As cyberattacks continue, analysts are seeing a new pattern: Hackers are focused on stealing personally identifiable information. That includes the security clearances of U.S. intelligence officers, with the reported theft of background information. It also includes information that's less sensitive but far-reaching — like Social Security numbers.
In an interview with NPR's Audie Cornish, NPR's Aarti Shahani took a look at just how many Americans' Social Security numbers have been stolen so far, and what's being done about it.
Let's start with stats. Following big data breaches like Anthem and, more recently, the federal government's Office of Personnel Management, how many Social Security numbers have been taken?
The question sent us on a wild goose chase.
The Social Security Administration says it does not have a count. So we turned to the Federal Trade Commission, which is the lead agency on identity theft for the federal government. FTC officials say they don't have anything approximating that number because they don't track data breaches. It's not part of their mandate from Congress.
The FTC suggested we contact Verizon. Their business unit, Verizon Enterprise Solutions, publishes a very popular annual report on breaches.
So, to get a tally on theft of Social Security numbers, the federal government sent NPR to a phone company?
Verizon gets cyberattack data from dozens of organizations around the world, including federal agencies like the Secret Service and the Department of Homeland Security's Computer Emergency Readiness Team.
Jay Jacobs, lead data scientist at Verizon for the breach report, is a foremost expert who has been slicing and dicing this data for years. He estimates 60 percent to 80 percent of Social Security numbers have been stolen by hackers. NPR put the question to him multiple times and he stuck by this estimate.
That number is staggering. It's far larger than the estimate, by the federal workers union, that every federal employee is a victim.
Jacobs pointed out that while Social Security numbers have been stolen for decades, the scale of the problem is new. Before, socials were written or typed on a piece of paper, and breaking into one filing cabinet doesn't scale up. But now that everything is digital, if hackers compromise a server or data warehouse, that theft scales into the millions, quickly.
"It's gotten somewhat easy for the attacker," Jacobs says. "I think we're underestimating just how [many] records are out there."
So the problem of theft has changed by orders of magnitude, but just because your number was stolen doesn't mean you're a victim of identity theft?
Correct. The number of victims is definitely smaller. But we don't have a great estimate on how many people have actually been harmed. That'll unfold over time.
One key detail: The burden falls on you to vigilantly monitor if you are a victim. The Social Security Administration has a policy: You can't change your Social Security number just because it's been stolen. You need proof it's been abused. SSA is strict about it. In all of 2014, they replaced only 250 Social Security numbers based on misuse and disadvantage.
What about technological solutions? Is there something better than a Social?
In health care, which is where a lot of this problem is originating, there are efforts to reduce the so-called Social Security footprint.
Aetna, the health insurer, has a policy to collect, store and share Social Security numbers in fewer and fewer places, to reduce the threat of exposure.
There's a new generation of health apps that help you visit the doctor or ER. A popular one called iTriage has a policy of not collecting or storing Social Security numbers, specifically for security reasons.
Outside health care, there are tech companies working on alternative ways to identify a person through biometrics (think iris scans), and systems that track your behavior to block access if it looks like you're not acting like yourself. Experts say systems have to be revamped to do two-factor authentication — where the user provides not just a password, for example, but also a fingerprint.
AUDIE CORNISH, HOST:
The theft of personal information belonging to as many as 14 million people from government databases puts the issue of cyber security front and center. That makes it a good topic for this week's All Tech Considered.
(SOUNDBITE OF MUSIC)
CORNISH: Our Internet-connected world now makes it possible for enterprising thieves all over the globe to steal troves of information all at once. That includes long lists of credit card numbers, as we've seen repeatedly, and also Social Security numbers, as in this latest government hack. NPR's Aarti Shahani joins us now from San Francisco to talk more. Hey there, Aarti.
AARTI SHAHANI, BYLINE: Hi.
CORNISH: So as you've been looking beyond this particular incident at the broad problem of Social Security number theft, we've also seen this in the hacking of health care records, such as at Anthem. What have you learned? I mean, how many Social Security numbers have been taken?
SHAHANI: (Laughter). Well, that's a question I've been trying to answer, and it sent me on a wild goose chase. The Social Security Administration says it does not have a count. So then I turned to the Federal Trade Commission, which is the lead agency on identity theft for the federal government, and they say they don't have anything approximating that number because they don't track breaches. And they suggested that I contact Verizon, which puts out this very popular annual report on breaches.
CORNISH: So to get a tally on theft of Social Security numbers, the federal government actually sent you to a phone company?
SHAHANI: (Laughter). Pretty much. Now, Verizon gets cyber-attack data from about 70 organizations around the world, including federal agencies like the Secret Service. I spoke with a senior researcher at Verizon, a lead data scientist who's been slicing and dicing this data for years. And before I tell you his estimate, Audie, I've just got to ask you. What would you guess? What percentage of people has had their Social Security number stolen?
CORNISH: I'm going to guess, like, 20-something percent.
SHAHANI: (Laughter). OK, fair estimate. According to this expert, his guess - 60 to 80 percent of our Social Security numbers have been stolen by hackers.
CORNISH: Yikes. That's, like, everyone. That's really a percentage. I mean, that's most of us.
SHAHANI: It's the vast majority. I even told the guy, like, hey, I'm not asking about email addresses. I'm talking Socials. And he stuck by that estimate. You know, he also pointed out that Social Security numbers have been stolen for decades. Back when they were written on paper, breaking into a filing cabinet - that's not a crime that scaled up. But today, when you've got everything digital on servers and data warehouses, that'll scale into the millions quickly.
CORNISH: So theft has grown by orders of magnitude. But just 'cause your number was stolen, that doesn't mean that you're a victim of identity theft.
SHAHANI: You know, fair enough. And the number of victims is definitely smaller. We just don't have a great estimate on how many. A key detail is that the burden falls on you to vigilantly monitor if you are a victim. The Social Security Administration has a policy. You can't change your number just because it's been stolen. You need proof that it's been abused and you've taken great pains and efforts to fix the problem. And they're strict. All last year, they replaced only about 250 people's numbers.
CORNISH: That's NPR's Aarti Shahani in San Francisco. Thanks so much.
SHAHANI: Thank you.
Transcript provided by NPR, Copyright NPR.