2.9 billion people allegedly had Social Security numbers, other data stolen

About 2.9 billion people may have had their personal information hacked, a new proposed class action lawsuit alleges.

If true, reports suggest all Americans may have had valuable personal information compromised — including full names, current and past addresses, Social Security numbers and information on parents, siblings and other relatives.  

The alleged April 2024 breach occurred when a background check company doing business as National Public Data, owned by Jerico Pictures Inc., failed to properly safeguard information it scraped, the lawsuit states. The company provides instant search access to billions of records.

Neither National Public Data nor Jerico Pictures returned requests for comment by CNBC.

“If this turns out to be accurate … then it would just basically mean that everyone’s affected,” said Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, a non-profit organization focused on cybersecurity awareness and education.

However, this breach may not be as far-reaching as reports suggest, said James E. Lee, chief operating officer at the Identity Theft Resource Center, a non-profit organization working to minimize the risk of identity theft.

For example, if there were multiple records per individual compromised, that could reduce the total number of people affected. If other countries were affected too, that could reduce the number of Social Security numbers involved. In addition, much of the information leaked may have already been available elsewhere, he said.

A 2017 Equifax data breach was estimated to have affected half the U.S. population. A 2013 Yahoo data breach may have affected all the company’s accounts, or 3 billion people total.

Still, experts say the news of this latest breach should put consumers on high alert.

“It’s not a matter of if, it’s a matter of when,” Steinhauer said. “I’d be surprised [if] there are many people who haven’t been affected by a data breach like this already, just because of the sheer number of breaches that have happened that contain similar data.”

More from Personal Finance:
Social Security cost-of-living adjustment may be 2.6% in 2025
Here’s the inflation breakdown for July 2024
A U.S. construction boom is sending rents lower

Consumers tend to find out their information may have been compromised through data breach notices from the companies affected.

“We’ve got enough data now to say if you get a data breach notice, there’s a high likelihood that you’re going to suffer an identify crime at some point within 12 months,” Lee said.

While it’s still not possible to directly correlate a breach to an identity crack, he said, the risks have no expiration date once your information has been exposed.

“You’re vulnerable forever,” Lee said.

While freezing your credit will limit access to your credit reports, it won’t block it completely. Your records will still be available to certain companies and under certain circumstances.

The freeze doesn’t just block bad actors. Notably, if you want to apply for a new credit card or auto loan, you may get rejected if you do not unfreeze your credit first.

As you freeze your credit, you should proceed with caution. Make sure you’re not clicking on a lookalike domain that purports to be one of the three major credit bureaus that could instead be operated by hackers, Steinhauer said.

Additionally, do not open your personal records on public Wi-Fi, he said.

Consumers can purchase additional protection through dark web monitoring services, which will let you know when your information is compromised. While that step can provide peace of mind, it’s not going to stop anything from happening, Lee said.

Consumers should also make sure they have strong and unique passwords that use multi-factor authentication, where two or more steps are used before access to an account is granted. Consumers may want to consider using a password manager, which can help generate strong passwords and store those codes, Steinhauer said.