National Public Data Hack Exposes Millions: Essential Steps to Safeguard Your Identity and Combat Fraud

The recent massive data breach at National Public Data (NPD), a background check company, has potentially compromised the personal information of millions, if not billions, of individuals, including their Social Security numbers, dates of birth, phone numbers, current and past addresses, the names of siblings and parents, and other information. The hacker responsible for the compromise claims the stolen files include 2.7 billion records. According to the nonprofit National Cybersecurity Alliance, it is likely “everyone with a Social Security number was impacted.” Already, Social Security numbers and other sensitive personal data are appearing on the dark web, ready for potential identity theft and other exploitation.

While the data breach poses substantial risk to consumers, those risks can be mitigated by quickly placing “credit freezes” with the major credit bureaus, using two-factor authentication on financial accounts, and purchasing ID theft protection from reputable service providers (e.g., LifeLock, Aura, and others). More particularly, consider the following steps to protect your identity and reduce the risk of being a victim of identity theft:

Review Your Account Statements and Credit Reports

Remain vigilant by continuing to review your account statements and credit reports closely. If you detect any suspicious activity on an account, promptly notify the financial institution or company with which the account is maintained.

We recommend contacting the fraud department of those companies to explain that someone has stolen your identity and asking the company to close the account. If the company will not immediately close the account, ask for a freeze on the account. If the account will be closed, request a letter from the company stating (i) the fraudulent account was not yours; (ii) you are not liable for it; and (iii) it was removed from your credit report. Write down who you spoke to at the company for your records.

Purchase and Enroll in Identity Theft Protection Services

There are many products on the market, but IdentityForce UltraSecure + Credit and LifeLock Ultimate Plus have recently received the highest ratings for identity theft protection services. See for example:

• “The Best Identity Theft Protection Services in 2024,” Tom’s Guide, August 3, 2024
• “Best Identity Theft Protection and Monitoring Services for August 2024,” CNET, August 15, 2024

ID theft protection services can monitor the dark web for your information, file credit freezes on your behalf, remove your data from popular databases, and furnish many other useful services.

Obtain a Free Copy of Your Credit Report

We recommend obtaining a free copy of your credit report from each of the three major credit reporting agencies (Experian, TransUnion, and Equifax) once every 12 months by visiting www.annualcreditreport.com, calling toll-free 877.322.8228, or completing a printed copy of the Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348.

Place a Fraud Alert on Your Credit Report

You can place an initial or extended “fraud alert” on your credit report at no cost by contacting any of the three nationwide credit reporting agencies identified below. An initial fraud alert is a one-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert displayed on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. For that reason, placing a fraud alert can protect you but also may delay you when you seek to obtain credit. If you are a victim of identity theft, to the extent an identity theft report has been filed with law enforcement on your behalf, you may want to consider placing an extended fraud alert on your credit file, which lasts for seven years. You may place a fraud alert through any of the consumer reporting agencies’ websites or over the phone, using the contact information below:

• Equifax: P.O. Box 105069, Atlanta, GA 30348 | 800.525.6285
• Experian: P.O. Box 9554, Allen, TX 75013 | 888.397.3742
• TransUnion: P.O. Box 2000, Chester, PA 19016 | 800.680.7289

Place a Security Freeze on Your Credit Report

In addition to placing a fraud alert, we also recommend placing a “security freeze” on your credit report, free of charge. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. You may also lift or remove a security freeze, at no charge.

You must place your request for a freeze separately with each of the consumer reporting agencies. To place a security freeze on your credit report, you may send a written request by regular, certified, or overnight mail to the addresses below. You may also place a security freeze through each of the consumer reporting agencies’ websites or over the phone, using the contact information below:

• Equifax: P.O. Box 105788, Atlanta, GA 30348 | 800.298.0045
• Experian: P.O. Box 9554, Allen, TX 75013 | 888.397.3742
• TransUnion: P.O. Box 160, Woodlyn, PA 19094 | 888.909.8872

In order to request a security freeze, you will need to provide some or all of the following information to the credit reporting agency, depending on whether you do so online, by phone, or by mail (note that if you are requesting a credit report for your spouse, this information must be provided for them as well):

• Full name, with middle initial and any suffixes
• Social Security number
• Date of birth
• Current address and any previous addresses for the past five years
• Any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles

The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible and display your name, current mailing address, and the date of issue. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft.

The credit reporting agencies have one business day after receiving your request by toll-free telephone or secure electronic means, or up to three business days after receiving your request by mail, to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five business days and may provide you with a unique personal identification number (PIN) or password (or both) that can be used by you to authorize the removal or lifting of the security freeze. It is important to maintain this PIN/password in a secure place, as you will need it to lift or remove the security freeze.

To lift the security freeze in order to allow a specific entity or individual access to your credit report, or to lift a security freeze for a specified period of time, you must submit a request through a toll-free telephone number, a secure electronic means maintained by a credit reporting agency, or by sending a written request via regular, certified, or overnight mail to the credit reporting agencies and include proper identification (name, address, and Social Security number), the PIN or password provided to you when you placed the security freeze, and the identity of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have one business day after receiving your request by toll-free telephone or secure electronic means, or three business days after receiving your request by mail, to lift the security freeze for those identified entities or for the specified period.

To remove the security freeze, you must submit a request through a toll-free telephone number, a secure electronic means maintained by a credit reporting agency, or by sending a written request via regular, certified, or overnight mail to each of the credit bureaus and include proper identification (name, address, and Social Security number) and the PIN or password provided to you when you placed the security freeze. The credit bureaus have one business day after receiving your request by toll-free telephone or secure electronic means, or three business days after receiving your request by mail, to remove the security freeze.

Report to Law Enforcement and the Federal Trade Commission (FTC)

We recommend filing a police report with your local police department and obtaining a copy of the report for your files. You may also consider filing a report with the FTC by visiting www.ftc.gov/idtheft or by calling 877.ID.THEFT (877.438.4338). Reports filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, which is a database made available to law enforcement agencies.

Notify the Internal Revenue Service (IRS)

Consider completing and submitting IRS Form 14039, Identity Theft Affidavit. This form is really intended for victims of tax-related identity theft, but you may want to consider submitting it anyway. Additional information about the Affidavit can be found here.

Correct Credit Reports, If Necessary

Write to each of the three credit bureaus explaining which information on the credit reports came from identity theft, if applicable. Ask the bureaus to block that information that came from identity theft. Once the information is blocked, it will not show up on your credit reports and companies cannot try to collect the debt from you.

For more tips on protecting your personal data, online accounts, and home computers, check out Foley & Lardner’s Information Security Checklist. For guidance on information security and data protection at the enterprise or organization level, contact any of the authors listed below or another senior member of our core Cybersecurity & Data Privacy Team.