Wide-scale leak of personal data in the US – what does this mean for cyber security and identity management?
Frank S. Jorga
Inventor. Founder. CEO. Chairman. Mentor. Author. Podcaster. Media & keynote requests ????
?
In December 2023, National Public Data (NPD), a company responsible for managing personal data for background checks, suffered a hack that potentially exposed 2.9 billion personal records, including social security numbers (SSNs), email adresses and mobilephone numbers. This breach presents significant risks to US citizens, as SSNs are crucial for many services, making them a prime target for identity theft. The incident underscores the vulnerability of centralized identity systems that rely on a single unique identifier and has gained recent momentum due to recent leaks of parts of the data.
?
Why is the Social Security Number (SSN) so crucial?
In the United States, the SSN is comparable in importance to a passport and is essential for obtaining a job, accessing government benefits, and opening bank accounts. The nationwide storage of such critical information at private data brokers creates a highly attractive target for cyber criminals.
While the compromise of SSNs alone is alarming, their misuse in combination with other sensitive data like names, email addresses, phone numbers, credit scores, and even biometric information greatly amplifies the risk for both individuals and businesses. This could lead to a surge in identity fraud.
The NPD leak apparently consisted of at least two different data packages. One dataset that included social security numbers and one that included more than 100 million phone numbers. While these two datasets were already up for sale on different dark net forums, the great danger lies in the merging of different datasets from different breaches such as the Facebook data breach (2019) or LinkedIn (2021).
Through the merge of big datasets and unique identifiers like email addresses or phone numbers it is possible to scrape all information needed to commit identity fraud. The U.S. Federal Trade Commission (FTC) reports that companies will lose 10 billion dollars to fraud in 2023 alone, with identity theft being the most important and biggest threat.
Why two-factor authentication is not sufficient
Two-factor authentication (2FA) is often seen as a strong security measure, requiring users to provide two forms of verification - such as a password and a code sent to their phone. However, even 2FA has vulnerabilities, particularly in the context of a massive data breach.
If attackers have access to both the primary data, like passwords, and secondary data, such as phone numbers or email addresses, they could potentially intercept 2FA codes or use social engineering tactics to bypass these security measures. Moreover, the sheer volume of compromised information could lead to large-scale, automated attacks that can overcome even 2FA defences.
领英推荐
What can be done to prevent upcoming identity frauds instead
This situation should prompt businesses and lawmakers to implement more robust measures to prevent a wave of identity theft in the coming months and years ahead. While security experts recommend continous monitoring of financial transactions for US citizens in the aftermath of the breach – it will have lasting consequences for the development of online fraud in the US.
Solutions like WebID 's online video identification can help prevent the misuse of leaked data by verifying identities through secure, real-time processes that are much harder for attackers to compromise.
While human based identification solutions via video calls might be more expensive in comparison to completely automated solutions, many financial institutions rely on processes like online video identification to prevent social engineering and scalable automated attack scenarios.
?
Sources:
?