On Thursday, the federal government's Office of Personnel Management released the damage report of one of the largest hacks in American history. Over 21 million government workers have had their social security numbers compromised — that's over 7% of everyone in the entire country.
The OPM hack is just one of many breaches that have exposed millions of Americans to hacking groups, individual identity thieves and even, some analysts believe, state-sponsored Chinese hackers. And it all happens so invisibly that hardly anyone outside of government and the media seems to bat an eyelash.
One big solution: In the growing opinion of cybersecurity experts, identity theft wardens and the tech sector, it's time we give up on social security numbers. They've become a defining piece of personal information — Pew Research Center found that people consider it private info of the highest secrecy — even if they were never meant to be the be-all, end-all passport to proving we are who we say we are.
"It's going to be very difficult for us to figure out how to switch over to a better identity identifier, but it's time for experts in security and government to figure out what the solution is to stemming the tide," Eva Casey-Velasquez, president and CEO of the Identity Theft Resource Center, told Mic. "Something needs to change."
"Social security numbers are being used now ubiquitously for a completely unintended purpose."
Social security numbers, once stolen, act as a skeleton key for stealing your identity. It's what makes them so valuable to hackers, for whom SSNs fetch a much higher black market price than credit card numbers.
Casey-Velasquez and her team see a constant slew of breaches on retail stores and e-commerce sites where credit card data and payment information of customers is exposed, like the major consumer breaches at Target and Home Depot. But simply having a credit card isn't enough to to open new lines of credit, or commit medical identity theft.
"It's the most important piece of information if a thief wants to be able to really commit a lot of different types of identity theft," Casey-Velasquez told Mic. "If you think of your identity like a puzzle, the more pieces a thief has, the more harm they can do. But the SSN is the critical piece."
Your social security number is all but impossible to change, which is the biggest problem of all. The immutability of the number is what makes them so popular with hacks like these. A credit card can be canceled in a heartbeat — hell, some providers can sense fraud and stop it without you even noticing.
Not so with your SSN. Applying for a new SSN can be a total pain in the ass, moreso than just applying for a new passport or other government-issued identification. So when your info is hacked — if you even know it's been hacked — and your SSN is in the wrong hands, it's difficult to move quickly to protect yourself.
"If you think of your identity like a puzzle, the more pieces a thief has, the more harm they can do. But the SSN is the critical piece."
As is the case with the breach on Anthem, a health insurance provider that lost the SSNs of nearly 80 million Americans, many of the victims of these crimes are children. When a kid has their SSN stolen, that information ages like fine wine. It's indefinitely useful, gaining market value as victims forget about their breach but remain just as vulnerable.
"The permanence of any number should be ended immediately," Paul Martini, CEO of leading cybersecurity company Iboss, told Mic. "There's no way a piece of information should last your entire life."
The truth is, social security numbers were never meant to be so important. When they were first issued in 1936, they were for helping people track their retirement benefits. But because they were such a unique piece of info — everyone had one, and the federal government was tracking them — it became an easy, central way of identifying someone. Keep your social security number private, and you have a kind of secret password that clues someone in to who you were.
"Unfortunately, over the last century, SSNs have gone from a single-purpose identifier related to retirement benefits to a global identification method," Michael Carney writes for Pando. "The problem is, the system was never designed for this kind of use."
Now, once someone has your social security number, they can commit criminal fraud, spoof your identity, sign up for emergency health coverage charged to your name, convince government agencies that they're you, and potentially obtain further ID. In other words, using Casey-Velasquez's elegant metaphor, they can continue to build more of the puzzle pieces needed to pass themselves off as you.
Which is why we need a replacement — some other, more mutable piece of information. But Casey-Velasquez says alternative suggestions have caused panic and paranoia over government-imposed identification numbers. One thing we could do is model ourselves off of Europe and stop using them as a method of foolproof verification altogether. Instead, we could just use the reliable-yet-changeable pieces of personal ID we already have: drivers' licenses, passports and proof of address.
"If you talk to someone in the U.K. and say you need a SSN, they have no notion of that," Martini said. "In the U.S., we latched to it because it was the only thing unique in the federal system. But with this loss of 25 million records, how private is it anyways?"
Whatever we do, it's becoming clear that we should cut the cord tethering us to social security numbers and either admit that they're more damaging than useful, or just let them slowly drift off into the sea.