Crusade To Dump Social Security Numbers Picks Up Steam

First we were told that 26.5 million records of veterans and spouses were stolen, along with around 20 million Social Security numbers. A few days later, the Veterans Administration (VA) added 50,000 active duty folks to the list of those whose personal data had been purloined.

And now, Reuters reports that the roster of 50,000 active duty victims has swollen to 2.2 million patriots on duty today, or waiting in reserve.

In response, five veterans groups have filed a class action lawsuit, demanding judicial oversight and protection of VA computer files with personal information… and US$1,000 per record.

John Rowan, National President of Vietnam Veterans of America (VVA) and a plaintiff in the VA lawsuit, wondered, “What was an employee of the VA doing with the names, Social Security numbers, and dates of birth of all these veterans?”

The chairman of the House Committee on Veterans’ Affairs labeled the laptop theft “a meltdown in VA’s information management.”

And analysts at Gartner have concluded that this and other thefts of personal data make it clear that Social Security numbers provide unreliable proof of identity. They believe businesses should only use this data as a single component of an overall identity score.

Even before the disclosure of the active duty losses, Gartner VP Avivah Litan told the Committee on Veteran’s Affairs that this ripoff demonstrates just how vulnerable some of the nation’s most sensitive data is.

“This incident also shows that the Social Security number has become an extremely unreliable piece of information and cannot be trusted to be unique to an individual. Companies should not rely on Social Security numbers alone as proof of individual identity,” Ms. Litan said. “As many as one-in-seven adult Social Security numbers in the U.S. may already have been compromised.”

Nearly all the states have enacted laws restricting use of Social Security numbers, or are working on them. Universities have led the way (for once), purging the numbers from databases. Even the feds are entertaining a variety of approaches to restrict SSN use for identification… at least for Medicare.

According to CNN’s Jeanne Sahadi, our heroes have nothing to worry about:

There’s no proof so far that the theft of the veterans’ personal data was a targeted heist. And realistically, even if it were, there may be safety in numbers - a vet may have as little as a 1 in 26 million chance of his or her identity being ripped off.

Ms. Sahadi has no sense of what she’s dealing with. Assuming, for the sake of argument, that all 29 million (not 26 million) victims are on the web, one phisher with a relatively small botnet of 10,000 zombies could contact all of them in 16 days, while pumping less than 8 messages per hour through each hijacked computer.

More likely, the thieves can easily discount all 29 million names to a fence, who will then carve up the list for various shenanigans. Even the Social Security numbers of dead people are valuable, when attached to a name.

How will they find the fence? Google it.

Is it time for a replacement for the SSN? Absolutely.

But not before we can secure it.

Email Battles Backgrounder:

• Gartner: Securing data’s cheaper than cleaning up after theft; NewsByte; Email Battles; 07 June 2006.
• Five vets groups go to war against VA seeking control of records; NewsByte; Email Battles; 07 June 2006.
• Boss of Slippery-Fingered VA Analyst Gets The Boot While Keystone Kops Give Chase; Email Battles; 31 May 2006.
• Why Steal Social Security Numbers, When You Can Get Them For Free?; Email Battles; 25 May 2006.
• VA: The perps can’t possibly know that they have 26.5 million Social Security Numbers!; Email Battles; 23 May 2006.
• Justice Dept publishes Social Security Numbers; NewsByte; Email Battles; 23 December 2005.
• Social Security Numbers Insecure?; Email Battles; 11 February 2004.