Is the NPD Breach NBD? How Your SSN Is at Risk From This and Other Major Breaches

“No big deal!” Maybe this thought ran through your head after reading recent headlines about National Public Data (NPD) being breached.

When big breaches like this are a regular headline, it’s easy to shrug it off. So I wouldn’t blame anyone for feeling that way.

As for myself, I’m really not worried about it. I say it for a few reasons but one of the biggest is that I have various protections in place that give me that peace of mind.

Today, we’ll talk about what this means and share some tips on how to say, “No big deal!” to big breaches with a bit more confidence than just complacency.

What Happened with NPD?

NPD is a database used for background checks. They have access to data that may include:

  • Social Security Numbers (SSNs)
  • names
  • email addresses
  • phone numbers
  • and mailing addresses

The details of the breach came out after a proposed class action lawsuit claimed that 2.9 billion personal records may have been exposed (other reports suggest 2.7 billion records, according to CNBC).

The official breach notice said 1.3 million records were possibly exposed.

NPD believes a bad actor hacked them in December 2023 with potential leaks of information in April 2024 and over the summer.

According to the CNBC article, representatives from NPD claim that much of the data was already public or was inaccurate data to begin with.

(All of the above was gathered from CNBC’s article “‘Was my Social Security number stolen?’ Answers to common questions on the National Public Data breach” which is worth a read here: https://www.cnbc.com/2024/08/23/was-my-social-security-number-stolen-national-public-data-breach-questions.html)

What “IF”?

What can happen IF your data gets compromised from this or any one of the other breaches we find in the news each week or month?

The stories vary by victim, but ID Theft and Fraud is a pretty serious problem today.

When major breaches like this put data out there, it can be used by other bad actors to target us or access our accounts, credit, or even medical records. Sometimes it’s used to impersonate you, or it could be used to build a false sense of trust with someone malicious.

Attacks with this kind of data usually involve theft, extortion, manipulation, or someone impersonating you to attack your friends and family, if not completely random victims.

It really depends on who’s behind the attack and what they have to work with, but the impacts tend to do much more than financial harm. It’s particularly scary when it comes to emotional damage and stress related to recovering.

What’s worse is that the elderly and minors tend to be targets, often sought out because they are easier to trick or because more can be done before a problem is discovered.

Two quick side comments on this:
  • If you want to know more about the impacts of ID Theft, follow me because on Thursday, October 31st at 9 MT we’re doing a Halloween and Cybersecurity Awareness Month Special on the “Horrors of ID Theft!” where we’ll dig into some of the crazy cases out there and share more tips on protecting yourself. I’m doing a ton all October but this will be a great one for all to attend!
  • And, if you like R-rated action movies, ‘Beekeeper’ with Jason Statham ties ID theft into its storyline. A personal cyber-attack happens very early on in the movie (before any R-rated stuff, if you want to check it out but don’t want to see some hackers get their butts kicked). Some of the threat actor side of it is a bit theatrical, but the attack and the victim’s perspective are a great example of one way these attacks can play out.

So Why Am I Not Worried?

Of course, things can still happen to me, but I’m focusing on what I can control and there are layers of security I have in place to help me that I’d recommend considering for yourself.

First, we need to acknowledge what we can’t control and let that go so we can focus on what we do control.

I can’t control what companies like NPD do to protect my data. In many cases, people in that database could have no clue NPD even had their data. There are more and more laws around data privacy and disclosures as well as requirements for how to protect this type of data, but it’s going to take time and no one can be 100% secure – so that data is still at risk.

The spokesperson from NPD is probably right: much of this data may already be out there (that doesn’t let them off the hook though!). I can’t tell you how many times I get a letter in the mail that a data breach occurred and I may have had my data exposed.

We’re a bit helpless as consumers and it’s easy to throw our hands up – so that’s why I don’t really worry about these things I have no control over.

That being said, what can we control?

What I can do is monitor for suspicious activity and make it harder for anyone who gets my data to use it. I do this through defend-id and have their ID Theft Protection services. The services alert me when my data is out there, being used, and give me help to recover as quickly as possible to minimize damage.

I also have my and my family’s credit frozen, making it harder to access any of my credit.

To protect my banks, I’m picky with who I bank with but also have made sure to set up MFA and other restrictions on my accounts. Each one has a very random and long password that is unique.

Same with any social accounts or anything else that’s tied to the most sensitive types of data or ways of communicating with me. I keep them locked up as best as possible with MFA and strong passwords.

(While MFA makes it a little harder for me to log in, it makes it MUCH harder for threat actors and, while there are still ways around it, it will slow most of them down)

I’m not impervious to having a breach like this come back to haunt me, but I feel better knowing I’m harder to attack and that someone’s not only got my back but is also watching it.

I still need to be careful with day-to-day activity and watch out for scams or other personal cyber attacks, just like you. That’s where it pays to stay on top of security awareness and threats, and to keep an eye out for news articles like the NPD breach. And it’s one of the reasons it’s important to me to share tips with others and promote awareness.

Want some tips on what to do to protect yourself?

First, be careful with FUD (Fear, Uncertainty, and Doubt) around all of these kinds of breach stories.

Make no mistake, breaches like this get a lot of attention in news articles as well as marketing where your fears are used to get attention for solutions. It’s this kind of behavior around breaches like this that desensitizes us and wears us down.

We have to practice being smart consumers and users of technology by filtering through the noise and looking for what we can control and taking the right action.

Also, keep in mind that scammers use the FUD and confusion to trick more victims. Don’t get caught entering your SSN into someone’s website to search if it’s compromised because you may very well compromise it yourself in the process.

The safest way to find out if your data is out there is to use a legit service that can search for you.

With all that in mind, here are some things I highly recommend doing right now:

Freeze your credit until you need it

  • Many of the same monitoring services will help with this but you can still do this yourself if you don’t have resources helping you. Essentially, you need to work with each credit bureau to do so. There’s a good resource here on the USA.gov page that includes other consumer resources: https://www.usa.gov/credit-freeze
  • If you need help with this or want our guide on protecting your minors and their identity, let me know by messaging me here or emailing me at info@rlsconsulting.co. I’ll send out our guide directly to you if you want a copy.

Get a password manager

Yes, all of your keys go in one basket, but using randomly generated passwords is much safer. Just protect your Password Manager as much as possible with MFA and a VERY good password or passphrase that you do not share or use elsewhere.

  • Most Password Managers will typically tell you if any of your passwords are compromised
  • Need help finding one? Let me know!

Monitor for activity

Check for data you have that’s out there or if you have any suspicious activity around it:

  • It’s worth repeating: be careful giving out your SSN to do searches for it! You very likely would expose it by entering it into various search sites.
  • There are many sites and services out there that will let you search for any credentials or sensitive info tied to email addresses. If you don’t have a service you trust, defend-id has a new tool where we can run a search for you. It’ll be available to run by yourself online soon but just let me know if you want me to run a search on your behalf in the meantime.

NOTE: There are easy ways to find out if your email is affiliated with any other data out there, but the results can still be inconclusive. No results doesn’t mean your data isn’t out there, and any results that are found could be limited; a search doesn’t mean it found ‘everything’.

Get ID Theft Protection or Personal Cyber

The best recommendation for getting back some peace of mind and having help to turn to if your data is used would be to get monitoring and recovery services in place through ID Theft Protection, also often called Personal Cyber:

  • Get 20% off of defend-id with code “RLS20” here: https://defend-id-personal.merchantsinfo.com/Default.aspx
  • When it’s offered as an employee benefit, it’s super cheap, about the price of a cup of coffee per employee per month, so if you want to do something cool for your staff this year, let me know!

If your Insurance Agency does not offer ID Theft or Personal Cyber as a solution and you’d like to sell it, I can help you there too. You can learn more in one of my recent articles: Should I Offer Personal Cyber?

Should I Offer Personal Cyber?

Where do you start with Personal Cyber or Identity Theft Protection? I’ve been getting this question more and more. Agencies I’ve been talking to are noticing the trend:

  • Our data is out there due to breach after breach, and it’s only a matter of time before it gets used against us.
  • Threat actors are targeting us (especially the elderly and minors) with sneaky social engineering attacks and using AI to get better and faster.
  • The fear of ID Theft, Fraud, and the hassle of recovery are on more and more people’s minds.
  • With cyber liability becoming more crucial for businesses, offering coverage for individuals makes good sense.

What do people need? And is it a viable option in today’s market? Let’s dig into it in today’s article!


What Do People Need to Protect?

For individuals, cyber threats and fraud risks can be similar to the cyber risks businesses face. It’s easier to start with the “What if I have an incident?” perspective and look at the CIA Triad of Cybersecurity for three easy categories to consider:

  1. Confidentiality: What data do I need to keep protected, and where is it?
  2. Integrity: What do I trust, and what if that trusted resource becomes compromised?
  3. Availability: What technology do I rely on, and what does it mean if it’s not there?

When thinking about home and family, consider these questions:

  • Is sensitive data about me out there? What is out there? Is anyone using it?
  • Could someone hack my computer or another account? What would they do if they did?
  • If I trust a scammer by mistake, can I get any lost money back?
  • If someone pretends to be me and accesses my accounts, how do I get my money back and restore my identity? How long will it take, and what do I do in the meantime?

It all comes down to monitoring for suspicious activity and recovering by restoring my identity and getting my money back. The second component is preventing this from happening, which involves awareness, security tools, and being cautious.

The good news is that the same types of coverage that provide monitoring and recovery often offer resources to help individuals reduce their chances of falling victim. Even when we do a good job of protecting ourselves, identity theft can still happen. This is why having protection and recovery services is crucial for everyone.


What Is Often Covered?

When looking into Personal Cyber or Identity Theft Protection, ensure your coverage includes three core capabilities:

  1. Detect, Monitor, and Alert: Every second counts, so knowing about suspicious activity quickly helps minimize damage. You need a service that can watch for misuse of your information and alert you promptly.
  2. Recover: Fixing your identity can take time and often pulls people away from work. You may need to change bank accounts, social security numbers, or other items related to your identity and accounts to protect yourself. Repairing your credit or getting money back can be stressful and difficult without experience. A team doing this on your behalf helps you get your life back to normal faster.
  3. Insure Against Loss: Recovering your identity can be costly. Expenses can mount up, and it can take weeks to get frozen bank accounts active again. Reimbursement insurance can help cover expenses related to restoring your identity.

The level of service behind these capabilities may vary from policy to policy. Many offerings have different levels of coverage offered at various prices to give consumers options. In addition to coverage, consider a few other areas to compare to find the right offering for you:

  • Options for consumers (Levels of coverage, Family or Individual options, Group options for Employer Paid or Voluntary, and resources or services available to consumers)
  • Price
  • Minimum Group Size (when offered to individuals as a group benefit)
  • Minimum Book Size
  • Commission
  • Reseller Costs
  • Ease of Enrollment
  • Reseller Tools and Resources
  • Exclusivity (can you only have one option?)

How Do You Roll It Out?

Depending on the offering you choose, many agencies can find quick wins. I work with defend-id to help agencies become resellers, and here are three strategies I always recommend:

Personal Lines

Start with an announcement and content that will draw in quick wins with your current book of business and give you a good reason to advertise to current prospects. A webinar can bring awareness to the current risks of ID theft and fraud, how attacks happen today, and ways to help people protect themselves with tips, resources, and your new offering. Follow up with articles, newsletters, or tips shared through social media or other channels. For those who don’t engage initially, create a drip marketing or call campaign to share tips and build awareness so they’re primed to consider it upon renewal. Since this type of coverage can be sold to a business as a group benefit, create a referral system to get individuals discounted or paid-for coverage through their workplace.

Groups

If you already sell benefits and don’t offer Personal Cyber or Identity Theft Protection, you may find this easy to add. Many businesses don’t offer it yet, but it can add value for employers since identity theft impacts them too. Employees miss work, are stressed, and it affects others around them. There’s a good incentive for businesses to invest in this for their employees. Ask, “Should we include ID Theft Protection and Recovery?” Employer-paid rates can be as cheap as a cup of coffee per employee per month, so many people are open to it and want it for themselves. If they say no, offer the Voluntary option: “No problem! We have a voluntary option where the employee can get it at a discounted price.”

Cyber Liability

Consider leveling up your cyber liability offer by adding coverage for individuals at the business. If businesses are protecting themselves from cyber risks, one of their biggest challenges is culture. To change the culture, get employees bought in. Investing in them through personal cyber or Identity Theft Protection coverage gets their attention. By adding this, the business can say: “We are building a smarter culture around cybersecurity and want to start by investing in protecting you at home. Our company will provide coverage to help you detect and monitor for suspicious activity and services that will help you recover your identity if needed. This also gives you access to resources to learn how to protect yourself at home. In return, we ask you to take what you learn and apply it here. Help us protect the company and your coworkers from cyber threats by taking part in our training and supporting necessary changes to be safer.”

This approach not only helps change the business’s culture but also adds value to your cyber liability offering without much cost.


Is It Worth It?

I can’t speak to other offerings outside of defend-id, but here are some figures around the value of this kind of offering:

  • defend-id’s average group size is 65 employees, with an average rate of $5/employee/month or $325/month.
  • Our commission varies between 20% on our Retail (Individual) and Voluntary offerings and 25% on Employer Paid.
  • Pricing depends on coverage choices, but every option we have is below $22/month (the average cost is $5/person/month).
  • For our offering, there’s no cost to resell or minimum requirements, so there’s no real downside.

The biggest hurdle for many agencies isn’t seeing the financial potential but finding the time to get it going. We work to make it easy for you to implement this as a new offering. Our enrollment process is simple to learn and takes only a moment to set up a group, so the learning curve is minimal.

With strategies like those I laid out above, you should have some ideas about how to get initial sales. We’re always happy to work with agencies to provide templates, content, or other tools to help make launching easy. Just like cyber liability riders vs. a standalone option, having options helps you be more versatile in meeting customers’ needs and nurturing their accounts.


How Do People Get Going?

For defend-id, if you’d like to consider reselling, you can check out our site and sign up as a partner to start reselling right away. Check it out here: defend-id. If you want to explore it further first, I help with onboarding new agencies and would be happy to answer any questions you have. Just message me through my LinkedIn page, below.

Whatever you decide to offer, this is a product many people need today, and I encourage you to look deeper into finding a product that fits you and your agency. Best of luck!

-Ryan
RLSConsulting – strategic partner with defend-id


 
