What To Do If Your Data Was Leaked In the NPD Breach

Several weeks ago I received an alert from my online fraud service that my social security number had been found on the dark web. While I’ve always assumed some of my private information was available online, this was the first time I had confirmation that information of any significance had been leaked. The root cause was of course the now-infamous National Public Data breach, which exposed the private information of hundreds of millions of people. If you are wondering whether your information was made available in this breach, you can proactively check at NPDBreach.com.

So what should you do if your data, like mine, was part of this breach? Here are the actions I took:

1. Freeze Your Credit

When you apply for any form of credit - e.g. a mortgage, a bank loan or a credit card - the financial institution will check your credit with one or more of the three credit agencies. Credit agencies aggregate your current and past financial history in order to compute your credit score and risk for vendors. They are not, however, responsible for verifying that the financial institution requesting the check is providing credit to the real you. While you can’t stop a criminal from applying to a financial institution under your name, you can prevent the credit check from being successful. To do this, set up accounts with each of the three major credit agencies - Equifax, TransUnion, Experian - and freeze your credit. While this service is free, these companies will often try to upsell you to chargeable services with similar names (e.g. a lock).

If in the future you do apply for credit, you can ask the financial institution which agencies they use, and unfreeze your credit for the time frame they require for the check.

2. Request Your Free Credit Report

After you have frozen your credit, make sure no one has already committed identity theft under your name. To do this, go to AnnualCreditReport.com, where you will be walked through a step-by-step process to retrieve your credit report from each of the three vendors. Based on federal law, all consumers have a right to do this for free once a year.

3. Set Up An Account With the IRS

It has become increasingly common for criminals to use the personal information they obtain from the dark web to file false tax returns in someone else’s name. They simply supply all your information with fake financials and request that the IRS send the tax refund to a bank account under their control. It often takes victims years to recover funds from the US government. The good news is this can be easily prevented by setting up an online account with the IRS and enrolling in their PIN code program. This program issues you an annual six-digit code that must be provided with your tax return in order for it to be authenticated.

Note: Please make sure you use some form of multi-factor authentication to secure this account (ideally using an authenticator app).

4. Claim Your Social Security Administration Account

While you may be decades from retirement, you still run the risk of someone claiming your account with the Social Security Administration in order to divert your benefits. The best way to prevent this is to claim your account. The SSA uses ID.me, which will require taking a photo to match against uploaded identification (best set up using a smartphone with a camera).

5. Enable Notifications on Your Biggest Asset

For most of us, our biggest asset is our home. While property fraud is extremely rare, it does happen in most counties. The typical scam involves a criminal forging deed transfer documents in order to claim ownership of your home / land. Sometimes they use the deed to make a quick sale (primarily used for land only), and other times they use it to take out loans against the property. Since their deed was fraudulently obtained, you technically still have the title to your property, but own the responsibility of correcting it via a lengthy and often expensive legal process. A recent example of this happened in Concord, Massachusetts, where criminals transferred the deed to a two-acre empty lot and engaged a realtor to sell it, after which the new owners started building a home on the property. The actual owners now have to sue the realtor and new owners in order to regain the deed to their property.

While there are companies that offer property deed monitoring services for a fee, many county registries of deeds in the US will offer a consumer notification service for free. These services require that you sign up with an account and set up the property you want to be notified on. Here for example is the consumer notification service for Suffolk County in Massachusetts. Once enabled, you will be proactively notified of any change to your property at the registry. While this type of fraud is highly unlikely to impact you, it is also an easy one to monitor.

6. It’s Time to Use a Password Manager

Do you have a complex and unique password for every app / website? If the answer is no, it’s long past time for you to graduate to using a password manager. You can use a more feature-rich commercial solution like 1Password, or just use a basic free one such as the Apple Password app (new with iOS 18). But a failure to invest in a password manager in 2024 is as negligent as leaving your front door unlocked when you go on vacation.

7. Make Sure All Critical Accounts Are Enabled With MFA

If you have accounts that have access to any important assets or information - e.g. bank accounts, investments, credit cards - it is essential you enable them with multi-factor authentication (MFA). Where possible, for the maximum possible security, you should choose to use an authenticator app instead of having a code texted to your phone. For additional detail, see my post from earlier this year on this topic.

Last Thoughts

While a determined criminal will almost always find a way to exploit a vulnerability in your financial life, you don't have to make it easy for them. By following a few basic security measures like the above, you can reduce the likelihood you are the next victim of identity theft. The recent NPD breach is as good a reason as any to get started on better securing your online life.