Was every American’s social security number leaked? Don’t panic yet
Global News
A hacker claimed to have the personal information of 'the entire population of' the U.S., Canada and the U.K. — but experts are dubious.
A viral but unsubstantiated claim that nearly every American had their social security number (SSN) leaked in a massive data breach spread like wildfire this week, stemming from the alleged hack of a background check company called National Public Data. While people should understandably be concerned about identity theft, the scope of the danger may not be as bad as it seems, experts say.
The leaked information was originally put up for sale for US$3.5 million on the dark web in April. It was posted by a threat actor called “USDoD,” who claimed to have the personal information of “the entire population of” the U.S., Canada and the U.K.
The trove allegedly has 2.9 billion rows of data including full names, home addresses, phone numbers and SSNs — though this doesn’t necessarily mean it contains the information of 2.9 billion people. Moreover, Canadians don’t have SSNs; our equivalent would be social insurance numbers. People in the U.K. have national insurance numbers.
At the time, news of the data breach was only picked up by outlets reporting on the dark web and cybersecurity. That all changed when a man from California filed a class-action lawsuit against National Public Data on Aug. 1 and a threat actor known as “Fenice” posted the entire stolen database online for free on Aug. 6.
On Tuesday, National Public Data acknowledged the breach and said “potential leaks of certain data” occurred in April 2024 and summer 2024. The company says it is co-operating with law enforcement and government investigators. National Public Data is a data aggregator that compiles personal information for background checks and marketing services.
With the alleged stolen data now freely available, more and more cybersecurity experts have analyzed it and are raising questions about its legitimacy. While some of the information in the trove appears to be correct, there also appears to be a lot of duplicated, incomplete and incorrect data. Some experts wonder if the data includes any new personal information at all, suggesting that it could have been compiled from publicly available sources or previous data breaches.
James E. Lee, the chief operating officer of the Identity Theft Resource Center, told Global News he doesn’t believe any of the data is new because National Public Data itself scrapes publicly available information from the internet and doesn’t collect data directly from people. Because of this, a lot of the information may be old or inaccurate, he added.
When asked if people should be concerned about identity fraud because of the hack, Lee said: “The reality is, the risk level did not go up because of this. The risk level has been high to begin with.”