One of the most shocking things about Thursday’s announcement of the Equifax data breach is the sheer scale of the numbers involved. Particularly the Social Security numbers. Yes, there have been plenty of large data breaches before—5 million SSNs revealed in a Kansas Department of Commerce leak in July, 80 million in the notorious 2015 Anthem health insurance breach—but with Equifax’s revelation that 143 million Americans may have had their SSNs stolen (along with other sensitive personal information), security experts are pressing for a fundamental reassessment in how, and why, we identify ourselves.
Considered along with the data stolen from various other breaches, hacks, and leaks, “it’s a safe assumption that everyone’s Social Security number has been compromised and their identity data has been stolen,” says Jeremiah Grossman, the chief of security strategy at the defense and threat monitoring firm SentinelOne. “While it may not be explicitly true, we have to operate under that assumption now.”
SSNs, which have been around since the 1930s, have only one intended purpose: to track US citizens’ earnings and contributions to the Social Security program. (In an uncanny twist, the Social Security Administration itself sometimes uses Equifax services to help verify a person’s identity during the process of setting up a “My Social Security” account, an SSA spokesperson told WIRED on Friday. But the Administration doesn’t share Social Security numbers with Equifax.) Other collection of SSNs is generally legal, but the Social Security Administration has no involvement in wider use of the numbers. “The card was never intended to serve as a personal identification document,” the Administration says on its website. “The universality of SSN ownership has in turn led to the SSN’s adoption by private industry as a unique identifier. Unfortunately, this universality has led to abuse.”
Problems stem from a number of places. Your Social Security number is supposed to be kept secret, which is an increasing challenge in the digital era. And unlike other, similar secrets (like credit card numbers and passwords), SSNs are extremely difficult to change. The Social Security Administration can issue you a new one in extreme cases of identity theft or abuse. Even if you are able to alter your SSN, though, so many institutions already have your original number on file that criminals can often successfully leverage the stolen information for years. On top of all of that, the new number you receive remains tied to the old one.
“The SSN is used for purposes entirely unrelated to its original purpose. That almost always leads to problems,” says Marc Rotenberg, president of the Electronic Privacy Information Center, which has been advocating for SSN usage reform for more than two decades. “Congress needs to step up and hold hearings. We need laws that limit the collection and use of SSNs. And we need to penalize companies that collect SSNs but can’t protect [them].”