
Social Security Number Hack: What to Know

Reading time: 8 minutes

August 26th, 2024


Earlier this month, National Public Data (NPD)—a Florida-based company that aggregates consumer information for background checks—confirmed it experienced a data breach involving the personal data of millions of Americans. The breach, which may be one of the largest on record, supposedly has data going back at least three decades, and includes a multitude of private information such as full names, Social Security numbers, email addresses, and mailing addresses. The data from the breach is now, allegedly, for sale on the dark web—here’s what you should know.

How the Data Breach Happened

At this time, not much is known about how the hackers may have gained access to National Public Data’s system. According to NPD’s release on the subject, there was a security incident involving a third party in late December 2023 and potential leaks of data from April 2024 through the summer.

There are a number of scams and techniques the bad actors could have used to gain access to the data. Below, we cover a few of those scams to help you recognize potential threats to the security of your own accounts.

Malware & Trojan Horse Emails

A common scam used by fraudsters is the “virus embedded in an attachment” approach. In this scam, the scammer will send an email with an “urgent” request of some kind, with an attachment to be downloaded or a link to be clicked.

The attachment, which may be disguised as something as innocuous as a PDF or Word document, contains a virus. It downloads itself onto your computer when you open it.

The link version will also automatically trigger a download of a file onto your device, or the email may include a link that appears to be the new “portal” for you to verify your credentials—effectively a fake website that looks real.

In either case, these scams often give hackers access to nearly anything: a record of everything you type (which can expose usernames and passwords), your email account, your full account, or even the protected network and associated programs your account has access to.

These scams affect businesses and individuals, so make sure you:

  • Only click links and download files from known, trusted sources.
  • Always log into your accounts through your normal means—do not use new URLs or portals unless you’ve explicitly verified them with the company in question.
  • Report any emails, text messages, or even social media messages that seem suspicious so the platform can restrict the sender.

IT Vishing Scams

One common scam for businesses is for bad actors to pose as IT support. In this scam, they’ll call an employee pretending to be IT, and tell the employee they need to do some work on their computer.

They’ll ask for the employee’s credentials (username and password)—saying they need to verify the employee’s identity, and that they need to perform maintenance, etc. Then, once the employee complies, the scammers are able to use those credentials to log into the system and access data.

Again, these scams affect businesses and individuals, so make sure you:

  • Never share passwords, passcodes, or one-time PINs with anyone—those are for your use only!
  • Always question who is calling when they ask for any type of sensitive data—when in doubt, hang up and call the company back, (scammers can even spoof business numbers making it seem that the caller ID is )
  • Report any phone calls, text messages, or emails that seem suspicious—and tell your coworkers and family so they can be on the alert as well.

Business Email Compromise (BEC)

This scam may take various forms but, in most cases, the goal of Business Email Compromise is to trick employees with access to secure company platforms into performing various activities that benefit a scammer.

Say, for example, an employee in IT receives an email they believe is from their manager (because it’s from their manager’s email!), telling them the company is onboarding a new “efficiency vendor” and the vendor needs immediate access to the database. The manager explains they’ve already submitted the access request, but is asking the employee to expedite the request and grant administrator access today, because it’s imperative the vendor start work immediately. Not wanting to displease their boss, the employee grants access…to the scammer.

In another instance, an attacker could take over a Realtor’s email account. From there, a prospective homebuyer may receive an email from their Realtor’s actual email saying that the account for the escrow payment has changed, and that they should direct the wire to a different account than was previously discussed. Not wanting to lose out on their dream home, the homebuyer redirects the payment…to the scammer.

Usually, the scammer is not using the actual email account of the person they’re impersonating, like the examples listed above, because that would require them to have already gained access to part of the system. Social engineering scams are a lot more common, so they may also:

  1. Make slight changes to the domain, such as one letter or number. For example, instead of boh.com, they’ll use b0h.com—with a zero replacing the “o.”
  2. Explain away a sudden change in email address at the start of the thread to try to lull you into a false sense of security.
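A mail filter or help-desk script can catch the one-character domain swap from item 1 before anyone replies. The following is an added example, not part of the original article; the allowlist, the character map, the function names and the sample addresses are illustrative assumptions.

```python
# Added example: flag sender domains that imitate a trusted domain.
TRUSTED = {"boh.com"}  # allowlist of domains you really deal with (assumption)

# Digit-for-letter swaps often seen in lookalike domains (constructed, not exhaustive).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def sender_domain(address):
    """Return the lowercased domain from 'user@domain' or 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip().strip(">").lower().rstrip(".")


def skeleton(domain):
    """Collapse visually confusable characters so b0h.com and boh.com compare equal."""
    return domain.translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' (hold for review) or 'unknown'."""
    domain = sender_domain(address)
    for good in trusted:
        # Exact match or a subdomain of a trusted domain.
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in trusted:
        # Same appearance after undoing character swaps, or one edit away.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ["manager@boh.com", "Manager <manager@B0H.com>", "it@bohh.com"]:
        print(sender, "->", classify(sender))
```

A "lookalike" result means the message should be held and the sender confirmed through a second channel; with a short domain, a one-edit match can also be an unrelated legitimate domain.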

However, sometimes the scammers will have access to the email of the person they’re impersonating. In this case, there will be no outright indicators that it’s an imposter; however, there are red flags to watch for:

  • They’re emailing at odd hours—the real sender typically works from 8 a.m. to 5 p.m. HST, but this email is sent at two in the morning.
  • You’re getting requests that are never mentioned in person or over the phone.
  • The emails create a sense of urgency or fear that does not align to the situation at hand. For example, granting system access to a company outside of their working hours is not likely to “derail an entire project.”

When in doubt, double check. It never hurts to be thorough. If something seems odd, always confirm through a secondary channel or means before you send payments, grant access, or fulfill some other suspicious (or suspiciously timed) request.

What You Can Do

While you can’t control what the bad guys are going to do, you can take proactive steps to protect your identity and accounts when your private information is involved in a data breach. Below, we cover some of the best actions you can take.

Set Up Credit Monitoring

Credit monitoring is a great way to make sure you know what is happening with your accounts and identity.

Credit reports often include personal financial information, such as a list of lending institutions that have issued a line of credit or loans, the total amount of money that was lent, the size of repayment amounts and how often payments were made, as well as missed or late payments, if any.

The Fair Credit Reporting Act (FCRA), a federal law enacted to promote the accuracy, fairness and privacy of consumer information contained in the files of consumer reporting agencies, requires each of the three major credit reporting agencies to provide you a free credit report once a year, upon request. If you haven't received your annual credit report recently—or ever—you can order a copy online at annualcreditreport.com (the only website offering free credit reports that is authorized by federal law) or by calling 1-800-322-8228.

You may also be able to get real-time credit monitoring and set up alerts if anything on your report changes—this can be particularly helpful when monitoring for identity theft.

Update your Account Information

There are a number of reasons it’s important to make sure your accounts are up to date with your current contact information, but the main two are to ensure:

  • You’re able to access your accounts when you need to, and
  • You’re able to receive alerts and notifications about the account.

Did you know that, by law, financial institutions like banks and credit unions are not able to forward mail to a new address? For security reasons, they are only able to send to the mailing address you specifically put on file with them. That means your new debit card, account statements, and even account alerts are going to your old address…and whoever lives there now.

New phone? If you haven’t updated your phone number, you might not be able to get your one-time-passcode, which might mean you won’t notice those suspicious charges that are draining your account until it’s too late.

Change Your Passwords

Did you know 78% of people reuse the same password? While passwords weren’t included in this breach, it’s highly likely your data has been involved in other breaches in the past. Combining the data from this breach and another breach may give bad actors everything they need to get into your accounts. So, play it safe! Change your passwords on everything—email, bank logins, even your social media accounts—and make them different from one another.

Turn on Multi-Factor Authentication

Multi-factor authentication (MFA) is an additional layer of security for your accounts. Instead of just a username and password, you’ll be prompted to complete an additional verification step. These often take the form of a verification code received by text, email, phone call, or authentication app, but can also be as simple as selecting yes when asked “Was this you?” in a pop-up.

MFA ensures that even if your username and password were compromised, without access to another platform the scammers won’t be able to access your account. But don’t forget: never share the one-time code, and never verify a login attempt if you’re not actively trying to log in.

Freeze Your Credit

A credit freeze restricts access to your credit report, which means that when someone applies for a loan or credit line in your name, the creditor will not be able to access your credit report and will not approve the application because they cannot verify your credit history and credit score.

To place a freeze on your credit report, you’ll need to contact each of the three major credit reporting agencies: Equifax, Experian, and TransUnion. It’s important to contact all three, because different lenders rely on different agencies—and you will not be fully protected if you only choose one or two. You can submit your request online, by phone, or by mail.

Freezing your credit is a good option for people who want to ensure their identity is protected, but aren’t planning on applying for a loan or credit card anytime soon. If you need to apply for a loan or credit line yourself, you will need to contact the agencies to lift the freeze, either permanently or temporarily while you’re applying.

Although you can't prevent data breaches, you can take steps to protect yourself and your money. Stay alert, watch out for red flags, and take proactive steps to protect your accounts like those we’ve listed above. To learn more about how to bank securely and protect your accounts, visit our Security Center.
