My Social Security number’s been hacked!  

Co-authored by Trusted Internet CEO, Jeff Stutzman and Scott Scheferman.

“On or about April 8, 2024, a criminal gang that goes by the name of USDoD posted a database entitled “National Public Data” on the Dark Web hacker forum named “Breached.” USDoD alleged to have the PII (personally identifiable information) of approximately 2.9 billion individuals and offered the database for purchase at a price of $3.5 million. Specifically VX-Underground, an educational website about malware and cyber security, reported the following: April 8th, 2024, a Threat Actor operating under the moniker “USDoD” placed a large database up for sale on Breached titled: "National Public Data". They claimed it contained 2,900,000,000 records on United States citizens. They put the data up for sale for $3,500,000.”[1]

And now today everybody’s worried that our social security numbers have been stolen.

Here’s my answer:

Everybody's social security numbers have been stolen already! The list of breaches where you’ve been compromised is nearly endless.

  • In 2015, the Office of Personnel Management, the government organization that maintains the records for our security clearances, got hacked - bad. Everything was leaked: my social security number, all my background information, and so was that of everybody else that I knew.

  • In April 2024, TechCrunch reported that a U.S. consulting firm, Greylock McKinnon Associates (GMA), disclosed a data breach in which hackers stole as many as 341,650 Social Security numbers. The data breach was disclosed on Friday on Maine’s government website, where the state posts data breach notifications.[2]

There is also the reality of wide-open data buckets and data combination.

  • Hackers target data sources left open in cloud storage solutions like Amazon S3 buckets, which are often improperly configured and lack necessary security measures. These open buckets can be accessed by anyone, allowing hackers to collect sensitive data such as personally identifiable information (PII), financial records, and yes, even social security numbers. Once obtained, hackers can re-combine this data with other publicly available information to construct complete identities, which can then be exploited for various malicious purposes, including identity theft and fraud.

  • A notable example of such a breach occurred with Capital One in 2019. Paige Thompson, a former Amazon Web Services employee, exploited misconfigured S3 buckets to access over 100 million customer records. This breach exposed sensitive information, including names, addresses, credit scores and indeed even social security numbers.

So, your social security number's been hacked. What are we going to do? Here's what I know.

Have you ever given your social security number to a bank? An insurance company? The hospital? Have you opened a credit card or do you use a cell phone? We give our social security number away to anyone that asks without regard for how well they protect it. And you know what? They don’t.

  • FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. It has been called one of the most successful criminal hacking groups in the world. And prior to 2020, they were behind many of the data breaches from companies like Red Robin, Chili’s, Omni Hotels, and Saks Fifth Avenue. (After 2020, they turned their efforts to ransomware operations.)

And what about your home? Most of the cable modems in the country have been compromised for years. These hackers have direct access to your home computers, phones, and internet of things (camera systems!).

There’s a 100% probability that your social security number was lost well before this article last night.

Every day, your computers are bombarded by automated robot networks called botnets that go out and steal personal information like social security numbers, driver's licenses, and credit card information. They sell these full identities that they've stolen by the record. And I don't know what the price is anymore, but years ago, they might have been upwards of $50, $100, or more. Now they're becoming cheap. Why? Because they've been doing it for so long. Your social security number has been getting stolen forever. You just didn't know about it.

So what do you do? Okay, here are some practical steps:

Our standard baseline playbook for identity theft: 

Identity theft is most often caused by the loss of usernames, passwords, social security numbers or other private information that may allow someone to pose as you, online or in person. 

  

What's the playbook? Here's a starter: 

1. Freeze any accounts and credit ratings (not something we do, but you should recommend this)

2. Immediately change passwords across the board -- every one of them.

3. As soon as possible, or while changing passwords, turn on Two Factor Authentication. Most banks offer it. Where not possible, request it or call Trusted Internet and ask them to help set you up.

4. Have someone perform a dark web search for potential areas of loss and remediation options.

5. Purchase a credit monitoring service. Here's Money Magazine's comparison of five they recommend: https://money.com/best-credit-monitoring-services/

 

Where user credentials have been compromised, assume your office and home to be compromised as well. 

1. Next Generation Firewalls (NGF) block botnets from entering (or exiting) networks. Install one now.

2. Load or update antivirus on every device, moving to a commercial product, and load Minerva's Armor where possible. If you need help, contact Trusted Internet’s Executive Cyber Support Team at help@trustedinternet.io. Executive Cyber Support can send you a no-cost 30-day trial.

   a. Download and install Sophos Intercept X for Mobile for your iOS and Android devices.

   b. Download and install Sophos Endpoint for your Mac or PC.

3. Monitoring is a must. Because most identity theft is caused by lost passwords, there is a high probability the attacker will try again.

Once you've changed your passwords, turned on two factor authentication and updated or loaded antivirus and run initial scans, watch for additional activity for a few days.

Here’s what the US Government Recommends (usa.gov) 

Prevent Identity Theft 

Keep these tips in mind to protect yourself from identity theft: 

  • Secure your Social Security number (SSN). Don't carry your Social Security card in your wallet. Only give out your SSN when necessary.

  • Don't share personal information (birthdate, Social Security number, or bank account number) because someone asks for it.

  • Collect mail every day. Place a hold on your mail when you are away from home for several days.

  • Pay attention to your billing cycles. If bills or financial statements are late, contact the sender.

  • Use the security features on your mobile phone.

  • Update sharing and firewall settings.

  • Use a virtual private network (VPN) if you use public wifi.

  • Review your credit card and bank account statements. Compare receipts with account statements. Watch for unauthorized transactions.

  • Shred receipts, credit offers, account statements, and expired credit cards. This can prevent “dumpster divers” from getting your personal information.

  • Store personal information in a safe place.

  • Install firewalls and virus-detection software on your home computer.

  • Create complex passwords that identity thieves cannot guess. Change your passwords if a company that you do business with has a breach of its databases.

  • Review your credit reports once a year. Be certain that they don't include accounts that you have not opened. You can order it for free from Annualcreditreport.com.

  • Freeze your credit files with Equifax, Experian, Innovis, TransUnion, and the National Consumer Telecommunications and Utilities Exchange for free. Credit freezes prevent someone from applying for and getting approval for a credit account or utility services in your name.

Need help? Contact your Virtual CISO™ or reach us at help@trustedinternet.io.

 


[1] Bloomberg Law covering UNITED STATES DISTRICT COURT, SOUTHERN DISTRICT OF FLORIDA, FORT LAUDERDALE DIVISION, Case 0:24-cv-61383-XXXX

[2] https://techcrunch.com/2024/04/08/hackers-stole-340000-social-security-numbers-from-government-consulting-firm/
