This past week, it was announced that a significant data breach occurred about 4 months ago when a major data broker was hacked. Below is a link to the full LA Times article. This email will also include some quotes from the article.
https://www.latimes.com/business/story/2024-08-13/hacker-claims-theft-of-every-american-social-security-number (This link will take you to a third party site. We do not guarantee the accuracy of any third party websites, and you will need to rely on the editorial staff of the LA Times for its accuracy.)
“According to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Fla., the hacking group USDoD claimed in April to have stolen personal records of 2.9 billion people from National Public Data, which offers personal information to employers, private investigators, staffing agencies and others doing background checks. The group offered in a forum for hackers to sell the data, which included records from the United States, Canada and the United Kingdom, for $3.5 million, a cybersecurity expert said in a post on X.
Last week, a purported member of USDoD identified only as Felice told the hacking forum that they were offering “the full NPD database,” according to a screenshot taken by BleepingComputer. The information consists of about 2.7 billion records, each of which includes a person’s full name, address, date of birth, Social Security number and phone number, along with alternate names and birth dates, Felice claimed.
National Public Data didn’t respond to a request for comment, nor has it formally notified people about the alleged breach. It has, however, been telling people who contacted it via email that “we are aware of certain third-party claims about consumer data and are investigating these issues.”
From different reports I have read, the information stolen could be a full dossier including Social Security numbers, dates of birth, employment information, and family members. This information could make it so much easier for hackers to access your information online or create new accounts, loans, etc. The linked article has actions you can take, and below are a few that I am taking along with some general cyber security advice.
Froze Credit
I froze my credit with the three major credit bureaus – Equifax, TransUnion, and Experian. I did this by creating a login with each bureau and following their instructions to put on a freeze. When doing this, it looked to me like you could also call them to start a freeze of your credit. My understanding is that as long as you are not applying for a loan or credit card, this should cause no disruptions. Reading through these bureaus’ FAQs on data freezes, they state that you can always turn the freeze off.
Overall, the process was pretty easy; it just took a while to create the new logins and find out where to go on their websites to do the credit freeze. Links to the websites are in the LA Times article.
There was no charge to set up my login and do the credit freezes; however, Experian tried to drive me to their paid premium membership. For example, even now after setting up my login and doing the credit freeze yesterday, when I just accessed the Experian site, it prompted me to sign up for the premium membership again. To access my account information, I had to scroll to the bottom and select “keep my current membership”. After selecting that, I could access my information. Experian makes it hard to find where to go to freeze your credit. You want to look for Security Freeze because if you select Credit Freeze, it will drive you to their paid premium service. The process with the other bureaus was much more straightforward. After placing the freeze on your credit, I recommend printing the confirmation pages to a PDF and saving it to your computer or printing a hardcopy.
Two-Factor Authentication
I will review my online accounts and make sure that I have two-factor authentication turned on. I do this for business sites and personal financial sites, but I will be checking my personal sites and apps even if they are non-financial. When available, I will use two-factor authentication even on non-financial sites.
Password Review
I use password management software to create and track my passwords. 1Password and Bitwarden are popular password management software programs. In Apple’s new operating system being released in September, they will have a built-in password app. Currently, Apple has their “keychain” that stores passwords and can autocomplete them, but it is hard to find the “keychain”, which is buried in their Settings App. Their new password app should be a much better experience.
This week, I will use the password software to update my passwords that don’t automatically require routine password resets. Creating difficult and unique passwords for each site is important. Do not use the same password for all your sites because if that login is hacked, then the hacker could use the password to access your other sites. I recommend updating your passwords for more sensitive sites, such as banks, on a regular basis.
Create Logins for all Financial Institutions You Work With
This might sound counterintuitive, because how can somebody access your financial institution if you cannot access it online? Unfortunately, with this data breach, a hacker could have enough information to create a login and access the financial institution’s website. If you create the login with a good password, you will make it much harder for the site to get hacked and you might be contacted by the financial institution if there are repeated failed attempts to access the site.
Keep an Eye Out for Suspicious Activity
If you see something suspicious, contact the company directly. If you receive an email from a company stating that your security has been breached and you need to select the link in the email to contact them to fix it, don’t. This could be a phishing attack with a link that could take you to a site that may look like the company’s site but could be a fake one. Instead, look up the phone number for the company and call them to explain the email you received.
Be Careful with Email Links and Attachments
Email can be one of the weakest security links. Don’t open attachments that you are not expecting. If a friend sends you what might be a funny attachment or link, call them first to see what it is. Opening attachments can allow hackers to install programs on your computer without you being aware. You should also be cautious with links and attachments in texts.
Be Sure You Are Receiving Correspondence from Us
If you receive an email or text from Retirement Collaborative LLC that does not look right, call me at 717-545-1447. We will never open an account, create a link between an investment account and your bank account, or take other similar actions without first speaking with you. If you receive paperwork to sign electronically for something we have not discussed, don’t sign it and call me. When talking to our Errors and Omissions Insurance agent, he was saying that there is an increasing concern with cyber threats. As Artificial Intelligence improves, cyber threats will become more convincing. New threats could even include calls that mimic someone’s voice. If you receive a call from me regarding something that is out of the ordinary or not from my phone numbers (717-545-1447 or 717-503-6986), end the call and call me at either of these numbers.
It is unfortunate that we need to be this vigilant with cyber security, but taking these steps now can reduce the likelihood of identity theft or having assets stolen via hacked accounts. If you have any questions about this email or your accounts, please contact us.
Stephen Hetrick
Investment Advisory Representative for Retirement Collaborative LLC