The massive Social Security number breach is actually a good thing

A couple weeks ago, I got an unnerving message from my bank. My Social Security number had been compromised in an alleged data breach. I hung on to the word “alleged” as I tried to figure out if it was real. Now I know: It’s real.

As many as 272 million Social Security numbers are floating around hacker forums after someone stole them from a Florida-based background check company called National Public Data, which is owned by an actor and retired sheriff’s deputy named Salvatore “Sal” Verini. This data breach is not as catastrophic as some headlines might make it seem. One news station ran a hyperbolic headline that claimed, “Hackers may have stolen the Social Security numbers of every American.” They haven’t.

Nevertheless, now is a good time to freeze your credit files with the major bureaus (Equifax, Experian, and TransUnion) if you haven’t already. That will protect you from the scammers that tend to follow big breaches like this. If more people freeze their files, there will be fewer victims of cybercrime. It just may be the one good thing that comes from this massive Social Security number breach.

Freezing your credit simply means preventing potential creditors from accessing your credit report, which makes it harder for bad actors to open new accounts, like a new credit card or a loan, using your personal information. It also prevents credit bureaus from selling the data in your credit report, which they unfortunately do. If you want to grant access to your credit report, you can simply ask the credit bureaus to thaw your files. None of this will hurt your credit score.

Even if you don’t think you were impacted by the National Public Data breach, your data has almost certainly been involved in some kind of breach. That’s why you should freeze your credit files: It’s a free and easy way to protect yourself from identity theft and to keep hackers and scammers out of your bank account. And while this latest breach isn’t an urgent concern, big security scares like this tend to attract scammers who prey on the anxious. It’s also election season, which is already full of scammy spam. So why not take an extra step or two to lock down your accounts?

I did just that a few days ago, and it took no more than 10 minutes. But to understand why you should freeze your credit files — and why you should also freeze the credit files of your children, even if they’re under 18 — it helps to understand what big data breaches mean for you now and in the inevitable future when there will be an even bigger one.

The very big but not very scary Social Security number hack

Back in April, a cybercriminal known as USDoD tried to sell four terabytes of data on a hacker forum. The data was from the blandly named National Public Data and comprised 2.9 billion rows of records, including Social Security numbers, addresses, and phone numbers. Partial copies of the data leaked in the following months before another hacker posted a nearly complete version on August 6 for anyone to download for free. A few days later, National Public Data confirmed that it had suffered a data breach. That’s when security experts started to get worried. 

The hacker forum play-by-play is important here because it illustrates just how freewheeling data thieves can be. Once your information is compromised in a breach, you can expect it will end up in the wrong hands.

One of the first security experts to analyze the data was Troy Hunt, founder of HaveIBeenPwned.com, a website that lets you check to see if you’ve been implicated in a data breach. The sheer scale of the breach meant it was “very serious,” Hunt said in an interview. Researchers at the Atlas Data Privacy Corp. reported that the database contained 272 million unique Social Security numbers, which is not the 2.9 billion you might see in some headlines. Many of the records appear to belong to deceased people. Atlas also set up a website where you can check to see if you’ve been affected by the National Public Data breach. 

Hunt actually found his own data in the breach, although most of the information was either outdated or incorrect. 

“I wouldn’t lose sleep over it because I don’t think this is particularly different to what’s been happening for many years,” Hunt told me.

TJ Sayers, director of intelligence and incident response at the Center for Internet Security, had a similar response when I asked him about how worried we should be about this attack. 

“I don’t think necessarily that this is groundbreaking and game-changing,” Sayers said. “A lot of the information that’s in here is probably already out there in some form or fashion from other breaches that have taken place in the past.”

Indeed, data breaches are exceedingly common. There’s a familiar cycle of breaches happening, companies admitting to it, lawyers filing class action lawsuits, and individual consumers getting checks for $5 in the mail. That’s typically it — no arrests, no jail time, no consequences for the hackers who stole the data or the companies who failed to protect it. There is little regulatory oversight of the data broker industry, where companies big and small mine information from consumers and sell it to other companies, often without properly protecting that data — hence the frequency of breaches. Data brokers don’t necessarily care, though, since consumers are the product in this industry, not the customer.

The amount of stolen consumer data available online is also growing. In his coverage of this latest breach, Krebs, the security journalist, likens data brokers to oil tankers; breaches are oil spills with negative long-term effects. Krebs says, “[T]he cleanup costs and effort from data spills — even just vast collections of technically ‘public’ documents like the [National Public Data] corpus — can be enormous, and most of the costs associated with that fall to consumers, directly or indirectly.”

So even if this breach isn’t an immediate threat, the sum total of all data breaches is disastrous. And there isn’t much to protect consumers like you and me.

How to freeze your credit files

That brings us back to freezing credit files. Even in the absence of a major data breach, freezing your credit is a free and straightforward way to protect yourself from identity theft. It’s also surprisingly easy to do and just as easy to undo, in the event that you want to open a new account or apply for a loan.

The three major credit bureaus are Equifax, Experian, and TransUnion. You might remember Equifax from its own massive data breach, which compromised the private records of 148 million Americans in 2017. That hack, which was carried about by the Chinese military, according to the FBI, led to calls for stricter data breach laws — laws that still haven’t been passed. But thanks to a 2018 law that loosened some banking regulations in the wake of the Great Recession, the credit bureaus can no longer charge fees to freeze and unfreeze your credit files. You can also request a free credit report from each of the bureaus once a week now, rather than once a year. So things have gotten better in a way.

You can put a freeze in place by setting up an account at each of the credit bureaus’ websites. (Here are direct links to the pages to freeze your accounts for Equifax, Experian, and TransUnion.) Once your account is set up, it only takes a couple of clicks to freeze your files. You can also file a freeze by phone or by mail. Read more about how that works here. You might also consider freezing your files with secondary bureaus, of which there are many. You can opt out of LexisNexis, one of the biggest, here. Other secondary bureaus include ChexSystems, Innovis, MicroBilt, and NCTUE — you can read up about them and see how to freeze those files too.

By the way, don’t pay for anything while you’re doing this. The credit bureaus are required to let you freeze your files for free but they might try to sell you a paid service with the confusing name “credit lock.” Credit lock services, which cost as much as $30 a month, also restrict access to your credit report and promise to let you unlock it immediately. Credit freezes might take a business day or three to unfreeze, but they come with more legal protections.

If you have kids, you can freeze their credit files, too — even if they don’t have one yet. Although freezing a child’s credit is not as quick as two clicks on a website, it’s fairly straightforward and could save your family a lot of grief. 

“Childhood identity theft is outpacing adult identity theft,” said Sayers, from the Center for Internet Security. “A lot of parents and children don’t realize their identity is stolen until they turn 18 years old and they need to get a college loan or they need to get their first credit card.”

This is all scary stuff, although the latest batch of stolen Social Security numbers in the news shouldn’t frighten you into inaction. Freezing your credit files will not only provide peace of mind but also real protection. Now is also a good time to start using a password manager and multi-factor authentication if you don’t already. After all, your usernames and passwords are more than likely already out there, floating around the hacker forums, just waiting for an identity thief to target you next.

A version of this story was also published in the Vox Technology newsletter. Sign up here so you don’t miss the next one!