Business
Massive data breach that includes Social Security numbers may be even worse than suspected
The company whose data breach potentially exposed every American’s Social Security number to identity thieves finally has acknowledged the data theft — and said hackers obtained even more sensitive information than previously reported.
National Public Data, a Florida-based company that collects personal information for background checks, posted a “Security Incident” notice on its site to report “potential leaks of certain data in April 2024 and summer 2024.” The company said the breach appeared to involve a third party “that was trying to hack into data in late December 2023.”
According to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Fla., the hacking group USDoD claimed in April to have stolen personal records of 2.9 billion people from National Public Data. Posting in a forum popular among hackers, the group offered to sell the data, which included records from the United States, Canada and the United Kingdom, for $3.5 million, a cybersecurity expert said in a post on X.
Last week, a purported member of USDoD identified only as Felice told the hacking forum that they were offering “the full NPD database,” according to a screenshot taken by BleepingComputer. The information consists of about 2.7 billion records, each of which includes a person’s full name, address, date of birth, Social Security number and phone number, along with alternate names and birth dates, Felice claimed.
None of the information was encrypted.
Such a release would be problematic enough. But according to National Public Data, the breach also included email addresses — a crucial piece for identity thieves and fraudsters.
Having a person’s email address makes it easier to target them with phishing attacks, which try to dupe people into revealing passwords to financial accounts or downloading malware that can extract sensitive personal information from your devices. In addition, because many people use their email address to log into online accounts, it could be used to try to hijack those accounts through password resets.
It’s not clear what, exactly, has been leaked on the dark web from the breach. In a very small sampling of scans using Google One, email addresses taken during the National Public Data breach did not appear. But a free tool from the cybersecurity company Pentester found that other personal data purportedly exposed by the breach, including Social Security numbers, were on the dark web.
National Public Data said on its website that it will notify individuals if there are “further significant developments” applicable to them. “We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems,” it said.
Previously, in an email sent to people who’d sought information about their accounts, the company said that it had “purged the entire database, as a whole, of any and all entries, essentially opting everyone out.” As a result, it said, it has deleted any “non-public personal information” about people, although it added, “We may be required to retain certain records to comply with legal obligations.”
The company did not respond to a request for comment. Under a number of state laws, including California’s, companies must notify any individual whose personal information is reasonably believed to have been taken by an unauthorized person.
At this point, it appears that the only notice provided by National Public Data is the page on its website, which states, “We are notifying you so that you can take action which will assist to minimize or eliminate potential harm. We strongly advise you to take preventive measures to help prevent and detect any misuse of your information.”
The steps recommended by National Public Data include checking your financial accounts for unauthorized activity and placing a free fraud alert on your accounts at the three major credit bureaus, Equifax, Experian and TransUnion. Once you’ve placed a fraud alert on your account, the company advised, ask for a free credit report, then check it for accounts and inquiries that you don’t recognize. “These can be signs of identity theft.”
Security experts also advise putting a freeze on your credit files at the three major credit bureaus. You can do so for free, and it will prevent criminals from taking out loans, signing up for credit cards and opening financial accounts under your name. The catch is that you’ll need to remember to lift the freeze temporarily if you are obtaining or applying for something that requires a credit check.
In the meantime, security experts say, make sure all of your online accounts use two-factor authorization to make them harder to hijack.
It’s also important to look for signs that an email or text is not legitimate, given the spread of “imposter scams.” Using messages disguised to look like an urgent inquiry from your bank or service provider, these scams try to dupe you into giving up keys to your identity and, potentially, your savings. Any request for sensitive personal information is a giant red flag.
Aleksandr Valentij of cybersecurity company Surfshark suggested checking the sender’s email address carefully to see if it doesn’t precisely match the name of the organization they purportedly represent, and looking for typos or grammatical errors — two telltale signs of a scam. And if the message is from someone you’ve never interacted with before, Valentij said, avoid clicking on links, including an “unsubscribe” link or button, because bad actors will use them for malicious purposes.
“If you suspect that you’ve received a phishing email, don’t interact with it and report it to your email provider,” Valentij said. “If it’s someone pretending to be a legitimate organization, you should also report it to that organization. Once that’s done, delete the email and stay vigilant for similar emails in the future.”
Times Insider explains who we are and what we do, and delivers behind-the-scenes insights into how our journalism comes together.
Politicians in Washington and the reporters who cover them have an often adversarial relationship.
But on the last Saturday in April, they gather for an irreverent celebration of press freedom and the First Amendment at the Washington Hilton Hotel: The White House Correspondents’ Association dinner.
Hosted by the association, an organization that helps ensure access for media outlets covering the presidency, the dinner attracts Hollywood stars; politicians from both parties; and representatives of more than 100 networks, newspapers, magazines and wire services.
While The Times will have two reporters in the ballroom covering the event, the company no longer buys seats at the party, said Richard W. Stevenson, the Washington bureau chief. The decision goes back almost two decades; the last dinner The Times attended as an organization was in 2007.
“We made a judgment back then that the event had become too celebrity-focused and was undercutting our need to demonstrate to readers that we always seek to maintain a proper distance from the people we cover, many of whom attend as guests,” he said.
It’s a decision, he added, that “we have stuck by through both Republican and Democratic administrations, although we support the work of the White House Correspondents’ Association.”
Susan Wessling, The Times’s Standards editor, said the policy is a product of the organization’s desire to maintain editorial independence.
“We don’t want to leave readers with any questions about our independence and credibility by seeming to be overly friendly with people whose words and actions we need to report on,” she said.
The celebrity mentalist Oz Pearlman is headlining the evening, in lieu of the usual comedy set by the likes of Stephen Colbert and Hasan Minhaj, but all eyes will be on President Trump, who will make his first appearance at the dinner as president.
Mr. Trump has boycotted the event since 2011, when he was the butt of punchlines delivered by President Barack Obama and the talk show host Seth Meyers mocking his hair, his reality TV show and his preoccupation with the “birther” movement.
Last month, though, Mr. Trump, who has a contentious relationship with the media, announced his intention to attend this year’s dinner, where he will speak to a room full of the same reporters he often derides as “enemies of the people.”
Times reporters will be there to document the highs, the lows and the reactions in the room. A reporter for the Styles desk has also been assigned to cover the robust roster of after-parties around Washington.
Some off-duty reporters from The Times will also be present at this late-night circuit, though everyone remains cognizant of their roles, said Patrick Healy, The Times’s assistant managing editor for Standards and Trust.
“If they’re reporting, there’s a notebook or recorder out as usual,” he said. “If they’re not, they’re pros who know they’re always identifiable as Times journalists.”
For most of The Times’s reporters and editors, though, the evening will be experienced from home.
“The rest of us will be able to follow the coverage,” Mr. Stevenson said, “without having to don our tuxes or gowns.”
A former female staffer who worked for Beast Industries, the media venture behind the popular YouTube channel MrBeast, is suing the company, alleging she was sexually harassed and fired shortly after she returned from maternity leave.
The employee, Lorrayne Mavromatis, a Brazilian-born social media professional, alleges in a lawsuit she was subjected to sexual harassment by the company’s management and demoted after she complained about her treatment. She said she was urged to join a conference call while in labor and expected to work during her maternity leave in violation of the Family and Medical Leave Act, according to the federal complaint filed Wednesday in the U.S. District Court for the Eastern District of North Carolina.
“This clout-chasing complaint is built on deliberate misrepresentations and categorically false statements, and we have the receipts to prove it. There is extensive evidence — including Slack and WhatsApp messages, company documents, and witness testimony — that unequivocally refutes her claims. We will not submit to opportunistic lawyers looking to manufacture a payday from us,” Gaude Paez, a Beast Industries spokesperson, said in a statement.
Jimmy Donaldson, 27, began MrBeast as a teen gaming channel that soon exploded into a media company worth an estimated $5 billion, with 500 employees and 450 million subscribers who watch its games, stunts and giveaways.
Mavromatis, who was hired in 2022 as its head of Instagram, described a pervasive climate of discrimination and harassment, according to the lawsuit.
In her complaint, she alleges the company’s former CEO James Warren made her meet him at his home for one-on-one meetings while he commented on her looks and dismissed her complaints about a male client’s unwanted advances, telling her “she should be honored that the client was hitting on her.”
When Mavromatis asked Warren why MrBeast, Donaldson, would not work with her, she was told that “she is a beautiful woman and her appearance had a certain sexual effect on Jimmy,” and, “Let’s just say that when you’re around and he goes to the restroom, he’s not actually using the restroom.”
Paez refuted the claim.
“That’s ridiculous. This is an allegation fabricated for the sole purpose of sparking headlines,” Paez said.
Mavromatis said she endured a slate of other indignities such as being told by Donaldson that she “would only participate in her video shoot if she brought him a beer.”
“In this male-centric workplace, Plaintiff, one of the few women in a high-level role, was excluded from otherwise all-male meetings, demeaned in front of colleagues, harassed, and suffered from males be given preferential treatment in employment decisions,” states the complaint.
When Mavromatis raised a question during a staff meeting with her team, she said a male colleague told her to “shut up” or “stop talking.”
At MrBeast headquarters in Greenville, N.C., she said male executives mocked female contestants participating in BeastGames, “who complained they did not have access to feminine hygiene products and clean underwear while participating in the show.”
In November 2023, Mavromatis formally complained about “the sexually inappropriate encounters and harassment, and demeaning and hostile work environment she and other female employees had been living and experiencing working at MrBeast,” to the company’s then head of human resources, Sue Parisher, who is also Donaldson’s mother, according to the suit.
In her complaint, Mavromatis said Beast Industries did not have a method or process for employees to report such issues either anonymously or to a third party, rather employees were expected to follow the company’s handbook, “How to Succeed In MrBeast Production.”
In it, employees were instructed that, “It’s okay for the boys to be childish,” “if talent wants to draw a dick on the white board in the video or do something stupid, let them” and “No does not mean no,” according to the complaint.
Mavromatis alleges that she was demoted and then fired.
Paez said that Mavromatis’s role was eliminated as part of a reorganization of an underperforming group within Beast Industries and that she was made aware of this.
Lululemon, the yoga pants and athletic clothing company, has hired a former executive from a rival, Nike, as its new chief executive.
Heidi O’Neill, who spent more than 25 years at Nike, will take the reins and join Lululemon’s board of directors on Sept. 8, the company announced on Wednesday.
The leadership change is happening during a tumultuous time for Lululemon, which had grown to $11 billion in revenue by persuading shoppers to ditch their jeans and slacks for stretchy leggings. But lately, sales have declined in North America amid intense competition and shifting fashion trends, with consumers favoring looser styles rather than the form-fitting silhouettes for which Lululemon is best known.
“As I step into the C.E.O. role in September, my job will be to build on that foundation — to accelerate product breakthroughs, deepen the brand’s cultural relevance, and unlock growth in markets around the world,” Ms. O’Neill, 61, said in a statement.
Lululemon, based in Vancouver, British Columbia, has also been entangled in a corporate power struggle over the company’s future. Its billionaire founder, Chip Wilson, has feuded with the board, nominated independent directors and criticized executives.
Lululemon’s previous chief executive, Calvin McDonald, stepped down at the end of January as pressure mounted from Mr. Wilson and some investors. One activist investor, Elliott Investment Management, had pushed its own chief executive candidate, who was not selected.
The interim co-chiefs, Meghan Frank and André Maestrini, will lead the company until Ms. O’Neill’s arrival, when they are expected to return to other senior roles. The pair had outlined a plan to revive sales at Lululemon, promising to invest in stores, save more money and speed up product development.
“We start the year with a real plan, with real strategies,” Mr. Maestrini said in an interview this year. “We make sure decisions are made fast.”
Lululemon said last month that it would add Chip Bergh, the former chief executive of Levi Strauss, to its board to replace David Mussafer, the chairman of the private equity firm Advent International, whom Mr. Wilson had sought to remove.
Ms. O’Neill climbed the organizational chart at Nike for decades, working across divisions including consumer sports, product innovation and brand marketing, and was most recently its president of consumer, product and brand. She left Nike last year amid a shake-up of senior management that led to the elimination of her role.
Analysts said Ms. O’Neill would be expected to find ways to energize Lululemon’s business and reset the company’s culture in order to improve performance.
“O’Neill is her own person who will come with an agenda of change,” said Neil Saunders, the managing director of GlobalData, a data analytics and consulting company. “The task ahead is a significant one, but it can be undertaken from a position of relative stability.”
-
New York1 hour agoCommunication Failures Preceded Deadly Crash at LaGuardia, N.T.S.B. Says
-
Detroit, MI2 hours agoPart of Detroit Riverwalk reopens after infrastructure work
-
San Francisco, CA2 hours ago49ers draft picks: Full list of team’s round-by-round selections
-
Dallas, TX2 hours agoCowboys draft picks tracker: Every selection, live grades
-
Miami, FL2 hours ago5 arrested in undercover teen sex trafficking bust in Miami, authorities say
-
Boston, MA2 hours agoBoston police seek missing 12-year-old from Dorchester
-
Denver, CO2 hours agoRoadrunner spotted far from its usual range in Denver surprises birders
-
Seattle, WA3 hours agoTicket Alert: Karol G, Teddy Swims, and More Seattle Events Going On Sale This Week – The Stranger