Privacy expert wants to clarify how bad the National Data breach really was

That last giant breach -- the one that reportedly got "billions" of records? An ID theft expert says many news organizations got the story wrong. (c) ConsumerAffairs

If you think your information was stolen, there's a number to call

You've probably seen that headline about 2.9 billion people's data getting stolen. It's a pretty scary number, isn't it?

But one privacy expert has decided to express his inner Shakespeare and suggest that the headline got it all wrong – that “A breach by any other name would not be this stinky.”

“Juliet was arguing that it did not matter that her love interest, Romeo, was from a rival family. In today’s cybersecurity terms, it does not always matter how many people have been impacted by a data breach or what data was compromised,” Identity Theft Resource Center (ITRC) Chief Operating Officer James E. Lee said in the organization’s latest Weekly Breach Breakdown podcast.

“What’s important is the fact that there has been a data breach, how it occurred, and whether victims were notified. Often lost in translation is the difference between how many records have been exposed and how many victims have been impacted.”

Lee says the media got it wrong: there weren’t 2.9 billion users. Rather, the criminals made off with 2.9 billion records covering 30 years of information. He contends that there were likely multiple records about the same people over those 30 years, meaning fewer individuals are likely to have been impacted than the “billions” claimed in news articles.

Think of it like this: if you have 2.9 billion apples, it doesn't mean you have 2.9 billion apple trees. You could have just bought those apples at the grocery store.

It's also possible that many of those records are duplicates or just plain irrelevant. Plus, not all data are created equal. Some data, like your name and address, are more valuable to hackers than other data, like your favorite color.

Julio Casal, the chief intelligence officer for Constella, a provider of AI-powered identity risk intelligence services, confirmed that. “The data comes from a poor collection operation from a mix of sources and includes many errors,” he said.

It’s the who behind this, instead

Part of the data the hackers stole came from a data broker called National Public Data, which scrapes information from websites and sells it to private investigators, background check websites, data resellers, mobile apps, applications, etc.

The problem is, National Public Data hasn't told anyone about the hack. No government agency, no victims. We only know about it because someone found their information for sale online and traced it back to National Public Data.

So why is there no National Public Data breach notice to victims? That's kind of weird, right? Why wouldn't they tell people? 

There are several reasons why, Lee says. “The company may not have notified officials or individuals – including the fact that organizations that suffer a data breach are also allowed under state laws to determine if there is a risk to a person from the release of the information. If the decision is there is no risk, there is generally no requirement to notify anyone, including victims.”

The U.S. Department of Justice, along with several U.S. lawmakers and at least two state attorneys general, is digging deeper into the National Data cyberattack, so eventually, the truth should come out.

The bottom line 

So, while the National Public Data breach is certainly a cause for concern, it's important to stay informed and take steps to protect your personal information. That might mean changing your passwords, monitoring your accounts for suspicious activity, and being careful about what information you share online.

If you want to learn how to secure your personal or business info, or if you think you have already been the victim of an identity crime like a data breach, Lee invites you to speak with an expert ITRC advisor via text or on the phone (888.400.5530), chat live on the web, or exchange emails. Just visit www.idtheftcenter.org to get started.
