Posted February 27, 2015
Today’s blog post comes to us courtesy of guest contributor Tim Rohrbaugh, VP of Information Security for Intersections
In all the noise around the stolen customer data at Anthem Healthcare, many have missed what is now a new and very serious risk to American households: millions of children’s social security numbers have been stolen, and will be used in waves of financial crimes over decades to come.
Anthem Healthcare (and other healthcare providers) believe they needed to collect their customers’ children’s names and Social Security Numbers (SSNs) to verify the beneficiaries of their health plans. If this is absolutely necessary, what Anthem should have done thereafter would be to destroy this sensitive information, which currently only resides in two other places in the world – with the U.S. Social Security Administration (the issuer of the SSNs), and with the Internal Revenue Service (needed for parents to claim tax credits for their dependents).
The massive information security blunder at Anthem, where the SSNs were stored insecurely, has exposed this data to the world’s cyber criminals and brings the risk of financial fraud and identity misuse to US families to a new high.
Why is the Anthem breach a watershed event for children’s identity protection? This is the first major breach of children’s names, SSNs and birth dates, running into the tens of millions of data elements. Second, the information that was stolen, particularly pertaining to children, was directly linked with that of their parents. This link will make it much easier for cyber criminals to perpetrate fraud using the children’s stolen data.
Children, for obvious reasons, do not have established credit files or financial identities. The theft of parent’s data describing their financial identities – full names, SSNs, home addresses and such, directly linked with the full names, SSNs and home addresses of their children, makes for a catastrophic event for the children. Children are essentially more vulnerable to identity misuse because they have no established credit or identity records. Children are, in effect, “off the grid” when it comes to financial information. Add to this that the cyber criminals now have an “on the grid” related record in the parents information, and you have a fatal combination.
Criminals will use the combined parent and children data to create new “Synthetic ID’s”, as termed by the security industry. Synthetic ID’s take information from multiple identities and combine them to create a new fake identity. Why are children great targets for cyber criminals? Because children do not have any existing and verifiable information with which to refute the Synthetic ID. Children have no established financial records or information that can tell banks and other financial service companies, “Hey, this application or transaction doesn’t look right.” And now for the really bad part: most children won’t even find out that they been victimized until they are an adult and start to establish credit, which could be 18 years later. When they do reach adulthood, they will find that their credit history is scarred beyond recognition, and it will take many months and substantial resources to fix the problem.
Advice For all US Parents
Parents should be vigilant in protecting their children’s SSNs and other personal information. Does the local soccer league really need Joanie’s SSN or birth certificate? The answer is “No”! Parents should be on the lookout for marketing offers (via email or mail) addressed to their children. This is an early warning sign that the child’s identity may already have been stolen by cyber criminals and is in use somewhere in the US. For older children, parents should speak with their children about the breach, explain the risks of sharing too much, and ask for their help in looking out for anything that seems suspicious: calls, texts, social network friend requests.
Parents should seriously consider enrolling their children in a service to monitor their identities. In choosing an identity monitoring service, parents should take care and only choose a service that does not create a credit record for their child in the enrollment process. It is important to note that traditional credit monitoring does not work because a minor is typically unable to be monitored the same as an adult. Creating a credit record is what a cyber criminal will do when creating a Synthetic ID.
It’s a scary world in cyberspace and it just got even scarier for a lot of children in America. We in the U.S. need proper data governance by all which, when applied properly, would challenge the collection and storage of minor’s sensitive personally identifiable information (PII). And how about requiring all issued SSNs to minors be restricted from certain forms of use in the financial sector? System changes, even if time consuming, could mean a great deal to some.
Guest blogger Tim Rorhbaugh is Vice President of Information Security for Intersections Inc. (NASDAQ: INTX), a leading provider of consumer and corporate identity risk management services. It is recognized as the preferred partner of major financial institutions in North America, providing custom identity management solutions. Tim currently serves on the board for the Online Trust Alliance where he provides strategic advice from technical and corporate governance prospective with the goal of strengthening the bonds of trust between consumers and concerned businesses, and he has been a featured speaker at many security events. The views and opinions of guest bloggers do not necessarily reflect the views of Cyveillance, Inc.