Ever since the massive National Public Data (NPD) breach was disclosed a few weeks ago, news sources have reported an increased interest in online credit bureaus, and there has been an apparent upswing in onboarding of new subscribers.
Related: Class-action lawsuits pile up in wake of NPD hack
So what’s the connection? NPD reported the exposure of over 2.7 billion records. The breach was initially caused by a third-party malicious actor who infiltrated NPD’s systems in December 2023.
The data began leaking in April 2024, and by summer, it was being sold on the dark web for $3.5 million. The stolen information included full names, Social Security numbers, mailing addresses, phone numbers, and email addresses of millions of U.S., Canadian, and British citizens.
While NPD claimed that around 1.3 million individuals were directly affected, analysts like Troy Hunt found evidence of much wider exposure, including 134 million unique email addresses and even criminal record data. Investigations are ongoing, and several class-action lawsuits have been filed, alleging that the company failed to implement sufficient security measures.
There is little doubt that high-profile breaches like this will persist. This drives public awareness of the risks associated with identity theft. As a result, many people rush to protect themselves by subscribing to services that offer credit monitoring, identity theft protection, and fraud alerts. Online credit bureaus, like Equifax, Experian, and TransUnion, often see an uptick in new users after breaches because consumers realize the potential risks to their financial well-being and identity.
The growing threat of cybercrime, including ransomware attacks and large-scale data leaks, is also pushing individuals to take more control of their personal data. Credit monitoring services provide ongoing tracking of credit reports for suspicious activity, and some even offer insurance for identity theft-related losses. As breaches become more frequent, credit protection services become a more attractive option for those seeking peace of mind and financial security.
What’s more, some credit bureaus have started offering more comprehensive packages that include dark web monitoring, fraud detection, and restoration services, which are enticing consumers to subscribe to these services at a higher rate.
Devaluing SSNs
This breach had such wide implications, it caused millions of consumers and thousands of organizations to look more closely at how to protect themselves, their identities and sensitive data. The sad reality is we have been de-sensitized by these constant breaches.
NPD certainly could have done many things better but there is one thing that is on us. Perhaps the time has come to get rid of using our social security numbers. It is the simplest and least expensive solution that will have a highly positive impact on overall security. Today, we use the same SSN across dental clinics, car dealerships, and mortgage applications. It is no stretch to predict that it’s guaranteed to get compromised eventually.
Rather, we should treat SSN as just another piece of personally identifiable information (PII) like an email address – confidential information but not a sensitive one that unlocks your bank accounts. Governments can create a digital identity at birth to replace SSN in its current use. That identity is tied to specific vendors. As an example, you have two tokens – one for NPD and another for your bank, and after such a breach, the NPD token would be revoked so NPD cannot use your data, but everything will work fine at the bank.
The NPD breach serves as a stark reminder of the critical importance of data security in today’s digital world, particularly in regulated industries such as financial services and healthcare. As more personal data is collected, stored, and shared online, providers and their organizations must take proactive steps to safeguard this information from cyberattacks.
Trust principles
Given the complex cybersecurity environment, with data breaches unfortunately happening at a record pace, organizations need to continue to build and establish trust with everyone from individuals to partners, employees and those in the supply chain. All organizations with access to personally identifiable information (PII) should adhere to essential identity trust principles that include:
•Advanced and strict fraud prevention: Doing so will help prevent threat actors from not only creating fake accounts to impersonate legitimate users but make it much more difficult for them to gain access in the first place.
•Attach and hold to compliance frameworks: Compliance frameworks are designated to protect stakeholders against misuse of any kind – data included. Most industries have strict regulations in place, and in many cases, organizations will be subject to fines if adherence to regulations are violated.
•Trust: Users must know that their data is safe with the entities interacted with – this provides confidence to share information in the first place.
Many affected individuals were unaware of the breach or even the fact that NPD had collected their data in the first place. NPD’s practice of scraping data elements from non-public sources without consent raises serious ethical and legal concerns. This brings up the issue about how our governmental and private institutions handle PII. Even when strict compliance frameworks achieve their goals, they are not enough to put the necessary restrictions on the usage of this type of data. Again, should SSN be the key identity point?
When there is a breach of this magnitude that involves SSNs, there is a scramble for individuals to protect themselves through efforts such as:
•Freezing consumer credit reports: Contacting the major credit bureaus (Equifax, Experian, and TransUnion) to prevent new credit accounts from being opened without consent.
•Accessing free weekly credit reports: Gaining access to free weekly credit reports to monitor any suspicious activity.
In the case of NPD, the hackers targeted a data broker whose role is to aggregate information from many data sources. Initial reports indicated the company’s apparent security missteps increased the impact.
This begs the question, did NPD have too much data? Did they understand the data they had, and why was it not properly protected?
If an organization falls victim to a data breach, they would be in a better position to respond if they have less sensitive data and better-quality data – and without SSN as the key identifier. As it was, in the case of NPD the leaks came in spurts, with several types of data – much of it was erroneous. This may go against a data broker’s interests, but the first lesson is to ensure they reduce the amount of PII and remove redundant, obsolete, and trivial data (ROT). It would be safer and more effective to handle the minimal amount of data they are allowed to possess.
About the essayist: Ambuj Kumar is Co-founder and CEO of Simbian, AI Agents for cybersecurity
September 24th, 2024 | Guest Blog Post | Top Stories