What do I do now? How to respond to the NPD database breach.
In light of the National Public Database breach, in which the personal information of nearly every person in Canada and the United States was deeply compromised, I am offering this document to help people determine 1) if they were compromised, 2) how to react, and 3) what actions they can take to reduce future exposure.
1. Was I compromised?
a. Go to npd.pentester.com and enter your first name, last name, year of birth and the state(s) in which you have lived. The site will present a list of all the records that match the data you supply.
b. You may also go to www.haveibeenpwned.com to check, and while you are there, sign up for emails about future breaches.
c. There will likely be scam artists who offer other websites on which you can allegedly check the breach data. To avoid those sites, use the URLs provided in the two paragraphs above.
2. How do I react to being compromised?
a. Contact Experian, Equifax, and TransUnion (the three credit reporting agencies) and FREEZE your credit account. All of them will allow you to do it online and for free. DO NOT pay someone else to do it for you or pay for freezing your credit report. Remember to unfreeze your credit report if you need to apply for a loan or credit card.
b. Go to annualcreditreport.com to get a free copy of your credit report from each of the three agencies. Typically, you would not get all three at once (because you only get one free one per year) but instead reach out to a different agency every four months so you can keep a recurring eye on your credit report.
c. Contact your telephone provider (AT&T, Verizon, T-Mobile) to prevent someone from calling in and moving your mobile phone number to their phone (called SIMjacking). Each has a different procedure. For more info, go to https://www.wired.com/story/sim-swap-attack-defend-phone/
d. Ensure all of your accounts have Two-Factor Authentication enabled. Ideally, you will use an authenticator app on your phone instead of SMS texts (to prevent the issue of SIMjacking) but any protection is better than none.
e. Change the passwords on your online accounts, making them complex and random. Use a password manager like 1Password (that’s what I use) to create and store your passwords for you. Apple is releasing a password manager with the next version of macOS that promises to be very good (and free).
3. How do I prevent/reduce the chance of this happening again?
a. Do not ever provide more data than you must for any accounts. Your doctor’s office, for example, will ask for your SSN. Don’t give it. They don’t need it.
b. Never give account info to anyone over the phone UNLESS YOU CALLED THEM YOURSELF. If you believe it’s a legitimate call, tell them you will hang up and call them back at the phone number listed on their company’s website.
c. Consider signing up for a service like www.incogni.com which will, on your behalf and for a fee, reach out to all the companies recording this kind of data and use a legal power of attorney to have you removed from their databases.
These are only recommendations and do not represent a specific endorsement of any product or service. Your mileage may vary and you are responsible for any action you take. If you follow all these tips, you will reduce your exposure but in a digital world there is no guarantee. This is neither legal nor financial advice and you should consult a lawyer or financial adviser before you take action. If you don't like my suggestions and you have a better idea, just be kind....
VP CIO Frederick Health
6 months ago: Great advice
Thanks for sharing
Partner
7 months ago: Great article Phil!