>As reported by Bloomberg, news of this massive new data breach was revealed as part of a class action lawsuit that was filed at the beginning of this month.
I am so looking forward to getting my 2.99 USD check from this suit. Of course I need to apply for that check via an on-line site and give them all my personal information.
Great time to be alive.
Here's a fun thought experiment.
How much should National Public Data have to pay the people affected by this breach? The article says there are 2.9 billion people impacted. Let's take that at face value and assume that there are no duplicates in there. How much should each person receive? The article also says that USDoD tried to sell the data for only $3.5 million, so they value it at roughly $830/person.
Now, in class actions, not everyone takes the deal. Most people ignore it or never pay attention to the notice. Let's say, very generously, 10% of those affected take the deal. That would be 290 million people. If you gave each of them $100, that would be $29 billion dollars. Do you think National Public Data even has that kind of money? What if we gave everyone just your $3? That's $870 million. I don't think this data broker probably even has that much money.
Your only real hope of getting a sizable payout from this class is either a) NPD is sitting on a mountain of cash or b) a very small percentage of users get paid. Anything else and the money isn't there.
When people say that there need to be criminal, go-to-jail type repercussions for not securing data, this is why. People value their freedom much more than businesses value staying solvent.
Planet Money just did a great episode on how class action lawsuits actually work, from both sides[1].
[1] https://www.npr.org/transcripts/1197961271
> The article also says that USDoD tried to sell the data for only $3.5 million, so they value it at roughly $830/person.
When I divide 3,500,000 USD by 2,900,000,000 people, I get $0.0012/person. How do you get $830/person?
I don’t want their $3 or even $3000, if I am eligible for payout.
Instead, I’d like to force this company (and others similarly) to put all kinds of precautions in place. Also warn them that the next breach would result in severe penalties, assuming they could’ve prevented the breach in the first place.
> Do you think National Public Data even has that kind of money?
If they don't have insurance for this precise problem then I think we should go after the owners personally. I'm sick of the shell game. Pierce the veil.
A fun thought experiment: the company loses the suit, with both actual damages and punitive damages large enough to bankrupt the company. The company is sold for parts and other companies become a little more wary of repeating the same mistakes (hopefully better security around their core business value).
This suit opens the company to discovery in which several jurisdictions get access to their books and methods, opening them up to litigation and prosecution in places like the EU.
The $2.99 check is not the only benefit I get from a class-action lawsuit.
Only 450 million SSNs have been assigned (and only 1 billion are theoretically possible...)
No, they should sign you up for free Credit Monitoring for 7 years. All I would get is a letter stating something like this: "Your Credit is being monitored by firm xxxx, you will receive notices from them by Mail when items of concern are noticed" along with a real direct line phone number to call with questions.
I should not have to do anything nor give any information. Why 7 years? That is equal to the Statute of Limitations for saving US Tax Documents.
That alone will end these breaches almost overnight.
This is exactly why insurance was invented.
You don't get a check, you get a gift card for a credit monitoring service that you will never use because all your data leaks all the time already.
Motherfuckers asked my wife her SSN when she was getting a store card the other week. Not a credit card, a store card.
I had a pawn shop try to take my social to buy an air paint sprayer. They said it was a city ordinance.
I left empty handed, even though I think SSN shouldn't be used as a password.
Technically, they’re still a creditor, and creditors get special privileges when it comes to things like that. So, while I would refuse, it’s probably not a violation of federal law.
What is a store card in that case, and how does it differ from credit card (other than, I assume, the place you apply)?
The store cards I have seen are simply store-branded credit cards.
Actually, you get one free year of credit monitoring.
After the first year, you'll be asked to pay for monitoring.
At what point can we start demanding that SSNs be redefined? I've lost track of how many data breaches I've unwittingly been the victim of, and I'm usually more careful and paranoid than most.
We "just" need to stop pretending they are secret like passwords and using them to authenticate that someone is who they say they are. Banks should not be issuing loans based on a bunch of personal information (including SSN) that they collected and concluded "Yup, that data matches itself--therefore you are actually you!"
The whole system is broken in hilarious ways.
Unrelated but similar: I live in a rural area, so we don't get street delivery of mail. Instead, we need to apply for a PO Box. Every year, to verify that only residents are using the PO Boxes, the Post Office sends out a renewal form, and you have to show up with a current bill and your driver's license. The latter makes sense—the State, presumably, goes through the validation of your address, and you sign their forms under penalty of perjury, etc.; the former is hilarious.
So, to receive the very bill used to authenticate "current residency," the bill has to go through the Post Office (remember what I said about no street delivery? anything that's mailed to our street address goes... to our PO Box!), and then we show it to them to validate that we are receiving mail at that address—which cannot be independently validated outside the driver's license.
The PO Box we're renewing is therefore used to validate itself. And the fun part is that if you delay in returning the form, they'll block off your box.
I have been arguing for a while that we need to implement some sort of public-key cryptography system for identity verification. It's the obvious solution, though admittedly implementing it will take a lot of effort. But it would at least eliminate a lot of issues with how SSNs are used in practice right now.
They (the government and banks) still use the phone number to authenticate you. I would not be surprised if they consider using SSNs to issue loans, etc.
Is there some reason my bank needs this information in the first place? I want them to verify that I am the owner of the account, I do NOT need them to verify my precise federal identity.
And we already have well regulated tools for getting away from the ssn nonsense. They're called notaries.
I'd love to see the government force companies to stop treating them like an ID number that's secret.
Maybe they should allow people to request a new number any time they wish and even hold multiple SSNs. Or create a virtual number system like some credit cards have where you would give every company that asks for an SSN a unique number that only they have. It would be cool to be able to tell exactly who had the data breach when your number shows up in a dump.
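The per-company "virtual number" idea above, worked through as an added illustration (not part of the thread and not any real SSA or issuer scheme; all names and data are constructed): a hypothetical issuer derives a distinct nine-digit token for each (person, company) pair with a keyed HMAC, keeps the mapping, can tell from a leaked dump which company the tokens were issued to, and can rotate just that company's token.

```python
import hashlib
import hmac
import re
import secrets
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Issuer:
    """Hypothetical issuer that hands out per-company tokens instead of the real SSN."""
    master_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    issued: dict = field(default_factory=dict)   # token -> (real_id, company, epoch)
    epoch: dict = field(default_factory=dict)    # (real_id, company) -> current epoch

    def _derive(self, real_id: str, company: str, ep: int, attempt: int) -> str:
        # Keyed HMAC: without master_key nobody can link tokens to each other
        # or back to the real identifier.
        msg = f"{real_id}|{company}|{ep}|{attempt}".encode()
        digest = hmac.new(self.master_key, msg, hashlib.sha256).digest()
        # Present the token as nine digits so it fits fields shaped for an SSN.
        return f"{int.from_bytes(digest[:8], 'big') % 10**9:09d}"

    def issue(self, real_id: str, company: str) -> str:
        """Return the current token for (person, company), creating it if needed."""
        ep = self.epoch.get((real_id, company), 0)
        for attempt in range(1000):
            tok = self._derive(real_id, company, ep, attempt)
            owner = self.issued.get(tok)
            # Re-derive on collision so every token maps to exactly one triple.
            if owner is None or owner == (real_id, company, ep):
                self.issued[tok] = (real_id, company, ep)
                return tok
        raise RuntimeError("could not find an unused token")

    def rotate(self, real_id: str, company: str) -> str:
        """Invalidate the token a company holds (e.g. after it leaks) and issue a new one."""
        self.epoch[(real_id, company)] = self.epoch.get((real_id, company), 0) + 1
        return self.issue(real_id, company)

    def attribute(self, token: str):
        """Map a token seen in a dump to (company, still_valid); None if never issued."""
        rec = self.issued.get(token)
        if rec is None:
            return None
        real_id, company, ep = rec
        return company, self.epoch.get((real_id, company), 0) == ep


TOKEN_RE = re.compile(r"\b\d{9}\b")


def attribute_dump(issuer: Issuer, dump_text: str) -> Counter:
    """Count which companies the nine-digit tokens found in a dump were issued to."""
    hits = Counter()
    for tok in TOKEN_RE.findall(dump_text):
        rec = issuer.attribute(tok)
        if rec is not None:
            hits[rec[0]] += 1
    return hits


def demo() -> dict:
    issuer = Issuer()
    real = "000-00-0000"  # constructed placeholder, not a real SSN
    # Two companies asked this person for "an SSN"; each gets its own token.
    t_bank = issuer.issue(real, "ExampleBank")
    t_store = issuer.issue(real, "ExampleStore")
    # Constructed dump: rows leaked from the store's database only.
    dump = f"jane doe,{t_store},1990-01-01\nj doe,{t_store},x\nnoise,123,456\n"
    hits = attribute_dump(issuer, dump)          # points at ExampleStore alone
    new_store = issuer.rotate(real, "ExampleStore")
    return {
        "distinct": t_bank != t_store,
        "hits": dict(hits),
        "old_valid": issuer.attribute(t_store)[1],
        "new_valid": issuer.attribute(new_store)[1],
        "rotated": new_store != t_store,
        "clean_dump": dict(attribute_dump(issuer, "no tokens here")),
    }


if __name__ == "__main__":
    print(demo())
```

The issuer holds the only link between tokens and people, so the real identifier never leaves it; a leaked token identifies the leaking company and can be replaced without touching the tokens other companies hold.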
SSNs have always been clear that they’re identifiers, not authenticators - it’s printed on the card! The problem is the businesses who tried to skimp by treating them as secrets, and they invented the mainstream concept of identity theft to make it sound like their negligence should be your problem.
The fix should be simple: stop taking companies seriously when they only used an SSN for authentication. Ideally there’d be a law adding penalties: try to bill someone for a loan authenticated only by common metadata and they have to pay the target a penalty fine, allow insurers to deny claims, etc. As soon as it costs them money, they’d suddenly find the money to check ID like everyone else.
There's a really good video by CGP Grey that touched on this:
https://youtube.com/watch?v=Erp8IAUouus
I'm more and more convinced that the only way to do this is the "Swedish way", make all SSNs public and/or available on request.
Until that happens, companies will still pretend they're private information.
When can we move away from SSNs being a pseudo secret? They have obviously been leaked everywhere at this point.
Relatedly, is there an up to date guide on how I am supposed to freeze my credit? Last I looked, it required handing over all of my PII, which I found super distasteful, but I should accept none of it is secret and do the minimum to protect myself from ~financial institutions falling for fraud~ identity theft.
You freeze your credit by making an account on TransUnion, Experian, and Equifax's websites. It sucks, and they suck, but it's free. Unless you take out loans quite frequently, there's no reason not to do it. My credit has been frozen for years, and I only ever unfreeze it for a month or two at a time when I need to refinance a mortgage or something like that.
This is good as far as it goes, but what about all those times customer support for companies unrelated to your credit asks you for the last four of your SSN (birthdate, address, etc.) to confirm your identity?
It's amazing to me how just getting your name and SSN leaked opens you up to much risk. It's equally amazing how this is a decades-long problem that hasn't been addressed.
I have to wonder what systems other countries use for identifying citizens and how secure they are compared to SSNs.
In Poland you have a national ID card you carry with you; if you don't have it with you, you won't get anything done anywhere. If you lose it/it gets stolen you have an obligation to report it. We have something like an SSN (personal id number) assigned at birth but it's not enough to get a loan or anything.
In Finland banks are the ones who usually handle the strong authentication (not necessarily just the initial one). They are required by law to know the customer. In-person authentication in the branch is required to be done via either ID card or passport; those can be requested from police and expire after 5 years. A driver's license is not an official ID card. Logging into your bank account requires 2FA (I'm not sure if any bank sends codes via text messages, at least it's not very common).
It can also be done with ID card (which is a smartcard) or mobile certificate (https://mobiilivarmenne.fi/en/) if the service supports it.
Usually an identity card. In the EU this is an authentication means, but in order to be liable you must be present with the card at transaction time (i.e. a scan is not enough).
Then you have solutions of increasing robustness such as certificates for e-signature.
The national "id" (if there is one) is just to make it easier to find you. Poland has one, France does not have any for instance.
The problem isn’t the SSN but corporate responsibility shirking: they don’t want to check ID because that costs more, they want things like instant credit applications to allow impulse purchases, etc.
This seems to slowly be improving because so many people have been breached by now that they don’t enjoy the assumption of security. In the 90s, if they took you to court saying you weren’t paying a loan it’d be assumed that a crook wouldn’t have known your SSN but now it’s at least a lot more likely that nobody will believe that without additional proof.
Just one number away from being able to cancel the voter registration of anyone you want in Georgia.
https://www.usatoday.com/story/news/politics/elections/2024/...
https://cancelmyregistration.sos.ga.gov/s/
Original Bloomberg article: https://news.bloomberglaw.com/privacy-and-data-security/back... (https://archive.is/jIfW8)
Are there 2.9B SSNs?
They are claiming this is from a data aggregator called National Public Data, so it probably originated in many other places and contains a variety of different information depending on the source. So it includes SSNs for some people, but not every record is necessarily connected to an SSN.
"data including SSNs"
But 2.9B is a number so high that the only way it can be true is that they got some Facebook data or the method they used for scraping data led to A LOT of duplicates.
I was wondering this, too. A nine-digit number can only represent 1 billion unique values. Even if you consider Employer Identification Numbers too that wouldn't add up. Probably they mean ID #s from other tax-ID systems in non-US countries, or some equivalent identifier. Maybe pooled with driver's ID numbers? I only have guesses.
The plural used implies that at least 2 people had their full name and SSNs exposed. The horror!
I am not sure how to approach it anymore. Frankly, since the Equifax breach and settlement I mostly gave up on hoping for any real change[1]. Whatever the catalyst will be for a shake up, it clearly won't be another -- sufficiently big -- breach. I was too optimistic about that.
It will need to be something public, scandalous and, ideally, affecting someone powerful enough to effect change and privacy-conscious enough to be pissed off enough to want to do anything about it.
edit:[1]https://www.reuters.com/legal/government/illinois-governor-a...
edit2: By scandalous I mean something that the average person cares about. Based on initial reaction to this particular breach, I do not think it meets the criteria.
Ashley Madison happened just under 10 years ago, that's as scandalous as it gets, and nobody cared either.
I'm with you on this.
At this point the only thing I think that could happen to change the status quo is a full blown war against a country that's going to use hacked data against the United States in such a disruptive way that the legislators would have to react due to national security concerns.
I think the opposite is a lot more likely.
When it comes to it, the US gov has incredible leverage with the data they have access to. If they forced all the major tech companies to release everything they have on the most powerful politicians of some country, including email contents, text messages, full search and location history and so on, they could cause quite a scandal.
You can probably overthrow quite a few governments with a judicious use of that power alone.
Was this US only? I'm from the EU, and since yesterday I received 2 threat e-mails in broken English with part of my phone number linked. Never had anything like that happen before.
My oldest email has been exposed in 37 data breaches (so far) according to haveibeenpwned.com, not receiving more spam and/or threats than usual today or yesterday.
"National Public Data" sounds like the name of a nonprofit with a nationwide presence, like NPR or PBS, but it's just the trade name for "Jerico Pictures," a small Florida company with (judging from Crunchbase) 1-10 employees. Shouldn't there be regulations for names like this, similar to how the National Bank Act controls the use of "National" in names of financial institutions?
Names like this are so exhausting. See "Patriot Act" and "Americans for Prosperity Action".
I think that there is potential bipartisan support (among voters, not representatives...) for federal privacy laws that institute heavy fines for leaking personal data based on median household income, as well as requiring chain of custody to be tracked for all personal data. Unfortunately, I don't think our representatives are very interested in implementing this for us.
It wasn’t a data breach so much as the owner of this business allowing data fraud and identity theft to occur. The company is guilty of allowing this data theft through their business malpractices. They’re also guilty for having this data wholly in the first place. Punitive damages to bankrupt these companies are needed so that all industries get the message.
Here is the complaint:
https://ia800801.us.archive.org/26/items/gov.uscourts.flsd.6...
Good. The sooner systems design people stop thinking that SSNs are UUIDs the better.
How much has to happen before we pass legislation forbidding SSN as ID?
Anyone know if we could have requested our data deleted from National Public Data per CCPA? If so, what other huge databrokers have the same data that we can request deletion?
You can request it from any of them. Almost all of them will deny the request because the CCPA is rarely prosecuted and because you can't bring any private lawsuits based on the CCPA. Even "real" corporations like Atlassian operate that way.
Something you have, something you know, something you are: SSN!
My point is, OK I know my information has been sold left and right, plus leaked. But I want my $4.99 every time it gets sold! I need a piece of the action.
There are only 450 million social security numbers (so far). How can 2.9 billion of them have been exposed?
Maybe we should stop using SSNs for things they were never intended for. Crazy talk, I know.
> HSA provider HealthEquity
It’s really hard to read LLM generated articles.
Let me guess they will offer some credit monitoring and move on because we do not have any real consequences for breaches of privacy or security.