The Collateral Damage of a Social Security Number Breach

In the previous article in this series on the collateral damage resulting from a data breach, we looked at the wide ranging damage that can be done when a Personally Identifiable Information (PII) breach occurs. In this article, we will look at the collateral damage of a Social Security number breach.

Over the last 80 years, the Social Security Administration has issued more than 450 million original Social Security numbers (SSN). The ubiquity of SSNs has led to their universal adoption as a primary means of identifying an individual with whom a broad array of personal and confidential information may be associated.

Social Security Number Breach - identify theft SSN

Experian Endures a Social Security Number Breach

In September 2015, Experian discovered that T-Mobile data, housed on an Experian server, was infiltrated and more than 15 million records were downloaded. The stolen records captured, along with other identifying information, included the names, addresses, and Social Security numbers of individuals who applied for T-Mobile services. Experian offered the T-Mobile victims, whose information was exposed, free credit monitoring from Experian for one year. However, that offer does almost nothing for the more serious and less talked about potential consequences that the breach may have brought on for individuals, including:

  • Identity Theft: Since a SSN is the universal “key” record through which a broad spectrum of separate data is associated, it is the key to creating a nearly bulletproof false identity. Such a deep false identity can be used to apply for a marriage or professional license, obtain a passport, establish a business, be declared dead, or essentially anything that has long-term recourse- all while not impacting a credit report immediately.
  • Being Associated With Criminal Activity: Stolen SSNs can be used to verbally provide identification information to law officers during a routine traffic stop or misdemeanor violation. The fraudulent person receives a citation to appear in court, but of course does not attend the hearing resulting in the court issuing a bench warrant for the individual legitimately associated with the stolen SSN. In other cases, the fraudulent person pleads guilty for a misdemeanor, a felony, or DUI, resulting in a criminal record in the victim’s name that could most likely block the victim from obtaining a job, securing housing, or obtaining credit.
  • Obtain Medical Services: When you walk into the clinic or hospital for medical treatment one of the many pieces of data collected each time is your SSN. If the fraudulent person has additional information about you, his/her treatment and test results will make it onto your electronic medical history – which doctors and other practitioners depend upon to provide you safe and responsive treatment. The results could be well, life threatening.
  • File Fraudulent Returns and Claims: With a stolen SSN, imposters can file fraudulent tax returns and insurance claims or apply for government benefits.

Providing a credit monitoring service to victims of Social Security number breach is a nice gesture, but what happens if fraudulent credit activity happens before or after the credit service is provided from the time of the breach? It can take months, even years, to repair the damage and unfortunately, it is all at an out-of-pocket expense to the victim. Damaged credit – even if fraud is later proven – may mean paying heavy deposits for utility services, high interest rates on loans and credit cards, and a reduction in your available credit limits (which will further lower your credit score). While a brief window of free credit monitoring may be appreciated, it doesn’t really begin to address the full scope of the damage that can be caused by a Social Security number breach.

In the next article, we’ll look at how your membership information can turn you and your family into a target for hacktivist social “justice…”

Schedule a no obligation, ThreatModeler™ demo to help protect your company data records from identity theft.