"SSNs are assigned at birth, and never change"
Given the extent to which these have been plundered (and equivalent identifiers in other jurisdictions) maybe it's a principle that needs to be rethought.
An American university founded in 1833 is facing a bunch of class action lawsuits after the personal data of nearly 100,000 people was stolen from its tech infrastructure. And because the data includes the identity fraud goldmine of the victims' names and social security numbers (SSNs), one of the lawsuits claims the danger to …
I notice that swerves the question of whether they are unique or not.
UK readers should be well aware that National Insurance Numbers are not. No idea if that is by design, or oversight. But it's one to bear in mind.
Mind you, who needs identity theft to mess your life up ?
SSNs are not unique. They need to be re-used given the small range of possibilities.
9 digits, some of which are pre-allocated and possibly known by other means.
If there is a common hashing or encryption algorithm, easily deduced from the product of that algorithm.
Wikipedia indicates this to be incorrect:
The Social Security Administration does not reuse Social Security numbers. It has issued over 450 million since the start of the program, about 5.5 million per year. It says it has enough to last several generations without reuse and without changing the number of digits. There have been accidental assignments of the same number to more than one person.
In addition, it appears that numbers beginning with the digit 9 are not permitted, so that would allow for expansion if the key space is exhausted without breaking old numbers.
Yes, the same number has been assigned to two people with the same name who emigrated from Korea if I'm not mistaken...
and my memory still works... https://nextshark.com/ssa-korean-immigrants-same-social-security-number
And as far as using the SSN as a personal identifier, it was never meant to be. It's been abused like the redheaded stepchild since I first started working in 1978. It was my employee number at many places. It was supposed to only be used for the SSAdministration, or so I was informed many decades ago.
The "don't use this number for anything except Social Security" message was removed from cards in 1972, according to Wikipedia. I don't believe it ever had the force of law.
The 1986 Tax Reform Act incentivized getting SSNs assigned to children, because they were necessary to claim those children as a deduction on income tax. That made SSNs even more useful as generic identifiers.
Considering how widely they're used and how often they leak, I don't really share the plaintiffs' concerns in this one. Yeah, you'll be at risk from identity thieves for the rest of your lives. So will everyone else.
And, yes, a poor showing by Mercer U here. But universities in the US tend to have grievously underfunded IT departments which don't pay as well as private industry, so it's not surprising. That's not an excuse, but this whole thing does seem rather mundane as breaches go.
This appears to fall into the "accidental assignments of the same number to more than one person" category as quoted. They're supposed to be unique, but it's a government system and sometimes they fail. I'm not trying to pretend that they do anything well, from assignment to use, but that doesn't change the fact that reuse of the numbers is not part of the planned system, and when it appears, it's an error which must be corrected.
> Given the extent to which these have been plundered (and equivalent identifiers in other jurisdictions) maybe it's a principle that needs to be rethought.
The easiest thing to do would be to consider them as just an identification, but not the identification. Like your name, which rarely is unique, even considering the middle name.
If you need to prove your identity with a couple additional means*, identity theft will become way less easy to commit. I might be wrong, but AFAIK in Europe there is little to no identity theft, and they do have and use SSNs. How do they do it?...
* I already see the comments: Complicated, awkward, and so on. On the other hand, how often do you take a new credit (or some such)? ID checks should be proportional to the importance of the procedure: The more money/risk involved, the more checks required.
"The Register noticed Mercer filed the data breach notice with the Maine state attorney general, under a law which only applies to personal data that is not encrypted, but not wanting to take this at face value, we asked the institution whether it had any encryption in place. It declined to comment on pending litigation."
Why would a University in Macon, Georgia, file a data breach notice with the Maine State Attorney General, a State 1200 miles away?
Mercer filed the breach letter with a number of different states (probably every state that has a legal requirement), since they would have alumni living in every state. Maine nicely posted the information on their website, and since they only require the data breach notice IF there is unencrypted data, the author was able to infer that some data was unencrypted.
"Why would a University in Macon, Georgia, file a data breach notice with the Maine State Attorney General, a State 1200 miles away?"
If the university has a satellite campus in Maine or some other official office (tax reasons), they might be required to make certain filings about data breaches. Many universities have remote campuses. If the uni has a graduate course in volcanology, an office/lab someplace that has a volcano can be very handy.
A lifetime ruined and a crappy credit score as a reward.
First of all, the credit scoring agencies are just as suspect for leaking personal information as many of the merchants.
But the company that accepts personally identifiable information (or other variations) should be held accountable for all the damage that can occur if that is used for nefarious purposes.
While this particular article is about exfiltrating this information, there are lots of situations where the companies in question also mis-use the information and cause harm (sharing with "trusted" partners).
I suggest a surety bond for every customer be placed in a trusted place (not sure what that is anymore) and any negative actions and pain-and-suffering penalties be paid from that accumulated bond. Probably $100,000 per customer? Also the officers and directors of said companies be held personally responsible for payments that exceed the bond amount.
I've always thought that the only consequence that would truly force businesses to take security seriously, and enforce the use of encryption as well as the decision to not store information for the sake of it, is to make them 100% liable for the financial damage done to every individual who suffers from a breach.
If they had to make payments to refund victims for the cost of making purchases at high interest rates (due to the resulting bad credit score), that would be a step in the right direction.
Another would be to force them to finance the purchase of cars and homes at the perfect credit score rates.
Not practical? Nor is having to pay 20-30% more for major purchases for years because someone at a company the victim did business with thought it was too expensive to implement proper security.
I keep my credit locked down and only lift it briefly for checks that I authorise. There are not many. Not only is it free but it does not allow snoopers to even view your credit score so far more private than the so called 'credit protection' services out there.
Everyone should do this. There is no way to know whether you have been hacked. I got a letter from an organisation recently saying that 'my data had been compromised' three months prior.
Locking down your data has some unexpected benefits. The company that I have used to insure my house for many years recently contacted me because they were unable to pull my credit. What on earth were they thinking? I told them I would find a different insurer if they ever tried that again, they backed down very fast.
"I keep my credit locked down and only lift it briefly for checks that I authorise. There are not many. Not only is it free but it does not allow snoopers to even view your credit score so far more private than the so called 'credit protection' services out there."
It's not a bad idea but woefully inadequate. The credit reporting agencies have sheafs of regulations they have to abide by, but not so with most of the bigdatasphere, the "not credit reporting" companies. While they don't advertise as reporting on people's creditworthiness, they still do along with all sorts of other personal information that you are likely not going to want to have all in one convenient to sell place.
I went to graduate school in the US and have an assigned SSN (wasn't born in the US but worked there many years). I refused to give them my SSN and they gave me a random student ID. Similarly, many forms in other businesses ask for it but you can almost always refuse to give it. For example, every doctor's office and hospital form I've seen asks for it - but I have never shared mine. You only legally have to give it when they are reporting your income to the IRS (banks, investments, etc). Of course, the businesses won't tell you this.
What they really need is a law that makes it illegal to store a Social Security Number for anything but tax reporting and retirement - but all the data harvesting companies (Experian, Transunion, etc) will buy enough politicians that it will never pass...
> Then they will just require only your name and dob to open a credit card.
That would create a different kind of problem, but this time mostly for the banks. Let's assume your name is John Smith, and another John Smith does some fraudulent credit card stuff. How does that affect you? As long as the police can't say it was you and nobody else, you're off the hook.
Besides, banks need to make sure you will pay what you have to pay, so trust them to make sure they get you pinned down to a single individual, somehow.
Your account or credit card or mortgage application gets cancelled cos there is another John Smith with bad credit.
The police know it's not you but the bank is free to choose whatever customers they want - and why would they take the risk ?
> cos there is another John Smith with bad credit
Yeah, sure. So they will refrain from selling their service to all the hundred thousand "John Smiths" out there, just because one of them is untrustworthy. The bank clerk suggesting that will be out of the door in a heartbeat!... :-D
With the same logic, since some humans are crooks, banks shouldn't sell service to humans... No, banks are greedy, so they will make sure to separate the wheat from the chaff, their quarterly earnings depend on that.
If they were really using only your name and birthday, then things are probably fine for the John Smiths, but less fine for those with less common, but not nationally unique, names. It also makes identity theft much easier, since birthdays are much less opaque than insecure government numbers.
However, those two problems are so large that somebody would find an alternative mechanism. That's no guarantee that the mechanism they agree on will be good for customers, because it would probably be something along the lines of "You must voluntarily sign up for a credit tracking account before any bank is willing to open accounts". However, I'm reasonably confident in saying that the name-only system would be rejected pretty quickly by financial companies.
> they were really using only your name and birthday
They wouldn't do that, would they. It's not even guaranteed to be unique for common names in big cities.
They would use everything they can, your name, birthday, some (serious) proof of permanent residence (not just an envelope addressed to you!), driving permit if available. And even that would probably not be enough, you might be forced to have some official ID (passport, passport card).
"For example, every doctor's office and hospital form I've seen asks for it "
It's well known that if you put a bunch of spaces for somebody to write down information about themselves and hand it over on a clipboard with a pen, they'll be diligent in filling it all out <bah, bah, munch some grass, bah>. I hope the SSN that I make up doesn't ruin somebody's life and the telephone number I routinely hand out is a test number that just rings. My alternate is a phone on somebody's desk at the state tax board. My address is a PO box and I've moved a couple of times since I started using a PO box for all deliveries so much of my backtrail is scrubbed. My driving license and registration have my physical address at the DMV, but all paperwork shows the PO box. They will do this if you ask in many cases. Sometimes you need to invent a story that you work in the jewelry business or something and need to keep your physical location secret for your family's safety or whatever BS you cook up. Famous people can take it a step further and have their vehicles owned by a company with a company address in some shared office space where they rent a phone line and mail handling services.
It's important to restrict the information you give out about yourself and always think about whether something being requested is reasonable. The doctor's office wants your SSN so it's easier to send your account out for collections. My local city wanted my SSN on the water account and a signed waiver (8th gen Xerox) from the collection agency they use. I lied on everything but my name. I even practiced a signature until I had something much different than my real one and took that form back to the window a couple of days later. The bill is $30/month and unless you are a 'person of color', they'll have that meter locked out before you're 60 days overdue. For some reason they have a list of people with 6 months past due bills still getting service that going by the names, you'd swear they are all non-caucasian. I've been late before and the threats are overwhelming. One person I know got a couple of weeks behind and was cut off so I have to wonder why they let others go for such a long time.
It used to be that the first three digits of an SSN indicated the office, or anyway region, that issued it. Once, when I wished to see whether we had any SSNs masquerading as properly meaningless IDs, I searched a dataset for IDs that a) were nine digits long, b) began with the same three digits as mine, and c) belonged to an Ohioan. Of course there was one organization that hadn't got the word.
This style of issuance may have changed since--I got my Social Security card sixty years ago--but it does reduce the search space.
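The kind of audit described in the comment above, as an added example that is not part of the original thread: rather than matching one area prefix, it generalizes to the structural rules for SSNs (area never 000, 666 or 9xx; group never 00; serial never 0000) and reports which data sources have ID fields that are mostly SSN-shaped. The function names, source names and sample records are constructed for illustration; the three SSN-shaped values are widely published specimen numbers.

```python
import re
from collections import defaultdict

# Nine digits, with or without the usual AAA-GG-SSSS hyphens.
SSN_SHAPE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def looks_like_ssn(value):
    """True if value has SSN shape and passes the structural rules."""
    m = SSN_SHAPE.match(value.strip())
    if not m:
        return False
    area, group, serial = m.groups()
    # Areas 000, 666 and 900-999 are never issued as SSNs.
    if area in ("000", "666") or area.startswith("9"):
        return False
    # Group 00 and serial 0000 are never issued either.
    return group != "00" and serial != "0000"


def audit(records, threshold=0.8):
    """records: iterable of (source, id_value) pairs.

    Returns {source: fraction} for every source where at least
    `threshold` of the ID values look like SSNs, i.e. sources that
    are probably using the SSN as their "meaningless" identifier.
    """
    totals, hits = defaultdict(int), defaultdict(int)
    for source, ident in records:
        totals[source] += 1
        hits[source] += looks_like_ssn(ident)
    return {s: hits[s] / totals[s]
            for s in totals if hits[s] / totals[s] >= threshold}


# Constructed sample data: three hypothetical sources feeding one dataset.
SAMPLE = [
    ("registrar", "A0012345"), ("registrar", "A0012346"),
    ("registrar", "A0099871"),
    ("clinic", "123-45-6789"), ("clinic", "078051120"),
    ("clinic", "219-09-9999"),
    ("library", "900123456"), ("library", "000451234"),
    ("library", "77120"),
]

if __name__ == "__main__":
    for source, share in audit(SAMPLE).items():
        print(f"{source}: {share:.0%} of IDs are SSN-shaped")
```

A nine-digit internal ID can pass these checks by coincidence, so a flagged source is a lead for review rather than proof; the per-source share is what separates an occasional collision from an organization that "hadn't got the word".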
we have the leak of the entire frecking university pensions USS data. El Reg might want to keep a weather eye on this one ! The latest is an email "from USS" telling everyone to register on a credit watch agency via a link. I.e. exactly the type of email we're all told we shouldn't respond to. How TF is anyone meant to safely manage their affairs ?
"This is what happens with the USA constant refusal to get a National ID."
The US is a huge country with all sorts of dodgy politics. At some point, a laptop will be stolen from a car that belongs to a government employee that downloaded the data to work on at home and had just stopped by their church to sort out a couple of things when the laptop was stolen. In other words, somebody needed a thin veneer of plausible deniability and tossed half the US population under the bus to get it. There is already a de facto national ID, telephone numbers. With the ability to take your telephone number with you everywhere, people are doing that. I'm guilty of it myself and will rectify that issue pretty soon. I've had my current phone number far too long.
If a national ID was instituted, it would be nanoseconds before the government heaped everything about a person under that number creating one of the most lucrative hacking targets ever known. Given how governments usually outsource things to the lowest bidder, the data protection would be so poor they'd use it to train school aged kids in India how to hack in beginner lessons. Big data has files on darn near everybody, but getting a chance at the data only a government is going to have would have them drooling. That national ID number would be awesome for accuracy. Name, DOB, Phone, national ID number = exactly one person.