NPD Breach Reveals Data on Hundreds of Millions, Here’s How to Respond

A few months ago, news broke about the latest massive data breach, this time from a company called National Public Data, a company that collects vast amounts of personal data about individuals from public data sources, including addresses, employment history, criminal records, and Social Security numbers. NPD then sells access to that data to employers conducting background checks, landlords screening potential tenants, banks verifying loan information, and more.

Unfortunately, NPD’s data security was lax, with the company publishing its own passwords in a file that was freely available from its homepage. How many people are affected remains unclear, though it seems likely to be hundreds of millions, if not the three billion reported by some outlets. Precisely what is included in the breach varies by person, but it includes names, physical addresses, phone numbers, dates of birth, and Social Security numbers for many. Email addresses may be included as well.

Put bluntly, this is terrible. It’s bad enough when a firm to which you’ve entrusted your data suffers a breach, but no one affected by the NPD breach had a relationship with the company. NPD was just hoovering up everything it could find and reselling it. NPD is far from alone in this field—numerous other companies do the same thing, and some of them have also suffered data breaches.

What can you do? Honestly, not much. Your data appeared in the breach through no fault of your own, so apart from generally trying to keep the amount of your personal data available online to a minimum (watch social media in particular), nothing you do will make a big difference.

You might be tempted by services that promise to “scrub the Internet!” of your data at people-search sites, but a Consumer Reports study found that they were largely ineffective, working for only about a third of the profiles tested. (The study was admittedly fairly small.) The best of the services was effective less than 70% of the time, and manually opting out at each site was slightly more effective. Plus, the study only looked at sites that offer opt-out options—with companies like NPD, there’s no way to know if they have your data or will remove it if asked.

However, several sites will now tell you if your data was included in the NPD breach, including npdbreach.com and npd.pentester.com. Keep in mind that both come from companies that also offer data removal services, although neither were included in the Consumer Reports study.

Breached companies will often offer free credit monitoring services to affected customers. That’s highly unlikely to happen with NPD because it has no business relationship with the people whose data it lost. But there’s a better approach anyway: placing a freeze on your credit reports. Doing so is free and prevents an identity thief from opening new financial accounts in your name by blocking access to your credit file from prospective creditors. Freezing your credit report has no impact on your credit score.

However, before you freeze your credit reports, check them to ensure they’re accurate. You can get free weekly credit reports from all three credit bureaus at AnnualCreditReport.com, authorized by the federal government, which also offers other useful information about protecting yourself from identity theft. If you discover any mistakes, work with the credit bureau to resolve them.

Once you’ve checked your credit reports, you can freeze them, which you need to do with each of the three credit bureaus:

Security freezes remain in place indefinitely, and many people can leave them that way. However, you’ll need to remove the freeze temporarily if you plan to rent a new apartment or house, take out a loan, apply for a credit card, set up a new mobile phone plan or utility account, apply for a new job, or undergo a background check. All three services provide such a capability online, or you can contact them via phone or postal mail, as mentioned above. It can be hard to think about removing a freeze proactively, so if something that might involve checking your credit score fails unexpectedly, remember the freezes. You might even make an annual reminder in your calendar so you don’t go too long without remembering.

It’s a shame that data breaches have become a fact of life, but that’s unavoidable without significantly stronger privacy regulations that prevent large companies from unnecessarily storing personal data and punishing them when they don’t protect it effectively.

(Featured image by iStock.com/BackyardProduction)