I’ve been hacked! Sort of?!

This story began with what looked like yet another routine data breach, but became a lot more as I understood it better. Let’s start at the beginning.

My news feed last week included a story with this teaser: “The Social Security numbers and related data of 3 billion Americans was just stolen. Here’s what you need to know.”

What I needed to know was what drug those news editors were on, because I wanted some. There are only about 340 million people in the United States, not all of whom even have social security numbers. Here is a handy chart to illustrate the problem:

I love charts! You can see from this that there is something horribly wrong with the news. To find out what it might be, I went to Ground.News, a news aggregator that shows a neat list of each media organization that is running a particular story along with its evaluation of whether that organization is biased to the left, to the right, or is centrist. All of the 30 or so sources for this item were centrist (so far, good!) so I started scrolling through them. What I discovered was that there were 30 or so copies of the exact same text that had been reprinted by news outlets from all over the country. Ground.news’s AI bot had accurately summarized all of these stories, but unfortunately, they were all identical and therefore all equally preposterous.

Being the good citizen that I am, I sent a feedback note to the editors of Ground.News and received the most lovely letter in return. It said, in part: “Thank you for taking the time to report the error in the Ground Summary. We wanted to let you know that our team has seen your report and manually updated the summary with the correct information thanks to your help.” I will always treasure this letter, and I hope that it was written by a real person. After a few days, the news shifted to saying that the 3 billion was not the number of Americans, but rather the number of data records. I am going to take partial credit for making the world a more numerically literate place.

Let’s take a minor side trip and talk about why 30 news outlets would all repeat the same preposterously wrong information. Did someone substitute decaf coffee in the Starbucks daily orders for all of these people? Were they all at a convention of news editors, leaving the actual editing to their 10-year-old kids? (I asked my 10-year-old grandson to estimate the total number of Americans, and he was way off, despite being very smart, so I think that appointing our kids to edit the news would have some problems.) Were the news editors of all these publications going through emotionally messy divorces? I don’t think that we will ever know. Whatever it was, no one competent to edit the news was at the helm.

Going back to the story, the data breach was reported to come from a Ft Lauderdale company called “National Public Data,” or NPD. Here they are, as pictured on their own web site:

I wish I worked there! These people are loving their jobs. In the “About Us” section, it said that “Many different business use our services to obtain criminal records ….”

What? After reading this I am starting to be not so enthusiastic about working there. Do they really help their clients to become criminals?

Of course not. I was joking. Actually, they are a data aggregator, aka data broker, or a company that collects massive amounts of private information about people and then sells it to anyone who pays them a very small fee, thereby rendering it not private anymore, and without the permission of the person whose information it is. I know that this sounds pretty unethical, but it is actually perfectly legal here in America! Who says America needs to be made Great Again? Only a country that is already great would allow this type of marketplace to thrive.

Being curious about why this job of un-privatizing our personal information would be so fun, I did a reverse image lookup on the four employees that are featured above on their web site, and discovered that the four happy young business people are actually an Adobe stock image titled “Group of Happy Young Business People”, who are models and have no connection with NPD. In other words, while NPD is happy to reveal your private information to anyone in the world, they are not revealing who they really are on their own web site.

NPD’s web site says that they specialize in background searches on individuals and on criminal records checks. I quote them here: “All of our searches can be delivered in XML for you to embed into your applications or websites, which is perfect for those reselling public records.” This means that whatever information they might have is sold to people who then resell it. If your name pops up, there will not be any way to authenticate where the info came from or how trustworthy it is, or any direct way to fix errors. What could possibly go wrong? (I apologize for not explaining XML; you will have to ask me about it outside of ‘Grandpa Blogs the News’. Sufficient to just say that it soups up the reselling.)

I tried to find out just how great the market for this stuff really is, and while I could not find a single authoritative source, there are multiple estimates that data brokers do more than $200 billion in sales annually, with likely growth to $500 billion in the next few years. To me, that is a lot of money, not to mention a lot of selling of people’s private information without their permission. Here is what EPIC, the non-profit Electronic Privacy Information Center, says about them: “As the data broker industry proliferates, companies have enormous financial incentives to collect consumers’ personal data, while data brokers have little financial incentive to protect consumer data.” They go on to clarify that we (Americans, that is) are the product and not the customers of this industry, giving us little recourse.

John Oliver did a segment on data brokers in April 2022. I know he is not to everyone’s taste, so please don’t watch if you are not a fan of his show. My feelings won’t be hurt. I am throwing this in as a bonus for Gen-X-ers or those who think like youngsters; you don’t have to watch to get the point of this blog entry. https://www.youtube.com/watch?v=wqn3gR1WTcA

To bring us all up to date on the data breach, in April of this year, or about four months ago, a cybercriminal who calls himself “USDoD” claimed to have stolen the 3 billion social security numbers and related detailed information from NPD. In August, NPD admitted that this really happened, stating that it had “detected an intrusion” into its computers as early as December 2023. USDoD has evidently packaged this information and started selling it on the “dark web.” (It is better left unsaid what the ‘dark web’ is, so I am not saying it.) USDoD was asking $3.5 million for the files. (This is about a tenth of a cent per data record – a relative bargain.)

The breach became more widely known when a second cybercriminal (I don’t know who this was or where he got the files from) made the same information available to anyone who knew where to look, but this time for free. Meanwhile, the expected legal dogpile has started. At least 14 complaints have been filed against NPD’s parent company Jerico Pictures Inc. and its owner Salvatore Verini, including a class-action lawsuit in Federal district court in Florida. It was the lawsuits that seem to have triggered most of the mainstream news about the event.

As far as I can tell, the lawsuits are alleging that NPD failed to adequately protect against unauthorized release of the private information. I am eager to find out what a Federal judge will make of this, since NPD is basically in the perfectly legal business of releasing unauthorized private information to anyone who is willing to pay a few cents per data record.

Let’s find out what we are talking about. It turns out that anyone (including you, the reader!) can query this stolen database to see what information it might have about you. If you go to ‘npd.pentester.com/breach’ you can enter a name, state of residence, and birth year, and get a listing of all entries that match those criteria. You don’t get all the data in the file because the people who run Pentester are just trying to let people know whether their info was stolen or not. To get a complete data set, you need to go directly to NPD and contract with them for a search. I have not tried this myself, but I think that anyone could do it (although they might be shutting down soon due to the bad publicity, the lawsuits, and all, so act quickly – this offer may expire soon).

I did a search on Joseph Biden, Delaware, DOB 1942. This gives you a feel for what you get from Pentester.com, although the real stolen data contains much more. I figured that Biden’s information is already public, so no beans are being spilled. Public info says that the Barley Mill Rd address is where he currently resides; his birthday is November 20, so these elements seem to be correct. His dad was also named Joe, so some of these could be his father.

I found 17 entries that had my personal information, including date of birth, my address, my social security number, my phone number, and whatever else was not shown by Pentester. Most of these had at least one item missing, and most were old. For example, there were entries for ’34’ instead of ‘134’ for my street address; this changed within a year or two of my moving into the house. Also, there were entries for my former home in Summit, NJ which I moved away from in 1969. A couple of them showed everything correct except for Tinton Falls, NJ, which I have never lived in. Some of them were blank in the Social Security number field, but not all, and the ones with an SSN looked correct. Ditto for my date of birth. The ones that had a phone number were all for my landline which is still active but unused, and which receives several spam calls every day. Maybe this is why.

When I put in Connecticut for the state, there was an entry for the address that my daughter lived in when she was in graduate school. This is because I co-signed a car loan while she was there. When I then changed the state to Florida, two entries came back with my mom’s address because I was listed for a time as a co-principal on one of my Mom’s credit cards. This was to help her purchase things after her eyesight started failing and ordering on the Internet was difficult for her.

This was getting to be fun, so I put in my Dad’s name and NJ. He died in 1996. Up popped 5 entries! These were all accurate, reflecting his addresses after about 1950. The addresses looked correct, although the dates of birth were wrong. I didn’t double check the social security numbers.

At this point you are probably asking yourself: “Why do I think that I have been hacked, sort of?” It is because the private information that is now available for free to criminals to use was already available to them, but just in a slightly different form, and from a perfectly legal company that would have been happy to sell it to anyone for a very small price per item.

Looking at what information was in this breach, it became evident to me that the data likely originated from one of the credit reporting agencies (“CRAs”). The three big ones are Equifax, Experian, and TransUnion, but there are others. When I compared the information on my credit reports to that of the data breach, I saw that they were nearly an exact match. The same addresses and information that are maintained by the CRAs showed up in the NPD data set. Voila!

In 2017 Equifax, one of the ‘Big Three’ US Credit Reporting Agencies, lost control of 147,000,000 personal records of Americans including sufficient information that would allow criminals to steal from you. They were found by the courts to have not taken data security practices seriously.

What are these CRAs? As a reminder, the CRAs provide a service to banks and other lending organizations that streamlines the time needed by a bank to decide whether you are eligible to receive a loan or not. Without these CRAs, the loan officer would have to undertake lengthy research to find out whether you paid all your bills on time, had an excessive debt balance, and so forth, and this information is distributed across many, many financial entities. The CRAs have an agreement with pretty much all banks whereby the bank tells the CRAs about every financial transaction you incur, including account balances and debts owed, and in return, the CRAs sell this information back to the bank when it wants to decide on loan eligibility. Believe it or not, you and I have already agreed to this “un-privatization process” as part of the fine print we sign when we open any bank account. Other organizations can use this service, like car dealers when they want to issue a car loan, and the CRAs also sell your financial information to businesses for other applications.

There is no way to opt out of this arrangement unless you don’t want to ever have a bank account. Being un-banked would prevent most Americans from holding a job, buying goods and services, renting or owning a home or apartment, owning a car, and so on. So, un-privatization starts with CRAs, and then gets amplified by data aggregators. When any of these has a data breach, the un-privatization gets worse, but this data breach appears to rest on a foundation of CRAs sitting on private information for virtually every American.

Arrgghhhh!!! Sorry this blog has turned dark! I wish I didn’t know any of this! You probably do too! Here’s what you can do:

  1. Contact the CRAs and ask them to freeze (not lock, freeze) your credit account;
  2. Tell your members of Congress that the US should have some sort of data privacy law, at least allowing you to opt out, and hopefully making the organizations more accountable for protecting your private information;
  3. Take out a cybercrime insurance policy, providing reimbursement and help in the event someone uses your information inappropriately;
  4. Pay closer attention to what sources of news you believe;
  5. Make sure your kids and grandkids know how many people live in America; and
  6. Go back to step 1. I don’t think that you have done it yet. I put it first for a reason.

And don’t panic! You are going to be ok.
