Because of the recent news that 2.9 billion (with a B) Social Security Numbers for US Citizens had been stolen from a background investigation firm, lots of people have been asking me to talk about what they should do.
The short answer is… nothing.
While this latest massive data breach is concerning to be sure, the fact that billions of Social Security Numbers were stolen is not the story. Unfortunately for all of us in the US (or who otherwise have a US Social Security Number), that data is almost definitely already known to the general public and the threat actor community. So, let’s look a little deeper about why you don’t need to be all that worried that your Social Security Number ended up in a huge data dump, again.
First, a bit about Social Security Numbers (SSNs). For those outside the USA, SSNs are numbers used to identify each US citizen in order to track a government-managed welfare program system called – you guessed it – Social Security. It’s managed by the Social Security Administration and provides multiple services for citizens during their lifetime. SSNs are usually assigned shortly after a person is born, or shortly after they become a citizen if they immigrated. They are issued once and, with only a few incredibly rare exceptions, they are never changed during a person’s lifetime. So for most of us living here in the USA, we have one that was assigned to us at birth and will be with us until after we die.
While these numbers were never meant to be used as any form of identification, they ended up being used for exactly that purpose over the 80+ years the system has been in active country-wide use. SSNs are used on tax forms, medical records, employment records, financial records, and just about everything else. The issue is that there are zero security controls around these numbers. While organizations who collect them are required to use reasonable and standard practices to protect the data; the actual number is not randomized or anonymized in any way by anyone – including the agency that issues it to you.
The numbers themselves can be decoded and even guessed if you have enough information on a person. Entire calculators and decoders exist, because the SSN was meant to be decoded so it could be used to route benefits properly – such as this site. Because of this, SSNs should never be considered privileged or private information – they’re just too easy to figure out.
Additionally, as with any program that’s been in existence for nearly a century now, just about any organization or agency that’s held SSNs has lost control of some or all of that data over the years. So many data breaches (both physical paper-based access and digital access) have included SSNs that – at this point – you’d be in a ultra-tiny minority if your SSN wasn’t already known to anyone who wanted to find it.
So, what to do about this breach? As I said at the top, there’s really not much to do in this case, nor is there much to worry about. The breach did include much more sensitive information that – when present all together in one place – absolutely could lead to identity fraud and other nefarious activity. Your SSN being the data dump, on the other hand, really isn’t a big deal. Keep an eye on your credit score/reports, be very wary of emails, text messages, or phone calls that want you to buy something or pay money or share additional information. Always remember that the FBI, Apple, Microsoft, Google, the Sheriff’s Office, etc. won’t call you first. When in doubt, ignore the link in the email and/or hang up the phone; then manually go to the website in question and log in or find a number to call to ask about the situation. Trust me, if any government organization or corporation needs you to do something, there will be a web page on their site or a phone number where they can tell you what they want you to do. None of them work exclusively by outbound email or phone calls.
Threat activity generated from data breaches is very real. Follow good online hygiene and be cautious with any phone calls or texts – but you should be doing that even when you aren’t hearing about a massive data leak these days. The fact that SSNs were in the latest breach doesn’t change anything, and should be the issue you’re least concerned about surrounding this ongoing problem.