this post was submitted on 15 Aug 2024
259 points (98.9% liked)

Privacy

31872 readers
351 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

You may have heard about a lawsuit filed regarding a data breach concerning social security numbers. I encourage you to read at least the first few pages of the linked class action complaint to see how massive a violation of privacy this is.

The data breach concerns National Public Data, a company which offers background checks. They collect personally identifiable information (PII) as a part of their business. The defendant claims that NPD scraped PII from non-public sources (¶11). NPD then stored the data in an insecure manner and did not adequately protect this personal information (¶25). Consequently, a hacking group by the name of "USDoD" stole records of 2.9 billion individuals from NPD. According to the document, the data was independently reviewed by VX-underground, the cybersecurity company. They confirmed the breach included full names, address and address history, and social security numbers. They were also able to identify familial connections, both living and deceased (¶ 22-24).

Based on this class action complaint, NPD's conduct was grossly negligent, leading to potential identity theft for almost anyone in the United States. It was also a massive privacy violation by scraping data from non-public sources. Even after they took millions of Americans personal information, they failed to secure the data from hackers.

Criminals can ruin your life if they target you with this information. They can open lines of credit without you knowing. You might only find out until creditors call you, demanding that you pay them back (¶60).

So, yeah. I am very concerned. I'll have to figure out how to defend against this identity theft. Overall, I'm new to the privacy community, but I'm feeling like "privacy" in the United States is an absolute mess. If your data wasn't somewhere on the dark web, it might be now. Protect your data. Stay safe.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 10 points 2 months ago

This shouldn't be our responsibility to "fix".

[–] [email protected] 36 points 2 months ago* (last edited 2 months ago) (2 children)

What is the data used to freeze your credit? Why couldn't a bad actor with your SSN unfreeze it?

Edit: I just froze with the big 3 credit agencies. It took name, address, phone number, email, SSN, birthday.

So all the stuff that leaks. Why do people think this provides security if a bad actor has the same data to unfreeze?

[–] [email protected] 8 points 2 months ago

The credit monitoring companies have your up-to-date contact information (and verified) when you put the freeze in place. Now, should a third party try to open an account, etc. in your name it should be blocked from happening and the credit monitoring company should contact you.

If a scammer tries to unfreeze or otherwise modify your account with them they should also contact you.

If/when they contact you or you request your account be unfrozen then they’ll use old credit history to confirm your identity. These are a series of three or four random questions that a scammer is unlikely to know. For example they might ask you what kind of car you purchased in 2005, then give you 4 options, like Ford, Honda, Jaguar, or BMW, and then also a “nine of the above” option. Then they might ask you which of the following street addresses you used to live at, and list 4 seemingly random addresses, one of which you might have lived at.

[–] [email protected] 1 points 2 months ago

God damn it. F U C K!

[–] [email protected] 25 points 2 months ago

I like how the only way to protect yourself is to freeze your credit but also the private websites to freeze your credit that also leak your data like a drippy faucet won't let you create an account to freeze your credit.

[–] [email protected] 2 points 2 months ago (2 children)

Was it actually a full 2.9 billion?

[–] [email protected] 3 points 2 months ago (3 children)

There aren't even 2.9billion people in the US.

[–] [email protected] 3 points 2 months ago

There is duplicate data and address history in the dump.

# of records ≠ # of people.

[–] [email protected] 3 points 2 months ago

maybe there was a mixup of individual datapoints and individual persons.

lets see if that could fit.

as far as i read things in this thread, the whole security is based on exactly these datapoints: Full Name, Date of Birth and SSN (three datapoints) plus username and password for 3 sites (six datapoints) makes 3+6= 9 datapoints per person.

2.9 billion (us) should be 2.900.000.000 (correct me if i'm wrong, but where i live one "billion" is actually "1.000.000.000.000" thus a "bit" more)

divided by 9 those 2.9billion would be ~ 320 million.

on wikipedia they say the us had 331 million people in 2020...

that would fit like an ass on a bucket! lol just to mention that.

have a nice day!

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (1 children)

I know

That's why this seems megafishy. It would've had to be a international breach plus maybe some dead people

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago)

It has tons of dead people, duplicates, invalid entries, foreign residents, etc., basically anyone or anything that ever needed a SSN.

load more comments
view more: next ›