2.9 billion people may have had Social Security numbers, other financial data compromised. What it means for you

About 2.9 billion people may have had their personal information hacked, a new proposed class action lawsuit alleges.

If true, reports suggest all Americans may have had valuable personal information compromised — including full names, current and past addresses, Social Security numbers and information on parents, siblings and other relatives.  

The alleged April 2024 breach occurred when a background check company doing business as National Public Data, owned by Jerico Pictures Inc., failed to properly safeguard information it scraped, the lawsuit states. The company provides instant search access to billions of records.

Neither National Public Data nor Jerico Pictures returned requests for comment by CNBC.

“If this turns out to be accurate … then it would just basically mean that everyone’s affected,” said Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, a nonprofit focused on cybersecurity awareness and education.

However, this breach may not be as far-reaching as reports suggest, said James E. Lee, chief operating officer at the Identity Theft Resource Center, a nonprofit working to minimize the risk of identity theft.

For example, if there were multiple records per individual compromised, that could reduce the total number of people affected. If other countries were affected too, that could reduce the number of Social Security numbers involved. In addition, much of the information leaked may have already been available elsewhere, he said.

Massive data breaches are not new.

A 2017 Equifax data breach was estimated to have affected half the U.S. population. In 2013, a Yahoo data breach may have hit all the company’s accounts, or a total of 3 billion people.

Still, experts say the news of this latest breach should put consumers on high alert.

“It’s not a matter of if, it’s a matter of when,” Steinhauer said. “I’d be surprised [if] there are many people who haven’t been affected by a data breach like this already, just because of the sheer number of breaches that have happened that contain similar data.”

More from Personal Finance:
Social Security cost-of-living adjustment may be 2.6% in 2025
Here’s the inflation breakdown for July 2024
A U.S. construction boom is sending rents lower

Consumers tend to find out their information may have been compromised through data breach notices from the companies affected.

“We’ve got enough data now to say if you get a data breach notice, there’s a high likelihood that you’re going to suffer an identify crime at some point within 12 months,” Lee said.

While it’s still not possible to directly correlate a breach to an identity theft, he said, the risks have no expiration date once your information has been exposed.

“You’re vulnerable forever,” Lee said.

The best tip to protect your personal records is to put a security freeze on your credit reports, which will limit access to your records, experts say.

It’s also the best first step if you think your data has been compromised.

“Freezing your credit is the single most important thing you can do when you get a data breach notice,” Lee said.

The process can be done quickly and for free by submitting separate requests to each of the three credit bureaus, which includes Equifax, Experian and TransUnion.

While freezing your credit will limit access to your credit reports, it won’t block it completely. Your records will still be available to certain companies and under certain circumstances.

The freeze doesn’t just block bad actors. Notably, if you want to apply for a new credit card or auto loan, you may get rejected if you do not unfreeze your credit first.

As you freeze your credit, you should proceed with caution. Make sure you’re not clicking on a lookalike domain that purports to be one of the three major credit bureaus that could instead be operated by hackers, Steinhauer said.

Additionally, do not open your personal records on public Wi-Fi, he said.

Consumers can purchase additional protection through dark web monitoring services, which will let you know when your information is compromised. While that step can provide peace of mind, it’s not going to stop anything from happening, Lee said.

Consumers should also make sure they have strong and unique passwords that use multifactor authentication, where two or more steps are used before access to an account is granted. Consumers may want to consider using a password manager, which can help generate strong passwords and store those codes, Steinhauer said.