Organized cyber-criminals have taken what used to be a minor domestic crime and turned it into a global ID trafficking ring. In these cases, the data that’s so valuable are the Social Security numbers of young children because they can easily be matched with any name and date of birth and used to create fraudulent identities, obtain credit or even dodge residency rules for getting work in the United States.
There was a time when problems with child ID theft came from family members of young children who would use their SSNs to get around poor credit or even criminal records, but that’s changed. According to testimony by the Federal Trade Commission delivered to the House Committee on Ways and Means’ subcommittee on Social Security, “Children’s SSNs are uniquely valuable because they lack a credit history and can be paired with any name and birth date.”
Worse, the problem usually isn’t discovered until years after the theft takes place because children can’t apply for credit on their own. During that time, the criminals with the stolen information can have free rein to sell the information to others or to establish credit and run up hundreds of thousands of dollars in bad debt.
The numbers are stolen in a variety of ways. The most common is data breaches due to lax or nonexistent security relating to a child’s personal information. A wide variety oforganizations demand a child’s SSN regardless of whether they have a legitimate use for it. These groups may be day care centers, sports leagues, doctors’ offices or schools. In many cases, such as children’s sports leagues, the information may reside on a club official’s personal computer with no security whatever.
Whiledoctor’s offices and hospitals are supposedly covered by the Health Insurance Portability and Accountability Act (HIPAA), health care organizations along with educational institutions are the greatest sources of data breaches, according to Matt Cullina, CEO of Identity Theft 911. Cullina said that security can be so lax at some hospitals that employees gather the newly issued Social Security numbers of newborns and pass them to their criminal partners. Laws in many states that mandate that children have a valid SSN before they leave the hospital help ensure that such people can get the numbers whenever they need them.
But sometimes the security breach is self-inflicted. Cullina tells of a high school in the Midwest that published its honor roll, listing each student’s name and other information from the student’s records-without noticing that the information included the student’s full name, date of birth and Social Security number.
Ultimately, these data breaches cause enormous economic damage to the businesses that must eventually suffer the losses from fraud, but of course they also create enormous problems for the children who have had their identities stolen, especially if the theft isn’t discovered until the child looks for his or her first job or applies for that first education loan.
Its Time to Randomize Social Security Numbers
However, data breaches aren’t the only way criminals get SSNs. A network of cyber-criminals has figured out how the Social Security Administration generates its numbers and is using that to come up with valid Social Security numbers around the time that a child is born. Because the first three digits of a Social Security number reference the region where the number is issued, it’s only the last six numbers that are really tied to identity, and those are issued in a predictable sequence.
This means that a child’s SSN can be stolen without any sort of data breach and that a fresh SSN can be tied to someone else’s name and address. That person can then use the new SSN to get credit or a new identity. The Social Security Administration is working on a plan to randomize Social Security numbers, and in the meantime is offering some guidelines to dealing with identity theft, including getting a new number.
There’s not a lot you can do about criminals who have cracked the SSN code, but you can prevent data breaches to some extent by not providing your SSN (or your child’s) when it’s not required. This means that even if your T-ball league asks for your child’s number, you don’t need to provide it. If someone or some organization needs the number, or claims to, ask why they need it, how they will secure it, how they will destroy the information when it’s no longer needed and what they will do to prevent a data breach.
But what happens if someone does steal your child’s identity-or yours? In the case of your child, this discovery can happen at tax time when the IRS doesn’t issue the refund you expect or notifies you that your child has already filed his or her own return. Or sometimes you might hear from creditors.
But the best way to find out is by getting an annual credit report for everyone in your family, every year. It’s free. It’s worth noting that your minor children shouldn’t have a report to request because they won’t have a credit file. If they do, it’s a red flag.
In the enterprise, the new effort by organized crime to steal the numbers belonging to children can have serious consequences. Your company depends on Social Security numbers in hiring, in extending credit and other financial transactions, and in reporting wage information to the IRS. A surge in stolen numbers can have its own security implications for your company no matter how they’re used.