Prevent This: Handing Over Your ID to a Stranger

74 million identity documents were exposed in the last three months. Most of them were handed over voluntarily. Here's how to prevent that from happening to you.

Jun 23, 2026

A $30 fishing license. A cruise vacation. A hotel check-in. A job application at McDonald’s. None of these should ruin your life. But for millions of people this year, handing over an ID for one of these everyday moments put them on a list they never asked to be on.

The Man Who Lost a Decade to a Stolen Social Security Number

Dan Kluver is a factory worker in Olivia, Minnesota. He coaches baseball. He teaches Sunday school. He spent four decades without ever getting into trouble. He wants to get his story out there to prevent similar things from happening to you.

One day, Kluver got pulled over during a routine traffic stop. The officer told him his license had been suspended. Kluver had no idea why. It turned out there was a second driver’s license with his name on it being used in Missouri. Someone had purchased his Social Security number off the black market and had been living under his identity for 15 years.

To the IRS, it looked like one Daniel Kluver was working several jobs across two states and paying taxes at a rate far below what he owed. The IRS started garnishing his paychecks. His wife Kristy emptied her savings before their 2012 wedding, sending a $6,000 check to cover the balance. Their relief lasted until the next tax season, when a new bill arrived. This one was for $22,000.

They spent the next decade living with the consequences. Annual tax audits. Budgets that never added up. Paychecks that arrived lighter than they should have been.

Then came the part that no credit monitoring service could have prevented. The person using Kluver’s identity was involved in a fatal car accident that killed a 68-year-old grandfather and injured his 9-year-old granddaughter. The name on the driver’s license at the scene? Daniel Kluver. A wrongful death lawsuit was filed against him.

One stolen document. Fifteen years. A drained savings account, a decade of IRS audits, and a wrongful death lawsuit with his name on it.

Kluver’s story, originally reported in 2025, is the worst-case version of something that is now happening at industrial scale. The difference between 2010 and 2026 is volume. Back then, someone bought Kluver’s Social Security number from a single contact for cash. Today, companies are losing millions of identity documents at a time, and most of us are the ones handing them over.

There is a reason attackers are going after identity documents specifically, and not just credit card numbers. On dark web marketplaces, a stolen credit card number sells for about $17. A stolen driver’s license sells for $70 to $165. A U.S. passport scan goes for around $100, and a verified physical passport can fetch over $700. A complete identity package (name, SSN, date of birth, address, and a document scan to match) runs $1,000 or more. The pricing tells you exactly how criminals value these assets. A credit card can be cancelled with a phone call; its street value reflects that short shelf life. A passport number, a driver’s license number, a date of birth paired with a face? Those do not expire when someone reports them stolen. They hold their value for years, and the criminals buying them know it.

The Year Your ID Became Everyone’s Business

In just the past few months, four breaches have exposed government-issued identity documents on a scale that would have been unthinkable a few years ago.

3 million fishing license buyers. Texas.

On June 18, the Texas Parks and Wildlife Department disclosed that a third-party vendor handling hunting and fishing license sales had been breached. The attackers walked away with driver’s license numbers, passport numbers, email addresses, phone numbers, and home addresses belonging to 3,087,721 Texans. Social Security numbers and credit card data were not included, but what was stolen is arguably worse in the long run: your driver’s license number does not change when it gets breached. You cannot call a bank and get a new one.

The investigation has not determined how the attackers got in or how long they had access. No group has claimed responsibility. Affected customers can enroll in one year of free credit monitoring through Kroll by calling 844-959-7123 before September 14, 2026.

6 million cruise passengers. Carnival.

In April, an attacker tricked a single Carnival Corporation employee into handing over their login credentials. That one compromised account gave the attacker access to the personal information of nearly 6 million customers across Carnival Cruise Line, Princess Cruises, Holland America, and Cunard. The stolen data included names, dates of birth, passport numbers, and driver’s license numbers.

The hacking group ShinyHunters claimed the attack and published 8.7 million records when Carnival declined to pay. Texas Attorney General Ken Paxton opened a formal investigation. Three lawsuits have been filed. As one commenter on a cruise forum put it: “Stolen credit information is kept forever. Two years of monitoring means nothing.”

1 million hotel guests. Worldwide.

In May, a security researcher discovered that a Japanese hotel check-in platform called Tabiq, operated by a startup named Reqrea, had left over one million passport scans, driver’s licenses, and selfie verification photos sitting in an Amazon cloud storage bucket that was open to the public internet. No password. No authentication. Just a URL.

The files dated back to 2020. Six years of guest identity documents from hotels across Japan, belonging to travelers from countries around the world, accessible to anyone who found the link. Amazon’s cloud storage has been private by default since 2017. Making it public in 2026 requires actively overriding the default settings. Someone chose to do that.

The selfie verification photos are particularly concerning. These images are often linked to facial recognition workflows. Paired with the passport scans stored alongside them, they create a complete identity package: a face, a name, a document number, and a photo that proves they match.

64 million job applicants. McDonald’s.

Security researchers Ian Carroll and Sam Curry discovered that the AI chatbot McDonald’s uses to screen job applicants, a system called McHire built by a company called Paradox.ai, was secured with the admin password “123456.”

That password gave them full administrator access to a test environment. From there, a basic vulnerability in the system let them pull up any applicant’s records by changing a number in the URL. The result: 64 million records containing names, email addresses, phone numbers, chat transcripts from AI interviews, shift preferences, and personality test results were accessible.

The password had been in place since 2019. The test account, according to Paradox.ai’s legal team, “had not been logged into since 2019 and frankly, should have been decommissioned.”

Why This Is Different from a Credit Card Breach

When your credit card number gets stolen, you call the bank, dispute the charges, and get a new card in a week. The process is annoying but it works. Credit card fraud has a well-established playbook: the card issuer eats the loss, you get a fresh number, and life moves on.

Identity documents do not work that way.

Your driver’s license number is issued by your state. It follows you for life unless you specifically request a new one (and not all states make that easy). Your passport number is tied to a physical document that costs $130 to replace and takes weeks to process. Neither changes automatically when a company that was holding a copy of it gets hacked.

And unlike a stolen credit card, where the damage is financial and contained, a stolen identity document can be used to:

Open credit accounts in your name. New-account fraud is now the #1 type of identity crime, accounting for 62% of all identity misuse cases per the Identity Theft Resource Center. Credit cards (41%), checking accounts (18%), and personal loans (9%) are the most common.
Create a synthetic identity. Criminals combine your real driver’s license number with a fake name and date of birth to build a new persona that passes basic verification checks. Synthetic identity fraud is projected to cause $3.1 billion in losses in 2026.
File taxes in your name. Dan Kluver spent a decade fighting IRS bills because someone else was earning income under his Social Security number. The IRS takes an average of 22 months to resolve identity theft cases.
Accumulate a criminal record in your name. If someone is pulled over or arrested while carrying your information, the charges and warrants go on your record. You may not find out until your next background check, job application, or traffic stop.

The damage is slow, invisible, and cumulative. Only 9% of victims who suffer financial impact are able to fully resolve their cases, according to the ITRC’s 2026 report. A quarter of all identity theft victims are now managing two or more concurrent incidents at the same time.

What Can You Do?

1. If you Don’t Need it, freeze your credit.

If you don’t plan on using your credit score to open any new accounts or take out any new loans, it may make sense to do a credit freeze. A credit freeze prevents anyone (including you) from opening a new credit account until you temporarily lift the freeze. It is the single most effective defense against new-account fraud, which is now the dominant form of identity theft.

It is free. It takes about 10 minutes. You need to do it at all three bureaus:

Equifax: equifax.com/personal/credit-report-services/credit-freeze
Experian: experian.com/freeze/center.html
TransUnion: transunion.com/credit-freeze

When you legitimately need to apply for credit (a mortgage, a car loan, a new credit card), you temporarily lift the freeze at the relevant bureau, complete your application, and re-freeze. The lift takes minutes.

2. Ask questions before handing over your ID.

My family almost learned this lesson the hard way. In the mid-1980s, my parents booked a hotel in Paris for a work trip. The name was nearly identical to a well-known luxury hotel, off by a single French numeral. We walked in, and there, behind the front desk, was a gold-framed portrait of Muammar Gaddafi. The clerk smiled at us enthusiastically. “Americans? Passports, please. We will hold them for you.”

My father was career military. He did not hand over the passports. My parents walked us back out the front door, checked the marquee, realized we were at the wrong hotel, and we (eventually) found the right one down the street. Back then there wasn’t an easy way to “google something,” or check Apple Maps. There was just a portrait on the wall that told my parents everything they needed to know about who was asking for their documents.

Forty years later, the question is the same. The difference is that the portrait isn’t on the wall anymore. The clerk asking for your ID might be a website, an app, a self-check-in kiosk, or a third-party vendor you’ve never heard of. You do not get to see what’s behind the counter.

Most of us hand over our driver’s license without thinking about it. At a hotel front desk, a car rental counter, a sporting goods store, a doctor’s office. The person behind the counter asks, and we comply.

Start asking two questions:

“Do you need to scan it, or just see it?” There is a difference between verifying your identity (looking at your ID and confirming your name and face) and capturing your identity (scanning or photographing the document and storing a copy). Many businesses scan as a default when visual verification would suffice.
“How long do you keep the copy?” If they scan it, your document is now a file on their system. Is it deleted after checkout? Kept for 30 days? Stored indefinitely? The Tabiq hotel system kept guest passport scans for six years in an unprotected cloud bucket. No guest was ever told.

You will not always get a satisfying answer. But asking the question shifts the dynamic. It reminds the business that they are taking custody of something they are responsible for protecting.

3. Check if you are in the Texas or Carnival breaches.

If you have purchased a Texas hunting or fishing license, or if you have sailed on Carnival Cruise Line, Princess Cruises, Holland America, or Cunard, you may already be affected.

Texas Parks & Wildlife: Call 844-959-7123 to confirm eligibility and enroll in free credit monitoring. Deadline: September 14, 2026.
Carnival Corporation: Activate the free two-year TransUnion credit monitoring using the code in your notification letter. Deadline: August 31, 2026.
Have I Been Pwned: Check whether your email appears in the Carnival breach (or any other) at haveibeenpwned.com.

4. Request a new driver’s license number from your state DMV.

If you know your driver’s license number was exposed in a breach, contact your state’s Department of Motor Vehicles and ask about getting a new number issued. Not all states make this easy, but most allow it in cases of documented identity theft or confirmed breach exposure. You will typically need a copy of the breach notification letter and a police report or FTC identity theft report.

5. Monitor your IRS account.

Dan Kluver’s first warning sign was a tax bill for income he never earned. You can catch this early by creating an account at IRS.gov and checking your wage and income transcripts annually. If someone is filing taxes or earning income under your Social Security number, it will show up there before it shows up anywhere else.

You can also file an IRS Identity Protection PIN (IP PIN), a six-digit number that prevents anyone else from filing a tax return using your Social Security number. Request one at irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin.

The Bottom Line

Dan Kluver handed over his Social Security number to an employer, the way all of us do. Someone else got hold of it, and his life was upended for 15 years. He lost thousands of dollars, endured a decade of audits, and found his name on a wrongful death lawsuit for an accident he had nothing to do with.

The difference between Kluver’s story and what is happening in 2026 is not the method. Identity theft works the same way it always has: someone gets a document with your name on it and uses it as if they were you. The difference is the supply. Three million fishing license buyers. Six million cruise passengers. One million hotel guests. Sixty-four million job applicants. These are not hacking victims in the traditional sense. They are people who did something ordinary (bought a license, booked a cruise, checked into a hotel, applied for a job) and trusted the company on the other side to protect what they handed over.

Some of those companies stored passport scans in public cloud buckets. Some secured admin accounts with the password “123456.” Some do not even know how the breach happened yet.

Thanks for reading Intruvent Edge! This post is public so feel free to share it.

You cannot control how a third party stores your identity documents after you hand them over. But you can freeze your credit so a stolen document cannot be used to open accounts in your name. You can ask whether a business actually needs to scan your ID or just see it. You can check your IRS transcripts for income you did not earn. And you can set an Identity Protection PIN so nobody files a tax return as you.

These steps take about 20 minutes total. Dan Kluver spent 15 years cleaning up the alternative.

If you have been affected by any of the breaches discussed in this article:

FTC Identity Theft Report: identitytheft.gov
Identity Theft Resource Center: idtheftcenter.org or 888-400-5530 (free, confidential assistance)
IRS Identity Theft: irs.gov/identity-theft-fraud-scams
State DMV: Contact your state’s DMV to request a new driver’s license number if yours was exposed

Discussion about this post

Ready for more?