have to show up with a current bill and your driver's license. The latter makes sense—the State, presumably, goes through the validation of your address, and you sign their forms under penalty of perjury, etc.—but the former is hilarious.

      So, to receive the very bill used to authenticate "current residency," the bill has to go through the Post Office (remember what I said about no street delivery? anything that's mailed to our street address goes... to our PO Box!), and then we show it to them to validate that we are receiving email to that address—which cannot be independently validated outside the driver's license.

      The PO Box we're renewing is therefore used to validate itself. And the fun part is that if you delay in returning the form, they'll block off your box.

    • atrettel a year ago

      I have been arguing for a while that we need to implement some sort of public-key cryptography system for identity verification. It's the obvious solution, though admittedly implementing it will take a lot of effort. But it would at least eliminate a lot of issues with how SSNs are used in practice right now.

    • tamimio a year ago

      They (the government and banks) still use the phone number to authenticate you. I would not be surprised if they consider using SSNs to issue loans, etc.

    • akira2501 a year ago

      Is there some reason my bank needs this information in the first place? I want them to verify that I am the owner of the account, I do NOT need them to verify my precise federal identity.

      • acdha a year ago

        They are legally required to know your identity and, I believe, report interest to the IRS. If they don’t check your government ID, they’ll be popular with organized crime.

        Now, I’m sure banks also love that for data mining purposes but it’s not entirely without a valid reason.

        • akira2501 a year ago

          This is so the IRS can keep track of the $15.40 of interest I earned on savings?

          What mechanism causes KYC/ID checks to make banks unusable to organized crime? What purpose was organized crime using banks for? Is the government unable to get search warrants for bank accounts?

          These are probably not what most people would consider valid reasons. The problems created outweigh the value of the solution.

          • zamadatix a year ago

            They're less interested in things like verifying your couple dollars of interest and more interested in things like money laundering and identifying assets to seize. Particularly, setting money limits leads to what is known as "smurfing" to try to hide the activity. Not that I'm saying you must therefore consider these reasons good enough, but throwing out strawmen like a couple dollars of interest is not highlighting what you'd like it to.

    • j-bos a year ago

      And we already have well regulated tools for getting away from the ssn nonsense. They're called notaries.

  • criddell a year ago

    I'd love to see the government force companies to stop treating them like an ID number that's secret.

    Maybe they should allow people to request a new number any time they wish and even hold multiple SSNs. Or create a virtual number system like some credit cards have where you would give every company that asks for a SSN a unique number that only they have. It would be cool to be able to tell exactly who had the data breach when your number shows up in a dump.

  • acdha a year ago

    SSNs have always been clear that they’re identifiers, not authenticators - it’s printed on the card! The problem is the businesses who tried to skimp by treating them as secrets, and they invented the mainstream concept of identity theft to make it sound like their negligence should be your problem.

    The fix should be simple: stop taking companies seriously when they only used an SSN for authentication. Ideally there’d be a law adding penalties: try to bill someone for a loan authenticated only by common metadata and they have to pay the target a penalty fine, allow insurers to deny claims, etc. As soon as it costs them money, they’d suddenly find the money to check ID like everyone else.

  • ajdude a year ago

    There's a really good video by CGP Grey that touched on this:

    https://youtube.com/watch?v=Erp8IAUouus

  • miki123211 a year ago

    I'm more and more convinced that the only way to do this is the "Swedish way", make all SSNs public and/or available on request.

    Until that happens, companies will still pretend they're private information.
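The per-company "virtual SSN" that criddell proposes above can be built from a single keyed hash. The following is an added example (my illustration, not code from the thread, from National Public Data, or from any existing government scheme): a hypothetical central issuer holding one master secret derives a separate token for each relying party, so a token that turns up in a breach dump can be traced back to the party it was issued to, is useless at every other party, and is retired by bumping a version number. The issuer class, the party names, the master key and the placeholder SSN are all constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Iterable, Optional


class PerPartyTokenIssuer:
    """Hypothetical central issuer (think: the agency that already owns the SSN
    namespace) holding one master secret. Each relying party that asks for an
    "SSN" instead receives a token derived from (party, subject, version), so:
      * the token identifies the subject only to the issuer,
      * a leaked token names the party it was issued to,
      * a compromised token is retired by bumping the version.
    Names and scheme are illustrative; this is not an existing system."""

    TOKEN_BYTES = 12  # 96-bit tokens: far larger than the 10**9 space of real SSNs

    def __init__(self, master_key: bytes):
        if len(master_key) < 32:
            raise ValueError("master key must be at least 256 bits")
        self._key = master_key

    def issue(self, ssn: str, relying_party: str, version: int = 1) -> str:
        # Domain-separated HMAC: party and version are bound into the input, so the
        # same SSN yields unrelated tokens for different parties/versions, and a
        # token cannot be reversed to the SSN without the master key.
        msg = b"\x00".join([
            b"per-party-token-v1",
            relying_party.encode(),
            str(version).encode(),
            ssn.encode(),
        ])
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return mac[: self.TOKEN_BYTES].hex()

    def verify(self, token: str, ssn: str, relying_party: str, version: int = 1) -> bool:
        # What a creditor would ask the issuer instead of "does the SSN match itself":
        # is this token the one issued to *this* party? A token stolen from party A
        # fails verification at party B.
        expected = self.issue(ssn, relying_party, version)
        return hmac.compare_digest(expected, token)

    def attribute_leak(self, leaked_token: str, ssn: str,
                       parties: Iterable[str], max_version: int = 5) -> Optional[tuple]:
        # Given a token found in a dump, recompute over the known parties/versions
        # to find who it was issued to. Returns (party, version) or None.
        for party in parties:
            for v in range(1, max_version + 1):
                if hmac.compare_digest(self.issue(ssn, party, v), leaked_token):
                    return (party, v)
        return None


# --- constructed demo data (not real identifiers) ---
DEMO_KEY = hashlib.sha256(b"constructed master secret for this example").digest()
DEMO_SSN = "123-45-6789"          # placeholder, not a valid assigned number
DEMO_PARTIES = ["acme-bank", "data-broker-inc", "gas-utility"]


def demo() -> dict:
    issuer = PerPartyTokenIssuer(DEMO_KEY)
    tokens = {p: issuer.issue(DEMO_SSN, p) for p in DEMO_PARTIES}
    leaked = tokens["data-broker-inc"]             # this one shows up in a breach dump
    culprit = issuer.attribute_leak(leaked, DEMO_SSN, DEMO_PARTIES)
    # Retire the leaked token: the broker now gets version 2; the old value is dead.
    replacement = issuer.issue(DEMO_SSN, "data-broker-inc", version=2)
    return {
        "distinct_tokens": len(set(tokens.values())) == len(DEMO_PARTIES),
        "accepted_at_issuing_party": issuer.verify(leaked, DEMO_SSN, "data-broker-inc"),
        "rejected_at_other_party": not issuer.verify(leaked, DEMO_SSN, "acme-bank"),
        "culprit": culprit,
        "old_token_dead": not issuer.verify(leaked, DEMO_SSN, "data-broker-inc", version=2),
        "replacement_differs": replacement != leaked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the token is an authenticator only in the narrow sense of "issued to this party", which is all a relying party needs; the SSN itself never leaves the issuer, and attribution needs no stored mapping because the derivation is deterministic. A real deployment would also need a revocation record so a retired version is refused even by the party it was issued to, which the version parameter alone does not give you.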

0cf8612b2e1e a year ago

When can we move away from SSNs being a pseudo secret? They have obviously been leaked everywhere at this point.

Relatedly, is there an up to date guide on how I am supposed to freeze my credit? Last I looked, it required handing over all of my PII, which I found super distasteful, but I should accept none of it is secret and do the minimum to protect myself from ~financial institutions falling for fraud~ identity theft.

  • earthboundkid a year ago

    You freeze your credit by making an account on TransUnion, Experian, and Equifax's websites. It sucks, and they suck, but it's free. Unless you take out loans quite frequently, there's no reason not to do it. My credit has been frozen for years, and I only ever unfreeze it for a month or two at a time when I need to refinance a mortgage or something like that.

    • stvltvs a year ago

      This is good as far as it goes, but what about all those times customer support for companies unrelated to your credit asks you for the last four of your SSN (birthdate, address, etc.) to confirm your identity?

      • earthboundkid a year ago

        If they aren't doing a credit pull, it's fine. If they are, you unfreeze for the month, but credit pulls hurt your credit. You shouldn't just do them randomly.

      • c0wb0yc0d3r a year ago

        I just write that stuff in my password manager.

mbStavola a year ago

It's amazing to me how just getting your name and SSN leaked opens you up to much risk. It's equally amazing how this is a decades-long problem that hasn't been addressed.

I have to wonder what systems other countries use for identifying citizens and how secure they are compared to SSNs.

  • bluecalm a year ago

    In Poland you have a national ID card you carry with you; if you don't have it with you, you won't get anything done anywhere. If you lose it/it gets stolen you have an obligation to report it. We have something like an SSN number (personal id number) assigned at birth, but it's not enough to get a loan or anything.

  • buzer a year ago

    In Finland banks are the ones who usually handle the strong authentication (not necessarily just the initial one). They are required by law to know the customer. In-person authentication in the branch is required to be done via either ID card or passport; those can be requested from police and expire after 5 years. Driver's license is not an official ID card. Logging into your bank account requires 2FA (I'm not sure if any bank sends codes via text messages, at least it's not very common).

    It can also be done with ID card (which is a smartcard) or mobile certificate (https://mobiilivarmenne.fi/en/) if the service supports it.

  • BrandoElFollito a year ago

    Usually an identity card. In the EU this is an authentication means, but in order to be liable you must be present with the card at transaction time (i.e. a scan is not enough).

    Then you have solutions of increasing robustness such as certificates for e-signature.

    The national "id" (if there is one) is just to make it easier to find you. Poland has one, France does not have any for instance.

  • acdha a year ago

    The problem isn’t the SSN but corporate responsibility shirking: they don’t want to check ID because that costs more, they want things like instant credit applications to allow impulse purchases, etc.

    This seems to slowly be improving because so many people have been breached by now that they don’t enjoy the assumption of security. In the 90s, if they took you to court saying you weren’t paying a loan it’d be assumed that a crook wouldn’t have known your SSN but now it’s at least a lot more likely that nobody will believe that without additional proof.

Larrikin a year ago

Just one number away from being able to cancel the voter registration of anyone you want in Georgia.

https://www.usatoday.com/story/news/politics/elections/2024/...

https://cancelmyregistration.sos.ga.gov/s/

rgovostes a year ago

Original Bloomberg article: https://news.bloomberglaw.com/privacy-and-data-security/back... (https://archive.is/jIfW8)

Lendal a year ago

Are there 2.9B SSNs?

  • plorg a year ago

    They are claiming this is from a data aggregator called National Public Data, so it probably originated in many other places and contains a variety of different information depending on the source. So it includes SSNs for some people, but not every record is necessarily connected to a SSN.

  • Iulioh a year ago

    "data including SSNs"

    But 2.9B is a number so high that the only way it can be true is that they got some Facebook data or the method they used for scraping data led to A LOT of duplicates

  • kevindamm a year ago

    I was wondering this, too. A nine-digit number can only represent 1 billion unique values. Even if you consider Employer Identification Numbers too that wouldn't add up. Probably they mean ID #s from other tax-ID systems in non-US countries, or some equivalent identifier. Maybe pooled with driver's ID numbers? I only have guesses.

  • WithinReason a year ago

    The plural used implies that at least 2 people had their full name and SSNs exposed. The horror!

A4ET8a8uTh0 a year ago

I am not sure how to approach it anymore. Frankly, since equifax breach and settlement I mostly gave up on hoping for any real change[1]. Whatever the catalyst will be for a shake up, it clearly won't be another -- sufficiently big -- breach. I was too optimistic about that.

It will need to be something public, scandalous and, ideally, affecting someone powerful enough to effect change and privacy-conscious enough to be pissed off enough to want to do anything about it.

edit:[1]https://www.reuters.com/legal/government/illinois-governor-a...

edit2: By scandalous I mean something that average person cares about. Based on initial reaction to this particular breach, I do not think it meets the criteria.

  • miki123211 a year ago

    Ashley Madison happened just under 10 years ago, that's as scandalous as it gets, and nobody cared either.

  • gorbachev a year ago

    I'm with you on this.

    At this point the only thing I think that could happen to change the status quo is a full blown war against a country that's going to use hacked data against the United States in such a disruptive way that the legislators would have to react due to national security concerns.

    • miki123211 a year ago

      I think the opposite is a lot more likely.

      When it comes to it, the US gov has incredible leverage with the data they have access to. If they forced all the major tech companies to release everything they have on the most powerful politicians of some country, including email contents, text messages, full search and location history and so on, they could cause quite a scandal.

      You can probably overthrow quite a few governments with a judicious use of that power alone.

torlok a year ago

Was this US only? I'm from EU, and since yesterday I received 2 threat e-mails in broken English with part of my phone number linked. Never had anything like that happen before.

  • diggan a year ago

    My oldest email has been exposed in 37 data breaches (so far) according to haveibeenpwned.com, not receiving more spam and/or threats than usual today or yesterday.

aragonite a year ago

"National Public Data" sounds like the name of a nonprofit with a nationwide presence, like NPR or PBS, but it's just the trade name for "Jerico Pictures," a small Florida company with (judging from Crunchbase) 1-10 employees. Shouldn't there be regulations for names like this, similar to how the National Bank Act controls the use of "National" in names of financial institutions?

  • valiant55 a year ago

    Names like this are so exhausting. See "Patriot Act" and "Americans for Prosperity Action".

throw10920 a year ago

I think that there is potential bipartisan support (among voters, not representatives...) for federal privacy laws that institute heavy fines for leaking personal data based on median household income, as well as requiring chain of custody to be tracked for all personal data. Unfortunately, I don't think our representatives are very interested in implementing this for us.

sys_64738 a year ago

It wasn’t a data breach so much as the owner of this business allowing data fraud and identity theft to occur. The company is guilty of allowing this data theft through their business malpractices. They’re also guilty for having this data wholly in the first place. Punitive damages to bankrupt these companies are needed so that all industries get the message.

1vuio0pswjnm7 a year ago

Here is the complaint:

https://ia800801.us.archive.org/26/items/gov.uscourts.flsd.6...

ryandvm a year ago

Good. The sooner systems design people stop thinking that SSNs are UUIDs the better.

SubiculumCode a year ago

How much has to happen before we pass legislation forbidding SSN as ID?

adrr a year ago

Anyone know if we could have requested our data deleted from National Public Data per CCPA? If so, what other huge databrokers have the same data that we can request deletion?

  • hansvm a year ago

    You can request it from any of them. Almost all of them will deny the request because the CCPA is rarely prosecuted and because you can't bring any private lawsuits based on the CCPA. Even "real" corporations like Atlassian operate that way.

wesleyd a year ago

Something you have, something you know, something you are: SSN!

markus_zhang a year ago

My point is, OK I know my information has been sold left and right, plus leaked. But I want my $4.99 every time it gets sold! I need a piece of the action.

mikequinlan a year ago

There are only 450 million social security numbers (so far). How can 2.9 billion of them have been exposed?

ein0p a year ago

Maybe we should stop using SSNs for things they were never intended for. Crazy talk, I know.

lostmsu a year ago

> HSA provider HealthEquity

bn-l a year ago

It’s really hard to read LLM generated articles.

blackeyeblitzar a year ago

Let me guess they will offer some credit monitoring and move on because we do not have any real consequences for breaches of privacy or security.