Massive Data Breach: 2.9 Billion Records and What Your Business Should Do (Updated 2026)


Quick Answer

The 2024 National Public Data breach exposed roughly 2.9 billion records and an estimated 272 million unique Social Security numbers. The fallout reaches into 2026 because stolen identifiers do not expire. Michigan businesses should freeze their credit, monitor employee accounts, train staff on phishing, and tighten access controls. Kraft Business Systems helps West Michigan companies build layered defenses so a breach somewhere else does not become a breach inside your network.

What the 2.9 Billion Record Breach Was, and Why It Still Matters in 2026

A Florida data broker called National Public Data sat on a quiet, sprawling pile of personal records. Names, addresses, phone numbers, dates of birth, and Social Security numbers, scraped or purchased over many years. Then, in April 2024, a hacker group using the alias USDoD posted that pile on a dark web forum and asked for $3.5 million.

By August 2024, a class-action lawsuit forced National Public Data to confirm what security researchers already suspected. Up to 2.9 billion rows. Around 170 million people in the United States, the United Kingdom, and Canada. About 272 million unique Social Security numbers and roughly 137 million unique email addresses, according to IBM’s reporting.

So why bring this up two years later? Because Social Security numbers do not get rotated like passwords. Once your SSN is on the dark web, it stays there. Criminals use those numbers for years, often layering them with new phishing campaigns, synthetic identity fraud, and tax refund scams. And in 2026, the same data is still circulating. A 2026 UpGuard discovery of an exposed Elastic database with 2.7 billion SSNs and 3 billion email and password pairs shows how often this stolen material gets recycled.

For Michigan companies, especially in healthcare, manufacturing, and professional services, the question is not whether your employees were exposed. The honest answer is, almost certainly yes. The real question is what your business does about it.

Why 2026 is the year the bill comes due

Stolen credentials and identity records often sit unused for 12 to 24 months while criminals build automated tooling, set up money mule networks, and refine social engineering scripts. So the wave of secondary fraud usually peaks two years after a major dump. And we are right in that window now. Identity theft complaint volumes climbed sharply through late 2025, and Michigan small business clients are reporting more sophisticated phishing pretexts than ever. The 2024 dump is still doing damage in 2026, and pretending otherwise is a budget mistake.

$10.22M

Average cost of a U.S. data breach in 2025, the highest of any country, up 9% year over year (IBM Cost of a Data Breach Report).

How Stolen Social Security Numbers Get Used Against Your Business

Most coverage of the breach focused on consumers. But the records are also a goldmine for attacks against employers. Our team sees the downstream effects every quarter when a Grand Rapids client gets hit with a fraud attempt that started with stolen identity data.

And the patterns are predictable. Here is what happens after a breach like this one:

  • Synthetic identity fraud. Criminals combine a real SSN with a fake name and apply for business credit lines or open accounts in your company’s vendor portals.
  • Targeted spear phishing. Attackers craft emails referencing real personal details, then send them to your finance team asking for an urgent wire.
  • Payroll diversion. A scammer poses as an employee, requests a direct deposit change, and pulls a paycheck before anyone notices.
  • HR impersonation. Fake job applicants use stolen SSNs to pass quick verification, then use the access to steal data once hired.
  • Tax fraud. Filers submit false returns under your employees’ names, which can drag your HR staff into IRS resolution work for months.

Each of these creates real costs. Lost wages, lost time, and lost trust. And every Michigan business that handles W2s or vendor payments is in scope.

The 2026 Data Breach Cost Picture

Breach costs keep climbing in the United States even as the global average dips. So a single incident can crater a small Michigan firm. Look at the numbers from the latest IBM Cost of a Data Breach Report and small business research.

  • The U.S. average reached $10.22 million per breach in 2025, up 9 percent year over year.
  • Healthcare leads at $7.42 million globally; financial services trail at $5.56 million.
  • Small organizations under 500 employees average $3.31 million per incident.
  • About 60 percent of small businesses close within six months of a major attack.
  • Breaches involving stolen credentials take 292 days on average to identify and contain.

So the math is brutal for a small or mid-sized firm. A $3 million event is not survivable for most West Michigan operators without insurance, and even with coverage, downtime and customer churn often outlast the policy payout. Our team works with clients to model that scenario before it happens, not after.

60%

Share of small businesses that close within six months of a major cyberattack (StationX, 2026 small business cybersecurity statistics).

What Owners and Employees Should Do Right Now

You cannot un-leak a Social Security number. But you can lock down what attackers do next. Walk through these moves with your team this week.

Personal protection for every employee

  • Place a free credit freeze with all three bureaus (Equifax, Experian, TransUnion). It takes about 15 minutes total.
  • Set fraud alerts and renew them every year. The FTC data breach response guide walks through the process.
  • Pull free annual reports at AnnualCreditReport.com and scan for unfamiliar accounts.
  • Turn on multi-factor authentication for banking, payroll, and email accounts.
  • Use a password manager and replace any password reused across sites.

Business protection for the company

  • Require multi-factor authentication on every system, with no exceptions for executives.
  • Deploy email filtering with attachment sandboxing and link rewriting.
  • Add a vendor verification step for any change to bank routing numbers or direct deposit.
  • Run quarterly phishing simulations and short refresher trainings.
  • Document a written incident response plan and rehearse it twice a year.

And if you do not know whether your firm has these basics in place, that is a sign to schedule an assessment.

Was Your Data Exposed? A Comparison of Lookup Tools

Several free services let employees check if they show up in known breach databases. None are perfect, but used together they give a reasonable picture. Here is how the most common options stack up.

| Tool | What It Checks | Cost | Best For |
|---|---|---|---|
| Have I Been Pwned | Email addresses across known breach dumps | Free | Quick personal email check |
| NPD Breach Lookup (Pentester) | Name, state, and birth year against NPD records | Free | Confirming NPD exposure specifically |
| Identity Theft Resource Center | Full identity monitoring and recovery support | Free nonprofit support | Victims who already see fraud |
| Credit Bureau Lock or Freeze | Locks new credit applications under your SSN | Free under federal law | Anyone who wants ongoing protection |
| IRS Identity Protection PIN | Adds a PIN to block fraudulent tax returns | Free | Anyone filing federal taxes |

Encourage your team to use at least two of these. The credit freeze and the IRS IP PIN are the strongest of the bunch because they block the most expensive types of fraud.

What This Means for Grand Rapids and West Michigan Businesses

Michigan businesses sit at a fault line. Manufacturing, healthcare, defense supply chains, and professional services are all targets, and the state ranks among the more frequently attacked in the Midwest. Local research from CTS Companies shows ransomware activity rising sharply against Michigan manufacturers and clinics.

And the small business gap is real. A 2026 StationX analysis found 52 percent of small businesses rely on untrained staff or the owner to manage cybersecurity, and 47 percent of firms with fewer than 50 employees allocate zero budget to it. Pair that with stolen SSNs and you have a soft target for any halfway competent attacker.

So Michigan owners have a few specific issues to watch.

  • CMMC compliance. Defense contractors across Grand Rapids, Holland, and Detroit must meet new federal cybersecurity maturity rules or lose contracts.
  • HIPAA enforcement. Healthcare providers in Traverse City, Kalamazoo, and Lansing face sharper Office for Civil Rights enforcement after recent ransomware waves.
  • Manufacturing IP risk. Tier 2 and Tier 3 auto suppliers are persistent targets for stolen design files and ransomware.
  • State law shifts. Michigan’s Cyber Initiative continues to push public-private collaboration, and breach notification rules apply to any business that holds resident data.
  • Insurance scrutiny. Cyber carriers now ask for proof of MFA, EDR, and backups before they renew Michigan policies.

Kraft Business Systems is based in Caledonia, Michigan, and supports clients across Grand Rapids, the lakeshore, Traverse City, and Detroit. So the regional risk picture is not theoretical for our team. We see it weekly.

Building a Cybersecurity Stack That Actually Works

No single product stops every attack. Real protection comes from layers, with each layer covering the gaps of the others. Here is the stack we recommend for most Michigan small and mid-sized businesses, with practical examples for each tier.

Identity And Access

Single sign-on, multi-factor authentication, conditional access, least-privilege roles, and quarterly access reviews.

Endpoint Protection

Modern EDR with managed threat hunting, patched operating systems, and disk encryption on every laptop.

Email Security

Advanced phishing filters, attachment sandboxing, link rewriting, and DMARC, SPF, and DKIM aligned for the domain.

Network Defense

Next-gen firewall, segmented VLANs for guests and IoT, secure remote access, and intrusion detection telemetry.

Backup And Recovery

Immutable, off-site, tested backups for files, servers, and Microsoft 365, with documented restore times.

Awareness And Response

Quarterly phishing simulations, role-specific training, a written incident response plan, and a 24/7 escalation path.

Building all six in-house is expensive and slow. So most West Michigan firms partner with an MSP or MSSP to fill the gaps. That is where our managed IT services come in.

Compliance Frameworks That Touch Stolen SSN Data

If your business stores employee, customer, or patient SSNs, several frameworks apply. Even if none of them mention SSNs by name, the regulators and auditors care a lot about how you protect them.

| Framework | Who It Applies To | SSN Implication |
|---|---|---|
| HIPAA | Healthcare providers, plans, and business associates | SSNs in patient records require encryption, access logs, and breach notification. |
| GLBA | Financial institutions and many fintech firms | Mandates a written information security program covering nonpublic personal info. |
| CMMC 2.0 | DoD contractors and subcontractors | Tier 2 controls cover access, training, and incident response for any sensitive data. |
| PCI DSS | Any business processing card payments | Indirect, but the audit will cover SSN handling if stored on card systems. |
| Michigan Identity Theft Protection Act | Any business holding Michigan resident data | Requires breach notification and reasonable safeguards for personal info. |

So if your firm checks any box above, the NPD breach is not a passive headline. It is an audit prompt. Regulators want to see what you changed after the breach, not what you intended to change.

Early Indicators That Your Business Is Already a Target

Stolen Social Security data does not announce itself with sirens. The signs show up quietly, often in HR or finance inboxes, and most teams miss them until the damage lands. So here are the early signals our incident response engineers see most often after a Michigan client lands on a fraud list.

  • An IRS notice arrives for an employee whose return has not been filed yet.
  • A direct deposit change request comes in from an employee email that looks slightly off.
  • A vendor sends a routing number update right before a scheduled payment.
  • Someone applies for unemployment benefits in an employee’s name.
  • A new credit account appears on an executive’s personal credit report.
  • HR receives a verification request for a loan no employee remembers.
  • Phishing emails reference real names, real titles, and real project codes.

If you see two or more of these in the same quarter, treat it as a coordinated attempt and not a coincidence. Pull a quick incident response huddle, lock down change processes, and call your MSP.
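The two-or-more-signals-per-quarter rule above can be run over an HR and finance event log. This is an added example, not code from Kraft Business Systems; the event fields, the signal labels, the domain example-mfg.com and the two-edit lookalike cutoff are assumptions made here, and it counts distinct signal types within a calendar quarter.

```python
from collections import defaultdict
from datetime import date

COMPANY_DOMAIN = "example-mfg.com"   # hypothetical company mail domain
THRESHOLD = 2                        # "two or more" signals in one quarter
# Labels invented for this example, one per signal in the list above.
KNOWN_SIGNALS = {
    "irs_notice_unfiled_return", "vendor_routing_update", "unemployment_claim",
    "new_credit_account", "loan_verification_request", "phishing_real_details",
}

def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def sender_looks_off(sender, company_domain=COMPANY_DOMAIN, max_edits=2):
    """True when the sender's domain is close to, but not, the company domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain != company_domain and edit_distance(domain, company_domain) <= max_edits

def classify(event):
    """Map a raw event to a signal label, or None when it is not a signal."""
    if event["type"] == "direct_deposit_change":
        # Only a change request from a lookalike domain counts as a signal.
        return "deposit_change_odd_sender" if sender_looks_off(event["sender"]) else None
    return event["type"] if event["type"] in KNOWN_SIGNALS else None

def coordinated_quarters(events, threshold=THRESHOLD):
    """Return {(year, quarter): sorted signals} for quarters at or over threshold."""
    seen = defaultdict(set)
    for ev in events:
        signal = classify(ev)
        if signal:
            d = ev["date"]
            seen[(d.year, (d.month - 1) // 3 + 1)].add(signal)
    return {q: sorted(s) for q, s in seen.items() if len(s) >= threshold}

# Constructed sample log, not real incident data.
SAMPLE_EVENTS = [
    {"date": date(2026, 1, 14), "type": "direct_deposit_change", "sender": "j.smith@example-mfg.com"},
    {"date": date(2026, 2, 3), "type": "irs_notice_unfiled_return"},
    {"date": date(2026, 4, 9), "type": "direct_deposit_change", "sender": "j.smith@examp1e-mfg.com"},
    {"date": date(2026, 5, 20), "type": "vendor_routing_update"},
    {"date": date(2026, 6, 2), "type": "vendor_routing_update"},
]

if __name__ == "__main__":
    for (year, q), signals in coordinated_quarters(SAMPLE_EVENTS).items():
        print(f"{year} Q{q}: treat as coordinated -> {', '.join(signals)}")
```

In the sample, the first quarter holds a single signal and stays below the threshold, while the second quarter pairs a lookalike-domain deposit change with a routing update and is flagged.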

The first 24 hours after you spot fraud

Speed matters. So your team should know the first-hour playbook by heart. Here is the short version we drill with clients across Grand Rapids and the lakeshore.

  1. Contain. Reset passwords, revoke sessions, and disable any compromised accounts.
  2. Communicate. Notify owners, finance, HR, and your IT or MSP partner with a single message thread.
  3. Capture. Save logs, emails, and screenshots before vendors auto-delete them.
  4. Coordinate. Call your bank, your insurer, and your local FBI field office if losses are over a few thousand dollars.
  5. Communicate again. File breach notifications under Michigan and federal rules within the legal window.

And practice this twice a year, even if nothing has happened. Tabletop exercises shorten real recovery times by days.

How Kraft Business Systems Helps Michigan Businesses Lock Down Identity Risk

Founded in 2005, we work with manufacturers, clinics, schools, and law firms across Michigan. We pair print and document services with managed IT and cybersecurity, so the same team protects your copiers, your payroll files, and your patient records. Here is how we help.

Free Cybersecurity Assessment

A short, structured review of your stack, policies, and exposure. No obligation, no jargon.

Managed Detection And Response

24/7 EDR monitoring with named technicians, not anonymous SOC tickets.

Phishing Defense Programs

Email filtering, simulated phishing, and short training modules tied to real Michigan attack patterns.

Backup And Disaster Recovery

Immutable backups, tested restores, and documented recovery times your insurer will accept.

Document And Print Security

Secure print release, hard drive sanitization, and audit logs on every connected copier.

Compliance Roadmaps

HIPAA, CMMC, GLBA, and PCI gap reviews with practical, budgeted next steps.

You can read more about our approach in our pieces on managed cybersecurity services and data backup and recovery. Or just call (616) 800-7682 and we will walk through your situation.

Frequently Asked Questions About the Social Security Number Breach

Is my Social Security number really on the dark web?

Most likely, yes. The 2024 National Public Data breach included an estimated 272 million unique Social Security numbers, and additional 2026 leaks have surfaced billions more records. Treat your SSN as compromised and act accordingly.

Should I pay for an identity theft monitoring service?

You can, but the strongest steps are free. A credit freeze with all three bureaus, an IRS Identity Protection PIN, and multi-factor authentication block most fraud paths. Paid services add convenience and recovery support, not magic.

How do I freeze my credit in Michigan?

Visit each bureau’s site (Equifax, Experian, TransUnion), create an account, and click freeze. It is free under federal law. Michigan residents have the same protections as the rest of the country, and you can thaw the freeze when you apply for new credit.

What if my employees were exposed?

Send a short internal message with three actions. Freeze credit, request an IRS IP PIN, and turn on MFA for personal email. Then offer time during the workday to complete the steps. The 30 minutes you give back pays for itself in reduced fraud and HR distraction.

Does this breach affect my business taxes?

It can. Criminals use stolen SSNs to file false tax returns, sometimes under employee names. So if your HR or payroll team gets a strange IRS notice for a current employee, treat it as a fraud signal and contact the IRS Identity Theft unit right away.

Are Michigan businesses required to notify customers after a breach?

Yes. The Michigan Identity Theft Protection Act requires notification when a breach involves personal information of Michigan residents. Federal rules also apply if you operate in healthcare or finance. A written incident response plan keeps these notifications fast and defensible.

Can a small business afford serious cybersecurity?

Small firms cannot afford to skip it. The average breach cost for businesses under 500 employees is $3.31 million, while a managed cybersecurity contract for a small Michigan firm typically runs a few thousand dollars per month. So the math favors prevention by a wide margin.

What is multi-factor authentication and why does it matter so much?

MFA requires a second proof of identity, usually a code from your phone, in addition to a password. It blocks about 99 percent of automated account takeover attempts, even when the attacker already has the password. So it is the single highest-impact control you can deploy this week.

How often should we run phishing tests?

Quarterly, with a follow-up training within 24 hours for anyone who clicks. Less frequent testing creates a false sense of security, and more frequent testing fatigues staff. Quarterly hits the sweet spot for most West Michigan companies we work with.

How does Kraft Business Systems get started with a new client?

We begin with a free cybersecurity assessment. A senior engineer reviews your stack, your policies, and your exposure. Then we deliver a short report with prioritized next steps, and you decide what to act on. No pressure, no jargon.

What if we already use a different IT provider?

That is fine. Many of our clients run a hybrid model with an internal IT lead, a generalist MSP, and Kraft for cybersecurity, document services, or compliance support. We slot in where the gaps are and stay out of your team’s way.

Where can I learn more about NPD specifically?

The Microsoft Support breach summary and the Wikipedia entry on the 2024 NPD breach are both useful starting points. For Michigan-specific guidance, our team can walk through the implications for your industry.

Worried Your Business Is Exposed?

Stolen Social Security numbers fuel phishing, payroll fraud, and synthetic identity attacks for years. Let our team show you exactly where your defenses stand and what to fix first.


Kraft Business Systems | 6980 Southbelt Drive, Suite 1, Caledonia, MI 49316