A class action lawsuit has sparked a viral but unsubstantiated claim that the Social Security numbers of all U.S. citizens were leaked as part of a data breach this year.
But preliminary expert analysis of the leak suggests it may include partial and incorrect data, alongside some legitimate information, leaving the scale of the leak and the authenticity of the claim unclear.
Security analysts who spoke with NBC News also said that while it is still concerning, the leak of Social Security numbers isn’t a reason for panic — many people’s numbers have already been leaked in previous hacks.
The alleged breach was first reported in April after a hacker who goes by USDoD announced on a web forum having accessed a database that included information for every person in the U.S., the United Kingdom and Canada. The news of the claim was published in several cybersecurity publications but didn’t travel widely at the time.
After a class action lawsuit was filed Aug. 1, the claim that a vast trove of Social Security numbers may have been exposed in the breach has taken off, being echoed across mainstream and social media.
The lawsuit was filed against a data broker called National Public Data, part of a shadowy collection of businesses that quietly collect, buy, trade and sell people’s personal information, usually without their knowledge. The information is often sold to marketers or used to help conduct background checks.
The lawsuit accuses the company of acquiring defendants’ personal information without their knowledge and permission — a common practice of data brokers —and failing to keep it safe from hackers. National Public Data didn’t respond to a request for comment.
It hasn’t been confirmed that the Social Security number of every American was leaked. The lawsuit says the plaintiff got an alert in July from an identity theft protection company saying his Social Security number had been leaked as a result of a breach of National Public Data.
NBC News hasn’t viewed the leaked data, and the hacker’s original post offering it for sale appears to have been deleted. However, it’s common for criminal hackers to exaggerate or even outright fabricate their exploits, especially if they’re trying to sell something.
Researchers who previously downloaded the data are skeptical. The news site TechCrunch downloaded and examined some of the leak in June and found that while some of it appeared legitimate, much of it was also incorrect, that it was missing people and data fields, and that some information about people was incorrect.
Troy Hunt, a Microsoft regional director for Australia and the operator of Have I Been Pwned, a massive public database that lets people check to see whether their identities have been compromised in various breaches, also obtained a large sample of the data. In a blog post Wednesday, he detailed a jumbled mess, some of it seemingly inaccurate and a substantial amount of it missing. It did include his email address, but it was paired with the wrong name, and it assigned two birthdays that were far from his real one. Such inaccuracies about people make correct information more difficult to leverage and use for nefarious purposes.
Despite the uncertain scope and state of the leaked data, the news of the lawsuit has caused intense interest in the Social Security number claim.
Experts caution that the news should be met with a dose of reality.
“We’ve all probably been part of a breach and received a notification,” said Amy Nofziger, the director of victim support at AARP, an organization that advocates for seniors. “My first piece of advice is don’t panic, because most likely your information was already out there.”
Nofziger said Americans should assume their information is already in the hands of bad actors, given that data breaches are so common, and begin implementing good habits that could help catch any criminal activity quickly.
People who are nervous that they may be victims of identity theft can quickly find out by checking their credit reports. There are three credit bureaus for Americans: Equifax, Experian and TransUnion.
“If it’s clean and you recognize everything on there, put a fraud alert on, which is always my first recommendation, because it’s quicker, it’s simpler, it’s easier,” Nofziger said.
According to Equifax, a fraud alert is “a notice on your credit report that alerts creditors you are or may be a victim of fraud, including identity theft. A fraud alert can make it harder for someone to open unauthorized accounts in your name. It encourages or requires lenders and creditors to take extra steps to verify your identity, such as contacting you by phone, before opening a new credit account in your name or making changes to existing accounts.”
Calling any of those three for a free fraud alert is easy, and any will share the alert with the two others, Nofziger said.
A second, more secure step takes slightly more time: calling each of the three bureaus individually and freezing your credit with each. It’s generally safer to have credit frozen by default and then “thaw” it only temporarily when you take out a new loan, she said, though that’s not everyone’s first choice.
“Not everyone wants to put a freeze on, because some people are accessing their credit and opening up new credit a lot, and they don’t like the hassle of it,” Nofziger said. “To me, it’s worth it to make sure that your credit report is safe.”
A third step is to make sure every financial account has the strongest account security available to customers. That means making sure every account has a password that is both unique and long and that the account has two-factor authentication enabled.
Kevin Collier
Kevin Collier is a reporter covering cybersecurity, privacy and technology policy for NBC News.
