As cyberattacks continue, analysts are seeing a new pattern: Hackers are focused on stealing personally identifiable information. That includes the security clearances of U.S. intelligence officers, with the reported theft of background information. It also includes information that's less sensitive but far-reaching — like Social Security numbers.
In an interview with NPR's Audie Cornish, NPR's Aarti Shahani took a look at just how many Americans' Social Security numbers have been stolen so far, and what's being done about it.
Let's start with stats. Following big data breaches like Anthem and, more recently, the federal government's Office of Personnel Management, how many Social Security numbers have been taken?
The question sent us on a wild goose chase.
The Social Security Administration says it does not have a count. So we turned to the Federal Trade Commission, which is the lead agency on identity theft for the federal government. FTC officials say they don't have anything approximating that number because they don't track data breaches. It's not part of their mandate from Congress.
The FTC suggested we contact Verizon. Their business unit, Verizon Enterprise Solutions, publishes a very popular annual report on breaches.
So, to get a tally on theft of Social Security numbers, the federal government sent NPR to a phone company?
Verizon gets cyberattack data from dozens of organizations around the world, including federal agencies like the Secret Service and the Department of Homeland Security's Computer Emergency Readiness Team.
Jay Jacobs, lead data scientist at Verizon for the breach report, is a foremost expert who has been slicing and dicing this data for years. He estimates 60 percent to 80 percent of Social Security numbers have been stolen by hackers. NPR put the question to him multiple times and he stuck by this estimate.
That number is staggering. It's far larger than the estimate, by the federal workers union, that every federal employee is a victim.
Jacobs pointed out that while Social Security numbers have been stolen for decades, the scale of the problem is new. Before, socials were written or typed on a piece of paper, and breaking into one filing cabinet doesn't scale up. But now that everything is digital, if hackers compromise a server or data warehouse, that theft scales into the millions, quickly.
"It's gotten somewhat easy for the attacker," Jacobs says. "I think we're underestimating just how [many] records are out there."
So the problem of theft has changed by orders of magnitude, but just because your number was stolen doesn't mean you're a victim of identity theft?
Correct. The number of victims is definitely smaller. But we don't have a great estimate on how many people have actually been harmed. That'll unfold over time.
One key detail: The burden falls on you to vigilantly monitor if you are a victim. The Social Security Administration has a policy: You can't change your Social Security number just because it's been stolen. You need proof it's been abused. SSA is strict about it. In all of 2014, they replaced only 250 Social Security numbers based on misuse and disadvantage.
What about technological solutions? Is there something better than a Social?
In health care, which is where a lot of this problem is originating, there are efforts to reduce the so-called Social Security footprint.
Aetna, the health insurer, has a policy to collect, store and share Social Security numbers in fewer and fewer places, to reduce the threat of exposure.
There's a new generation of health apps that help you visit the doctor or ER. A popular one called iTriage has a policy of not collecting or storing Social Security numbers, specifically for security reasons.
Outside health care, there are tech companies working on alternative ways to identify a person through biometrics (think iris scans), and systems that track your behavior to block access if it looks like you're not acting like yourself. Experts say systems have to be revamped to do two-factor authentication — where the user provides not just a password, for example, but also a fingerprint.