• Telorand@reddthat.com
    link
    fedilink
    English
    arrow-up
    179
    ·
    4 months ago

    A complaint submitted to the US District Court for the Southern District of Florida claims the exposed personal data belongs to a public records data provider named National Public Data, which specializes in background checks and fraud prevention.

    What’s with these companies nobody has heard of causing massive fuck ups?

  • grte@lemmy.ca
    link
    fedilink
    English
    arrow-up
    168
    ·
    4 months ago

    The personal data of 2.9 billion people, which includes full names, former and complete addresses going back 30 years, Social Security Numbers, and more, was stolen from National Public Data by a cybercriminal group that goes by the name USDoD. The complaint goes on to explain that the hackers then tried to sell this huge collection of personal data on the dark web to the tune of $3.5 million. It’s worth noting that due to the sheer number of people affected, this data likely comes from both the U.S. and other countries around the world.

    What makes the way National Public Data did this more concerning is that the firm scraped personally identifiable information (PII) of billions of people from non-public sources. As a result, many of the people who are now involved in the class action lawsuit did not provide their data to the company willingly.

    What exactly makes this company so different from the hacking group that breached them? Why should they be treated differently?

    • ricecake@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      31
      ·
      4 months ago

      I feel like that might be bad phrasing on the part of the article. They mainly aggregate public records, like legal document style public records, and they also scrapped data from not-(public record) data, which isn’t the same as (not-public) record data.

      I feel like I would want more details to be sure though, but scrapping usually refers to “generally available” data.

      • fmstrat@lemmy.nowsci.comOP
        link
        fedilink
        English
        arrow-up
        4
        ·
        4 months ago

        That all depends. If they’re pulling that private data for use in questionnaires, the terms may not allow them to save it, but they scrape it from the form.

        • ricecake@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          Yeah, it definitely might still be a bad data source,and it’s shady either way, just pointing out that “not public data” has a few meanings, and not all of them are synonymous with “private data”.

    • jaybone@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      ·
      4 months ago

      Same with the big three credit reporting bureaus Equifax and whoever the fuck. Did anyone ever give them permission to horde all of their personal info? I don’t think so.

    • fmstrat@lemmy.nowsci.comOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      4 months ago

      All depends on the terms of use from those that provide the data to them that they scraped from. I bet they never expected a customer to do it.

  • Fredselfish@lemmy.world
    link
    fedilink
    English
    arrow-up
    123
    ·
    4 months ago

    Oh well I feel at this point every man woman and child already had this done to them in United States and our government not doing shit about it.

  • Spotlight7573@lemmy.world
    link
    fedilink
    English
    arrow-up
    105
    ·
    4 months ago

    With a breach of this size, I think we’re officially at the point where the data about enough people is out there and knowledge based questions for security should be considered unsafe. We need to come up with different authentication methods.

        • Nurgus@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          4 months ago

          Indian accent: Hello, this is Microsoft support. Your private key is being hacked and you need to give it to us immediately for safe keeping.

          WCGW?

    • floofloof@lemmy.ca
      link
      fedilink
      English
      arrow-up
      29
      ·
      4 months ago

      We have different authentication methods. The hard bit is persuading people to use them.

      • Spotlight7573@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        Before people can be persuaded to use them, we have to persuade or force the companies and sites to support them.

      • ag10n@lemmy.world
        link
        fedilink
        English
        arrow-up
        13
        ·
        edit-2
        4 months ago

        Tying a password to a browser or device isn’t going to make it any easier. Use a password manager and set unique string passwords for everything. If the app supports it, use FIDO physical keys instead of Passkeys

        • QuarterSwede@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          4 months ago

          … passkeys basically do all this without you having to know how. Your device /is/ the physical key and /you/ are the secondary auth. It honestly doesn’t get any easier for the user.

          • ag10n@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            4 months ago

            What options are there for migrating passkeys to a new device? Easy to lock you into that iPhone and you must use their migration tool when you upgrade. Or I just carry it on my keychain, no vendor lock in.

            • QuarterSwede@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              4 months ago

              3rd party password managers are already adding passkey support. Passkeys isn’t an Apple only security technology. FIDO has its place but passkeys is the future for most people like it or not.

              • ag10n@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                4 months ago

                Do I need a subscription service for this passkey supported password manager? Or I can just buy a hardware key that can be used on my phone or any device, password manager supported or not. Seems like the freedom and portability of a physical key, like a key to your home or car makes a ton of sense.

                Passkeys are based on and supported by the FIDO alliance.

                https://fidoalliance.org/passkeys/

                • QuarterSwede@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  4 months ago

                  You don’t need a subscription as you well know since you know what they’re based on. And I meant FIDO physical keys as you were alluding to. Why would I ever want another device to use with a device that already has biometric auth? That last a barrier of entry that’s too high for most people.

    • Uli@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      5
      ·
      4 months ago

      Pirate keys for sure. Not using one is just asking for a stranger to grab your booty.

  • Treczoks@lemmy.world
    link
    fedilink
    English
    arrow-up
    56
    ·
    4 months ago

    And again they will fail to punish the company responsible for protecting this data for their criminal neglience.

  • aesthelete@lemmy.world
    link
    fedilink
    English
    arrow-up
    53
    ·
    edit-2
    4 months ago

    Any company accumulating, aggregating, and centralizing every piece of private and public information under the sun about people is a ticking time bomb (and that is a lot of companies these days).

    We need harsher penalties for these assholes, and a privacy amendment so that we actually have some rights when dealing with them.

  • Confused_Emus@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    45
    ·
    4 months ago

    Go ahead, steal my identity. See if you have any better luck with it.

    I keep all my credit reports frozen. These days, everyone should.

      • Confused_Emus@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        12
        ·
        edit-2
        4 months ago

        Oh? Who’s the new one?

        ETA: I got woosh’d, didn’t I? I just came off night shift and it’s not even 8AM. That’s my story and I’m sticking to it.

        • werefreeatlast@lemmy.world
          link
          fedilink
          English
          arrow-up
          16
          ·
          4 months ago

          I am. Your login is locked unfortunately. Send me your username and password if you want to unlock it. It’s fairly common. You’ll get your credit score as well.

        • asqapro@reddthat.com
          link
          fedilink
          English
          arrow-up
          9
          ·
          4 months ago

          There are actually more than 3 providers and you should put a freeze on everything you can. You only need unfrozen credit for applying for new lines of credit (loans, credit cards, etc), and unfreezing is a quick process (15 minutes or so).

          Here’s a pretty comprehensive guide for protecting yourself: https://old.reddit.com/r/IdentityTheft/comments/uvv3ij/psa_freezing_your_three_main_credit_reports_is/

          It’s better to take these steps before you get your identity stolen rather than after. These steps can prevent your leaked information from being used against you.

            • asqapro@reddthat.com
              link
              fedilink
              English
              arrow-up
              4
              ·
              4 months ago

              Even if some of the information is outdated, although I believe it’s all still valid, the main points / TL;DR are absolutely relevant. It’s unlikely that the main bureaus will change, and although the exact steps for freezing may change over time, the emphasis on freezing is important.

          • other_cat@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 months ago

            Is anyone else completely unable to register on chexsystems? Usually when this happens I can’t tell if it’s because of my privacy settings or a legitimate fuckup on the server’s end.

  • CallateCoyote@lemmy.world
    link
    fedilink
    English
    arrow-up
    42
    ·
    4 months ago

    Dang, that’s quite a few people. Maybe we can stop linking our identity to a simple number in the US sometime? That would be swell.

  • solrize@lemmy.world
    link
    fedilink
    English
    arrow-up
    39
    ·
    4 months ago

    There are only 1 billion SSNs possible with 9 digits, and at most around 350M living people who have them (the US population). This breach is international but SSN is a US thing.

    • JohnEdwa@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      4 months ago

      9 digit social security number specifically might be, but a unique number tied to you that is often used as identification when it really shouldn’t isn’t, it’s a shitshow that has been implemented in many countries around the world.
      The Finnish version was called an SSN originally for example, though now its a “henkilötunnus”, personal identity code.

      https://en.wikipedia.org/wiki/National_identification_number

    • floofloof@lemmy.ca
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      4 months ago

      And not all 9-digit numbers are used, so there are fewer than a billion. It sucks when organizations store them because the search space is so small it’s relatively easy to unhash them in a stolen database.

      • prime_number_314159@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        4 months ago

        A lot of businesses use the last 4 digits separately for some purposes, which means that even if it’s salted, you are only getting 110,000 total options, which is trivial to run through.

    • catloaf@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      4 months ago

      Do TINs overlap with SSNs? Because businesses and non-citizen taxpayers have TINs instead of SSNs, but they’re used just the same.

      • solrize@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        This I don’t know. I remember reading that around 70%(?) of SSNs have been allocated, and there are enough left for a few decades. No idea whether corporation TINs come from that. I believe non-citizen taxpayers get similar SSNs to citizens. IDK if they pay into social security and collect benefits the same way.

  • xthexder@l.sw0.com
    link
    fedilink
    English
    arrow-up
    36
    ·
    4 months ago

    How did this company leak 2.9 billion people’s info, including SSNs, when the population of the US is only ~350M?

    Is “National Public Data” collecting info on everyone internationally? So many questions…

    • HubertManne@moist.catsweat.com
      link
      fedilink
      arrow-up
      13
      ·
      4 months ago

      I just assume ssn is for a us audience and its worlwide with equivalent numbers but who knows. I mean there are only 8 bil on the planet so thats like everyone except maybe china, india, and africa

    • CluelessLemmyng@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      9
      ·
      4 months ago

      When applying to a US government position with a certain security clearance, they will do background checks of you, your family and extended family, if need be.

      And I’m sure that can be the case for any employer who needs background checks. That being said, I also suspect some of these people in the database are dead.

  • ClanOfTheOcho@lemmy.world
    link
    fedilink
    English
    arrow-up
    36
    ·
    4 months ago

    It sounds like a bad breach, and I’m not arguing against that. I just want to point out my doubts that there were ever 2.9 billion Americans since the founding of the nation, let alone since social security numbers became a thing. Maybe if I bothered to read the article, it would make more sense.

    • my_hat_stinks@programming.dev
      link
      fedilink
      English
      arrow-up
      27
      ·
      4 months ago

      Okay, but I’m not sure how revelant that is. The article doesn’t say only Americans were affected, it says the exact opposite.

      […] this data likely comes from both the U.S. and other countries around the world.

        • my_hat_stinks@programming.dev
          link
          fedilink
          English
          arrow-up
          9
          ·
          edit-2
          4 months ago

          Social security numbers being involved in a breach does not mean that the breach only affects Americans. Some records might not have an equivalent ID number associated with them at all, and some records could have similar ID numbers from other countries. They also list current address as part of the data leaked but the fact many people don’t have a current address didn’t seem to cause you any confusion. The original source lists “information about relatives”, if that was in this title would you have assumed only people with living relatives were included?

          “I didn’t read the article” is a poor excuse when you’re commenting on the believability of the article. What happened here is you saw an article, immediately assumed it was about the US, realised that doesn’t make any sense, then dismissed the article without even bothering to check because the title doesn’t fit the US exclusively. It’s crazy to me that you wouldn’t even consider the fact it’s not an exclusively US-based leak.

          • ClanOfTheOcho@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            4 months ago

            I mentioned the not reading the article so people would not waste their time citing facts from the article that may explain the headline that suggested billions social security numbers were leaked. I made no assumptions about missing addresses, as the headline didn’t mention anything about missing addresses. I even mentioned that the event the article discussed was probably pretty bad – definitely not a negative against the article’s believability. I’m only guilty of judging a book by its cover, and in an existence of limited time, nobody has time to do any more than that except for limited exceptions. I did not choose to make this article an exception. The headline was mathematically deceptive, and my comment was about that. Nothing more.

            If you see an article highlighting a breach of social security numbers and don’t assume it’s about the U.S., that’s crazy to me.

    • Captain Aggravated@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      9
      ·
      4 months ago

      There’s something like 330 million Americans currently alive, give or take. Social Security began in 1935, so that’s 89 years ago. For the sake of making the math easy for a dumb Lemmy comment, let’s figure the population at the time was two thirds of what it is today at 220 million, and we can figure that within the margin of error virtually all of them are dead. Yes there are some Americans between the ages of 90 and 111 but they likely didn’t have social security numbers as children; the practice of assigning a SSN at birth happened later when they tied it to a tax credit for having kids; at first you got a SSN when you got your first job so anyone who was under the age of 15 or so in 1935 wouldn’t have been given one.

      So let’s figure 220 million Americans who have since died, and 330 Americans who are still alive, have held social security numbers. That’s 550 million SSNs total. Rough back of the napkin math.

      • mctoasterson@reddthat.com
        link
        fedilink
        English
        arrow-up
        6
        ·
        4 months ago

        The SSN itself is limited to under 1 billion possible permutations anyway because the format is 9 total digits. (3 digits hyphen 2 digits hyphen 4 digits.)

        And if I recall they also have something weird with the state you were born roughly corresponding to which 3 digit prefix you’re issued. Obviously that isn’t purely true either because that would only give you about 1 million unique numbers per prefix.

        Either way they’ve gotta be close to the theoretical maximum of the format without recycling numbers.

    • jabathekek@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      6
      ·
      4 months ago

      Lol, yeah “National Public Data” has records of over 3 billion people going back 30 years and these people live all over the world, so it seems.

  • Doxatek@mander.xyz
    link
    fedilink
    English
    arrow-up
    28
    ·
    4 months ago

    I like how my social security card explicitly says not to be for identification and tax purposes only. But I need for absolutely fucking everything and to identify I’m a citizen. Can hardly sign up for a new email without a SSN. (Exaggerating of course about the email)

    • qjkxbmwvz@startrek.website
      link
      fedilink
      English
      arrow-up
      3
      ·
      4 months ago

      to identify I’m a citizen.

      It’s kinda worse than that — it’s used to authenticate yourself as a citizen.

      My SSN should at most be an ID, no different from a name. I can identify myself as Darth Vader or 4200-69-1337, but that shouldn’t matter, because I should never be able to authenticate myself as either of those.

  • Ebby@lemmy.ssba.com
    link
    fedilink
    English
    arrow-up
    28
    ·
    4 months ago

    Alrighty, brainstorming time people. If you could write some practical laws, what protections do we need to stop these from happening.

    I’m thinking 3 categories: Reporting, oversight, and accountability.

    Reporting: all entities holding personally identifiable information (PII) must reach out once every 12 months. This hopefully unveils seedy brokers relying on obscurity. Maybe a policy to postpone notification up to 5 years (something like that) may be available as opt-in.

    Oversight: targets of PII have oversight of what is collected/used. Sensitive information may be purged permanently upon request.

    Accountability: set minimum fines for types of data stored. This monetary risk can then be calculated and factored into business operations. Unnecessary data would be a liability and worth purging.

    • RegalPotoo@lemmy.world
      link
      fedilink
      English
      arrow-up
      22
      ·
      edit-2
      4 months ago

      Ok, bit of an outlandish idea, but how about something like:

      • Decree that information about a person is the property of that person, and therefore cannot be possessed without compensation. Think of it like intellectual property, but for your personal information
      • Set a standard royalty - say $0.05/year - that must be paid to the owner of that information for as long as that information is held. This forms an incentive to not hold information you don’t need, and gives visibility to all the places that are now forced to contact you every year to pay you the royalty
      • Places where you have an explicit contractual relationship with (utilities, banks, …) could have a clause to set the royalty at $0.00, but this can’t be extended to third parties - strong incentive not to transfer information to third parties
      • Unauthorised transfer or loss of information could be considered IP theft, and result in significant civil penalties
      • Ebby@lemmy.ssba.com
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        4 months ago

        Wow, you just reminded me of a data use policy I wrote up when I was young and sent a data broker after a security breach!

        They laughed at me.

        You and I think alike here.

    • SwingingTheLamp@midwest.social
      link
      fedilink
      English
      arrow-up
      10
      ·
      4 months ago

      How about a government-sponsored, non-profit authentication service? That is, it should be impossible to get a loan, open a line of credit, or anything else in somebody’s name, without the lending institution verifying that it’s actually on behalf of the named individual. Eliminate the security-through-obscurity technique of using bits of easily-leaked personal information as a poor substitute for actual authentication.

      I mean, (as a comparative example) I have to go through an OAuth2 consent dialog to connect a third-party app to my email account, yet somebody can saddle me with huge debts based on knowing a 9-digit number that just about everybody knows? It’s the system that’s broken, tightening up the laws on PII is just a band-aid.

      • Dave.@aussie.zone
        link
        fedilink
        English
        arrow-up
        7
        ·
        4 months ago

        The US system is broken. I have a tax file number in Australia, which is the broad equivalent of a US SSN, and you know what someone can do with it if they also have my name and DOB? Fuck-all, except file my taxes for me, because you can’t use it as an identifier anywhere else than the Australian tax office.

        If I want a loan or a credit card or to open a bank account or any number of things , I need enough verifiable documents including photo ID to satisfy the other party that I am really them. Basically it’s a points system where any form of government photo ID gives you about 80 points and any other item of identifiable data gives you 10-20 points and usually you have to clear 100 points to be “identified”.

        So my passport plus my driver’s licence is enough. My driver’s licence plus my non photo ID government Medicare card or my official original copy of my birth certificate is enough. My driver’s licence and two bank or credit cards is enough. About 5 or 6 things like my birth certificate, electricity bills in my name or local government rates notices and bank cards is sometimes enough, although photo ID from somewhere is usually required, or you need a statutory declaration from someone in good standing saying that you are who you say you are.

        This kind of thing, while slightly more inconvenient, requires a number of physical items that can’t be easily stolen en-masse. I carry enough of them in my wallet that I can do anything I need to do, as my driver’s licence provides photo ID. People who don’t drive or have a passport can scrape together enough bits and pieces to usually get by.

        So it’s time for a change. But it doesn’t have to involve technology or a huge shift in the way of doing things. It just requires a points system similar to what I describe. Whether the US can effect that change now with the millions of systems that rely on a SSN for a trivial key in a database in some small retailer somewhere, I don’t know.

        • catloaf@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          4 months ago

          That’s basically how it works in the US too. For example, for a form I-9, Employment Eligibility Verification, you need a passport, OR both proof of identity and proof of citizenship: https://www.uscis.gov/i-9-central/form-i-9-acceptable-documents

          It’s similar for stuff like state drivers’ licenses.

          The thing is, a federal domestic ID is all but prohibited. We have to have passports for international travel, but too many people are against federal ID because of “muh privacy”, even though it means we just end up misusing SSNs and companies like this one compensate by collecting multiple data points on each person.

      • Brkdncr@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 months ago

        This so much. In fact, go a step further and have a few competing auth services, with some regulatory oversight for managing that much pii.

    • Telorand@reddthat.com
      link
      fedilink
      English
      arrow-up
      6
      ·
      4 months ago

      Oversight: I would add a mandatory security audit annually, that they have to pay for, and which occurs during a given quarter at random (so you can’t “put on your best face” for a single day).

      The security audit cost is partially subsidized if they agree to a second audit 6-9 months after the first (tax funded).

      Accountability: I would add Prison time as a minimum penalty for the CEO and CIO, and the punitive damages must be a percentage of their profits (no flat rates), which is in addition to any compensatory damages awarded to plaintiffs. The penalty shall be used to help pay for future audits.

    • Asifall@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      I think we also need levels of PII or something, maybe a completely different framework.

      There’s this pattern I see at work where you want to have a user identifiable by some key, so you generate that key when an account is created and then you can pass that around instead of someone’s actual name or anything. The problem though, is that as soon as you link that value to user details anywhere in your system that value itself becomes PII because it could be used to correlate more relevant PII in other parts of your system. This viral property it has creates a situation where a stupid percentage of your data must be considered PII because the only way it isn’t is if it can be shown that there is no way to link the data to anybody’s personal information across every data store in the company.

      So why is this a problem? Because if all data is sensitive none of it is. It creates situations where the production systems are so locked down that the only way for engineers to do basic operations is to bend the rules, and inevitably they will.

      Anyway, I don’t know what the solution is but I expect data leaks will continue to be common passed the point when the situation is obviously unsustainable

  • BingBong@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    22
    ·
    4 months ago

    Identity theft monitoring services always scare me. It seems like you are dumping a huge amount of information into a single system and just hoping the vendor is secure. I have access to one but refuse to put much information in. Is this mindset incorrect?

    • AnarchistArtificer@slrpnk.net
      link
      fedilink
      English
      arrow-up
      5
      ·
      4 months ago

      It reminds me of the recent Crowdstrike fiasco: apparently kernel level access was needed for their anti-malware to be able to properly work (because that way their net can cover the entire OS basically), but that high level of access meant that when CrowdStrike fucked up with an update, people’s computers were useless. (Disclaimer, I am not a cybersecurity person and am not offering judgement either way on whether Crowdstrike’s claim about kernel level access was bullshit or not)

      In a similar way, in order for identity theft monitoring services to work, they surely will need to hold a heckton of data about you. This is fine if they can be trusted to hold that data securely, but otherwise… ¯\_ (ツ)_/¯

      I share your unease, though I don’t feel able to comment on the correctness of your mindset. Though I will say that on an individual level, keeping an eye on your credit reports in general (from the major credit agencies) will go a long way to helping there (rather than paying for serviced that give you a score and other fancy “features”, you can request either free or v. low cost report which just has the important stuff you need to know.)

      I also know that if you want to be extra cautious, you can manually freeze your credit so basically no new lines of credit can be opened in your name. This is most useful for people who have already been a victim of fraud, or they expect to be at risk (such as by shitty family, or a data breach). I don’t know how one sets this up, but I know that if you did want to set up a new line of credit, you can call to unfreeze your credit, and then freeze it again when your application for the new credit is all done. I have a friend who has had this as their default for years now because of shitty family.

      • TwitchingCheese@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        Yea that’s a tough system to design for. Ideally you want sensitive stuff like that, where you don’t care what the data is just that something matches it, stored as the results of a one-way hash function.

        The problem is that most of the data you’re going to want to secure is pathetically tiny. 10 digit SSN? My phone can brute force that in a few minutes if you’re doing raw hashes. Gotta salt them. But now you have a tradeoff decision, salting every one uniquely is best but now your comparison needs to do [leaked data] × [customers] checks to find matches. Same salt on all of them and as soon as one is cracked they all are.