My SSN was found in the National Public Data Breach — Here’s what happened, and what needs to.

Gushi
11 min read · Sep 2, 2024

This morning, I woke up to an email from the “Credit Wise” monitoring service from Capital One.

While there are a number of things about Capital One that I’m not a fan of (their gougy interest rates, their outsourced customer support, their refusal to lower your APR), this feature was useful to me. I logged in, and found this:

This breach is from a background check company called National Public Data (link to a CNBC article about this), who is one of the hundreds of companies in the business of quietly sitting on your info, without your knowledge or consent. Based on the fact that the three pieces of data they managed to get on me were two old former addresses from a decade ago, and one address I never lived at. Here’s a screenshot of the bad page, with info redacted. Note that that address doesn’t even exist.

So, they have my social, and a couple of old addresses. Why should I be concerned?

For starters, nowadays, one of the little “security features” that lots of companies use to validate your identity is a question like “which of the following addresses have you ever been associated with?” Also, the indication that they had inaccurate information tells me that I might not pass some of those identity verifiers.

I’m concerned because today is September 1st, and this was reported to me 11 days after the breach. And it was reported to me not by National Public Data, or the Social Security Administration, but by my credit card company. This is a free service that they offer you, to hook you into other value-added services like helpfully removing your info from some sites.

My bigger problem is: My info was being held on to, by a company that clearly cannot secure their data, and that info is indelible. And I don’t know what they’re doing about it.

There are many, many sites that simply harvest public records (phone listings, voter registration forms, and the like). Those sites are equally useful in providing all sorts of info, and most people don’t know about those either — but those don’t typically include your social security number.

I can request a new credit card number if that leaks. I cannot request a new social or simply invalidate former addresses. If my other info at one of the three main credit reporting agencies breaches, there are other bits of info in there, that include things like my employer and my reported salary. I can’t re-anonymize those.

This bell cannot be un-rung.

Locking my credit file is the next step, at the three “big” credit reporting agencies, and it was also fraught with frustration.

By the way, if you think there are only three credit bureaus, you’re wrong. There are dozens. The US Consumer Financial Protection Bureau lists all of them here, all for different purposes, but even this doesn’t include all the “people search” sites that just hoover, harvest, and sell info because “it was out there for the taking.”

However, the three that are likely to be used if someone tries to leverage my credit to open a new account are the old TransUnion, Equifax, Experian combo, so that’s where I’m focusing my efforts.

Experian

I already had an account with Experian, where every single time I log in, I am offered this upsell, before I can view my data. Just north of $325 a year to get more alerts and more paranoia.

Thankfully, freezing your report with them is quick and easy (one click) but they definitely still try to upsell you with that big pink button.

TransUnion

Creating an account with TransUnion was quick and easy too, but this zinger when I first created an account was just obnoxious:

I didn’t choose you. I was forced to use you by being a consumer in this country, with no option to opt out. Even if you have a massive data breach. Which they haven’t yet, unlike…

Equifax

When I created my account with Equifax, they sent me a verify-your-phone-number 2FA code, and my phone’s battery was dead. I plugged it in and went to make breakfast while it charged.

Now, when I log in with the username and password I created, I immediately get this screen.

It is… *checks watch* 4:17 Pacific, on a Sunday, on Labor Day weekend. I will not be able to do anything about this for a day, and possibly two. Good thing those people trafficking my info also take the same holidays.

Adding security freezes to the two accounts I was able to log in to was easy enough. It’s a shame it is this easy. Almost like this need is commonplace.

Further actions

That’s it. I’ve frozen two of my credit accounts and the third might happen, I guess, Monday or Tuesday? If I feel like spending more money, I can sign up for a bunch of monitoring products, all of which claim they’re the best, but it feels like these should be free, default features, given the amounts of money all these companies make by holding on to my data.

But as a technologist, I see problems in systems. So, here’s a list of everything that I think needs to happen in the future.

  • Remember above where I said there are more like thirty credit reporting agencies? Yeah, it needs to be possible to, in one shot, pull your report from them all, annually, or as often as you’d like if there’s been a breach.
  • We need stronger privacy laws. If you are an organization that is holding on to my information (whether it includes my social or not), and selling it to someone without my consent or knowledge, that should be licensed by the federal government. I should be able to get a list of all such companies holding that information, as well as how long they’ve held it, and the ability to review my own files for inaccuracies, just as I could with a credit report. Holding a bunch of people’s historical financial and address info without that permission (and without their knowledge) amounts to, effectively, stalking. This isn’t like Google where you can log in, click a button, and have your history deleted.
  • That licensure needs to come with a security audit, and a massive insurance policy that will pay out in the event of a breach. These audits are a giant pain in the butt, but they need to be seen as “the cost of doing business”.
  • If you are in the “peoplefinder” class of security trolls who innocently claim “we’re just aggregating public records”, there needs to be a single way to opt out of this, much like the “do not call” registry. If you add your name to the list, you are deleted from their records, not just hidden. And you should not have to visit each site, individually, to do it (because again, how do you visit sites you do not know about?). Now, arguably, there should still be a means to do skip tracing and background checks, but those, too, should come with licensure.
  • Right now, when a breach like this happens (either with a big-3 credit bureau, or some third party company like this) what is typical is a class action lawsuit. Some big law firm goes and sues the company “on behalf of all affected” and the payout is often minimal and not commensurate with the potential loss — but the lawyers always make tons for bringing the settlement. Sometimes the only thing the consumer gets is just “we’ll give you a year of free credit monitoring” with a company like LifeLock (owned by Norton, who has been capitalizing on bad computer security for decades). This needs to be given more teeth, and when it happens, companies need to adhere to a “one strike, you’re out” policy. You are no longer worthy of protecting the can’t-opt-out financial information of millions of Americans.
  • If Equifax, Experian, and TransUnion are in the business of protecting our credit information, and offering it up to lenders along with our history and FICO scores, then that needs to be their only business. They need to no longer be in the business of “upselling” us additional monitoring. It either needs to be something that comes for free, for everyone, and subsidized by the people (big banks and loan companies) who use their services, or they need to just stop doing it. We don’t have a choice to not use their services, they should not have a choice to not do their very best to keep our data secure.
  • And finally, the big one: Social Security numbers *suck* as an identifier for any number of reasons. They are of a limited sequence, have no built-in checksums, and were never intended to be used outside of the Government. And frankly, it’s time to move past them as an identifier. They need to be the same as credit card numbers. Longer, with built-in checksums, and some sort of PIN required for use. Any breach triggers a reissue, or at least, validity for one. YouTuber CGP Grey did a great video about how terrible this number and card are as a national identifier, and its time has come and gone.

A Final Thought: What if we could make it so having the number out in the open wasn’t scary?

Credit is a necessary evil in today’s society. You can’t really apply for a job without having a social security number so that taxes can be withheld. Having other people have access to that number, even in the short term, is a risk.

You are hard-pressed to be able to rent a car or check into a hotel room without having available credit — the hold on a credit card vanishes quickly, but the funds withdrawn from a debit card could take weeks to post back. Employers want to look at your credit rating to make sure you’re not a high risk. The system treats people without credit (even secured credit) as second class citizens. And because credit is necessary, so is interacting with these agencies, and letting them hoard some data on you, which provides for the possibility that that data can be breached.

So what if the social security number was *still there* but useless — just a “counter” field in the database table? What if you could no longer use a social security number to apply for a loan? Just like credit cards stopped using physical carbon impressions of the raised numerals on the card and went to mag-stripes, and then to smart cards, it’s time for technology to move on.

I propose we set a flag day ten years in the future, and tell anyone who extends credit (banks, mortgages, loan companies, utilities, lenders) that they can no longer pull a credit report with a social security number, and in order to open an account, they need to provide something else, which has been provided by the consumer. So that unless you give *that number*, your account acts as it currently does when you put a freeze on it.

Imagine if, instead of giving a 9-digit number, you had the option of:

  • Either flashing a QR code which would expire in the next few minutes so screenshots would not work. Or:
  • Having the official ssa.gov app on your phone show you (alongside the QR code) a 9-digit alphanumeric code (useful for written documents). With 36⁹ possible combinations, this scales easily into the future. Or:
  • Inserting a smart card into a reader, and typing a PIN. (And while yes, that card could be stolen and the PIN compromised, it’s way better than the piece of cardboard we’ve got now, which is more than enough to give someone a job and a bank account.) In turn, that card doesn’t give out your social, it gives out a unique code, just like above, that is unique to your card and your time and location of access.

In all cases, this number would be used not only to prove that access to the social security number was *authorized* and *requested by the owner* but it would also be a unique number, so it would be loggable, back to the place and time of use. Much like 2-factor identification codes, once that code was used, it could not be re-spent.

Not everyone has smart phones, but the card is a useful backup. In the event your grandma, with her nothing-but-a-flip phone, needs her number to open a new Christmas Club Account, she can take her card to her local bank or DMV and print out a one-time-use code, good for 7 days or something like that. (It doesn’t count as a double-spend until it’s run). Yes, it’s more annoying than just having her read her number over the phone, but honestly, it’s as annoying as everything else when dealing with the elderly. It’s workable.
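Here is a minimal sketch of the issuer side of the one-time codes proposed above. It is an added illustration, not code from any real SSA or login.gov system. The `CodeRegistry` class, the holder and requester names, and the five-minute QR lifetime are assumptions; the 9-character alphanumeric code, the single use, the 7-day printed code and the log of who used it and when come from the proposal itself.

```python
import secrets
import time

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # 36 symbols, 9 chars -> 36**9 codes
QR_TTL = 5 * 60               # assumed value for "expire in the next few minutes"
PRINTED_TTL = 7 * 24 * 3600   # the post's "good for 7 days or something like that"

class CodeRegistry:
    """Hypothetical issuer-side store mapping live codes to the holder who asked for them."""

    def __init__(self):
        self._live = {}   # code -> (holder_id, expires_at)
        self.audit = []   # (time, requester, code, outcome): every attempt is logged

    def issue(self, holder_id, ttl, now=None):
        now = time.time() if now is None else now
        while True:       # random code from a CSPRNG; retry on the rare collision
            code = "".join(secrets.choice(ALPHABET) for _ in range(9))
            if code not in self._live:
                break
        self._live[code] = (holder_id, now + ttl)
        return code

    def redeem(self, code, requester, now=None):
        """Return the holder_id if the code authorizes this pull, else None."""
        now = time.time() if now is None else now
        entry = self._live.pop(code.upper(), None)   # pop: a code can be spent once
        if entry is None:
            holder, outcome = None, "unknown_or_spent"
        elif now > entry[1]:
            holder, outcome = None, "expired"
        else:
            holder, outcome = entry[0], "authorized"
        self.audit.append((now, requester, code, outcome))
        return holder

def demo():
    reg = CodeRegistry()
    t0 = 1_725_000_000                     # constructed timestamp
    qr = reg.issue("holder-123", QR_TTL, now=t0)
    printed = reg.issue("holder-123", PRINTED_TTL, now=t0)
    results = [
        reg.redeem(qr, "Example Bank", now=t0 + 60),                 # in time
        reg.redeem(qr, "Someone Else", now=t0 + 90),                 # replay
        reg.redeem(printed, "Credit Union", now=t0 + 8 * 24 * 3600), # past 7 days
    ]
    return results, [row[3] for row in reg.audit]
```

Because the lender only ever sees the code, a breach of the lender's database leaks spent codes rather than a permanent identifier, and the audit list gives the holder the place-and-time trail described above.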

It would cost money. Mailing everyone smart cards, and parking people at local DMVs and Social Security offices to be the location to set initial PINs would be expensive, but absolutely possible. It might cost a tiny percentage of what we’re spending on our national defense, or on refueling our nuclear arsenal, and it serves to protect literally our entire population from data breaches that, let’s face it, will happen, no matter how careful we are. There’s always a zero-day somewhere. Security is only as cheap as its weakest link. Even if the SSL and the firewall are perfect on one of these sites, a rogue employee can still dump the database and sell it on the dark web.

If this plan goes through, the new plastic-and-chip social security card is still not a national ID card, but now the old 9-digit number becomes an archaic record, and as dangerous to have out in the open as your middle name or your home address. You would still use the raw number when dealing directly with the government (like when claiming dependents on your taxes), but that’s about it.

Obviously, if we go with the card, we print in big letters to never give your PIN over the phone. We give you an easy way to report a lost card (honestly, replacing a social security card is pretty painless these days already). We give you a website with a vetted list of kiosks where you can change a PIN, replace a damaged card, or even update your address details.

On the plus side of security, it does look like the ssa.gov website now uses login.gov, which supports TOTP (aka “Google Authenticator”), as well as SMS-based authentication. It’s a baby step, and it’s taken way too long, but it’s something.

Now, to fix the rest of it. We just need to decide to.

Written by Gushi

Gushi/Dan Mahoney is a sysadmin/network operator in Northern Washington, working for a global non-profit, as well as individually.
