Data breaches that expose the personal information of millions of people can have very real consequences for individuals, most notably: identity theft.
A new study found that the more of an individual’s personal information is easily accessible to criminals on the dark web, the likelier it is that that person will be a target for criminals.
The odds skyrocket if the information includes the person’s Social Security number, which is usually necessary for financial applications such as opening a bank account, applying for a credit card or filing tax returns, all of which are common targets for fraudsters.
The findings, published Monday by SentiLink, a company that monitors customer data for fraud on behalf of finance companies, are intuitive. But they are believed to be the first of their kind showing a clear correlation between the robust cybercriminal trade of people’s identities and real-world attempts where criminals try to commit fraud against those victims.
David Maimon, SentiLink’s head of fraud insight, told NBC News he conducted the study by comparing three sets of data from people whose information is available online.
For a baseline list of people whose names and addresses were available online, he used publicly available voter registration records. For a set of people whose names and addresses — but not Social Security numbers — were widely traded among criminals, he took names off stolen checks from a ring of check fraud thieves that operated on Telegram.
For a list of people whose names, addresses and Social Security numbers were all widely traded among cybercriminals, he downloaded a database of around 100,000 victims, cobbled together from various hacks and repeatedly traded on the dark web since 2021.
Maimon then compared more than 2,000 people from those datasets with SentiLink’s internal records of attempted identity theft to see how often each of those people had been targeted.
The results were dramatic. Only 2.1% of the people from voter registration forms had been targeted by identity thieves. Of those whose names were found in the stolen check ring, 12.1% had been targeted. But nearly all people in the 2021 database with Social Security numbers — 97% — had been victims of attempted identity theft, Maimon found.
Data breaches have become increasingly common, to the point where most Americans’ information has been repeatedly stolen. The U.S. Federal Trade Commission received 1.1 million claims of identity theft in 2024, though that is believed to be a severe undercount of the complete number of victims.
Even children often have their Social Security number stolen, and credit monitoring services rarely help victims much. According to statistics provided to NBC News by the nonprofit Identity Theft Resource Center, there were 1,857 new data breaches in 2024 that included Americans’ Social Security numbers.
While Social Security numbers are routinely hacked, it’s often impossible for a victim to know how widely their information has been shared — a key component of SentiLink’s findings. Not all breaches are equal, and cybercriminals often sell hacked data only to the highest bidder to keep it more exclusive.
When a person’s information does become widely repackaged and repeatedly traded between criminals, they are targeted by thieves repeatedly for a longer period of time, Maimon found.
The best course of action, Maimon said, is for people to freeze their credit ratings with the three major credit agencies and to monitor their ChexSystems Consumer Score to see if anyone has opened bank accounts in their name.
