Data Breach Exposes 3 Billion Personal Information Records

News of a major data breach that could affect nearly three billion records has come to light from a somewhat unusual source: a class-action complaint filed in Florida. Even as details emerge, we advise people to act as if this is indeed a large and significant breach and to take precautions. Here, we will guide you on what to do if your sensitive personal information has been exposed in a data breach and how you can stay protected in the future.

The National Public Data breach

First, the details. The filed complaint concerns National Public Data (NPD), a public records data provider that offers background checks and fraud prevention services. Per their website, “[NPD obtains] information from various public record databases, court records, state and national databases, and other repositories nationwide.” The complaint alleges that NPD was hit by a data breach in or around April 2024. The complaint filed in the U.S. District Court further alleges that:

  • The company had sensitive information breached, such as full names, current and past addresses spanning at least the last three decades, Social Security numbers (SSNs), info about parents, siblings, and other relatives including some who have been deceased for nearly 20 years, and other personal info.
  • The company “scraped” this information from non-public sources. This info was collected without the consent of the complainant and the billions of others who might qualify to join in the class action complaint.
  • The company “assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion.”

When combined, these data points create a comprehensive profile of an individual, significantly increasing the risk of sophisticated identity theft. With this information, criminals could open new lines of credit, file fraudulent tax returns, or access other sensitive accounts in your name. While details of the NPD breach are still emerging, the potential scope of this personal data breach means it’s wise to act now to protect your identity.

Unreported data breach discovered by McAfee

In the United States, there is no single federal law governing data breach notifications. Instead, a patchwork of laws across all 50 states, the District of Columbia, and U.S. territories requires companies to notify consumers if their personal information is compromised. These laws specify who must be notified, when, and how.

Typically, companies self-report these breaches, thanks to regulations and legislation that require them to do so in a timely manner. Consumers then receive notifications via email or physical mail. However, as this alleged National Public Data breach shows, information about an incident can sometimes surface through other channels, such as court filings, security researcher reports, or identity theft protection alerts, occasionally even before a formal announcement from the affected company.

Initial word of a breach may therefore reach customers through emails, news reports, and sometimes through notifications to certain state attorneys general. In this case, it appears that no notices were sent to potential victims. Further, we were unable to find any filings with state attorneys general.

The primary plaintiff discovered the breach when he “received a notification from his identity theft protection service provider notifying him that his [personal info] was compromised as a direct result of the ‘nationalpublicdata.com’ breach …”

Further, in June, The Register reported that a hacker group by the name of USDoD claimed it hacked the records of nearly 3 billion people and put them up for sale on the dark web. The price tag—U.S. $3.5 million. The group further claimed that the records include information about U.S., Canadian, and British citizens.

From an online protection standpoint, this alleged breach could contain highly sensitive information that, if true, would put three billion people at risk of identity theft. The mere possibility of breached Social Security numbers alone makes it something worth acting on.

Data breaches and how they happen

A data breach is a security incident where sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.

The main goal for attackers is often financial gain; they can sell vast datasets of personal information on the dark web or use it directly for identity theft and fraud. Large, aggregated records like those allegedly exposed in the NPD breach are especially valuable because they provide a complete picture of an individual, making fraudulent activities easier to execute.

Data breaches happen in several ways:

  • Phishing and social engineering: Criminals trick employees or individuals into revealing sensitive information, like passwords or account details, through deceptive emails, texts, or calls.
  • Stolen or weak credentials: Hackers use passwords and usernames exposed in previous breaches (a technique called credential stuffing) to gain access to other systems. Using simple or reused passwords makes this easy.
  • Software vulnerabilities: Cybercriminals exploit security flaws in outdated software, applications, or operating systems to gain unauthorized access to a company’s network.
  • Misconfigured databases and cloud services: Sometimes, sensitive data is left on servers that are not properly secured, making them publicly accessible to anyone who knows where to look.
  • Insider threats: A data breach can be caused intentionally or unintentionally by a current or former employee with access to sensitive information.

Data breach impact on Social Security numbers

The legal complaint against National Public Data explicitly alleges that Social Security numbers were part of the compromised information. An SSN is one of the most critical pieces of personal data because it is a unique, lifelong identifier used for employment, banking, credit, and government benefits.

Unlike a credit card number, an SSN cannot be easily changed. If your SSN is exposed in a data breach, it puts you at a much higher risk for serious financial and legal fraud that can be difficult to resolve. Given the severity of this allegation, it is essential to take immediate preventative actions as if your SSN has been compromised.

Check if your Social Security data is exposed

It’s natural to want to know immediately if your information was part of a data breach. However, you should be extremely cautious. Never enter your Social Security number or other sensitive data into an unknown website that claims to have the capability to check for breach exposure.

Many of these are scams designed to steal your information. The safest approach is to use a trusted identity monitoring service, which scans the dark web and breach databases for your information without requiring you to share sensitive details insecurely. Be wary of phishing emails that pretend to be official notifications about the breach. Instead of clicking links, go directly to the company’s official website for information.

Follow these steps if your Social Security number is exposed

  1. Place a security freeze on your credit. Contact all three major credit bureaus (Equifax, Experian, and TransUnion) to freeze your credit. A freeze restricts access to your credit report, making it much harder for identity thieves to open new accounts in your name.
  2. Set up fraud alerts. A fraud alert requires potential creditors to verify your identity before issuing new credit. You can place an initial one-year alert for free by contacting just one of the credit bureaus, which will then notify the other two.
  3. Change your passwords. Secure your online accounts, starting with your email, financial, and government accounts. Use strong, unique passwords for each one and enable two-factor authentication (2FA) wherever possible.
  4. Monitor your financial accounts and credit reports. Keep a close eye on your bank accounts, credit card statements, and credit reports for any suspicious activity. You are entitled to free weekly credit reports from all three bureaus at AnnualCreditReport.com.
  5. File a report if you see fraud. If you find evidence of identity theft, file a report immediately with the Federal Trade Commission (FTC) at IdentityTheft.gov. This report is crucial for disputing fraudulent charges and accounts.
  6. Consider an IRS Identity Protection PIN (IP PIN). This is a six-digit number known only to you and the IRS, which provides an extra layer of protection against tax refund fraud.
  7. Check your Social Security benefits. Create a “my Social Security” account on the Social Security Administration’s website to check your statement for any unauthorized activity.
  8. Document everything. Keep detailed records of all calls, emails, and correspondence related to the theft. Note dates, times, and the names of people you speak with.

Protect yourself against data breaches moving forward

The NPD breach shows the risks and frustrations that we, as consumers, face in the wake of such attacks. It often takes months before we receive any kind of notification. And of course, that gap gives hackers plenty of time to do their damage. They might use stolen info to commit identity crimes, or they might sell it to others who’ll do the same.

Either way, we’re often in the dark until we get hit with a case of identity theft ourselves. Indeed, word of an attack that affects you might take some time to reach you. With that, a mix of measures offers the strongest protection from data breaches. To fully cover yourself, we suggest the following:

Check your credit, consider a security freeze, and get ID theft protection

With your personal info potentially on the dark web, strongly consider taking preventive measures now. Checking your credit and getting identity theft protection can help keep you safer in the aftermath of a breach. Further, a security freeze can help prevent identity theft if you spot any unusual activity. You can get all three in place with our McAfee+ Advanced or Ultimate plans. Features include:

  • Credit monitoring keeps an eye on changes to your credit score, report, and accounts, providing timely notifications and guidance so you can take action to tackle identity theft.
  • Security freeze protects you proactively by stopping unauthorized access to existing credit card, bank, and utility accounts and by preventing new ones from being opened in your name. And it won’t affect your credit score.
  • ID Theft & Restoration Coverage gives you $2 million in identity theft coverage and identity restoration support if it is determined that you’re a victim of identity theft. This way, you can cover losses and repair your credit and identity with a licensed recovery expert.

Monitor your identity and transactions

Breaches and leaks can lead to exposure, particularly on dark web marketplaces where personal info gets bought and sold. Our Identity Monitoring can help notify you quickly if that happens. It keeps tabs on everything from email addresses to IDs and phone numbers for signs of breaches. If spotted, it offers advice that can help secure your accounts before they’re used for identity theft.

Also in our McAfee+ plans, you’ll find several types of transaction monitoring that can spot unusual activity. These features track transactions on credit cards and bank accounts, along with retirement accounts, investments, and loans for questionable transactions. Finally, further features can help prevent a bank account takeover and keep others from taking out short-term payday loans in your name.

Keep an eye out for phishing attacks

With some personal info in hand, bad actors might seek out more. They might follow up a breach with rounds of phishing attacks that direct you to bogus sites designed to steal your personal info — either by tricking you into providing it or by stealing it without your knowledge. So look out for phishing attacks, particularly after breaches.

If you are contacted by a company, make certain the communication is legitimate. Bad actors might pose as authorized services to steal personal info. Don’t click or tap on links sent in unsolicited or unexpected emails, texts, or messages. Instead, go straight to the appropriate website or contact them by phone directly.

For even more security, you can use our new Scam Detector. It puts a stop to scams even before you click by detecting any suspicious links and sending you an alert. If you accidentally tap a bad link, it blocks the sketchy site that link would take you to.

Update your passwords and use two-factor authentication

Changing your password is a strong preventative measure. Strong and unique passwords are best, which means never reusing your passwords across different sites and platforms. Using a password manager helps you keep on top of it all, while also storing your passwords securely.

While a strong and unique password is a good first line of defense, enabling two-factor authentication across your accounts helps your cause by providing an added layer of security. It’s increasingly common to see nowadays, where banks and all manner of online services will only allow access to your accounts after you’ve provided a one-time passcode sent to your email or smartphone.

Remove your personal info from data broker sites

According to the filed complaint, National Public Data “scrapes” personal info from non-public sources. Further, the home page of the website mentions that it gathers info “from various public record databases, court records, state and national databases, and other repositories nationwide.” While we can’t confirm this ourselves, we can cautiously call out that these sources might include data broker sites.

While any damage here has already been done, we recommend removing your personal info from these data broker sites. This can prevent further exposure in the event of future breaches elsewhere. Our Personal Data Cleanup can do this work for you. It scans data broker sites and shows you which ones sell your personal info.

From there, it shows how you can remove your data. McAfee+ Advanced and Ultimate plans come with full-service Personal Data Cleanup, which automatically sends removal requests on your behalf.

Additional steps to help prevent future data breaches

  • Minimize data sharing: When signing up for new services or apps, provide only the minimum information required. The less data you share, the less can be exposed in a breach.
  • Set up account alerts: Enable notifications for your financial and credit card accounts to get real-time alerts for transactions or login attempts.
  • Keep software updated: Regularly update your operating system and applications to patch security vulnerabilities.
  • Limit your digital footprint: Use a service like McAfee’s Personal Data Cleanup to find and request the removal of your personal info from data broker sites that collect and sell it.

Final thoughts

News of a massive personal data breach can be unsettling, but it’s important to respond with calm, proactive steps rather than panic. The best defense is a strong offense: actively monitor your financial accounts and credit reports, consider placing a security freeze on your credit as a powerful preventative measure, and strengthen your online account security with unique passwords and two-factor authentication. By using identity monitoring services and taking these incremental actions today, you can significantly reduce your risk and stay ahead of potential threats, empowering you to live your digital life more confidently.
