In recent years, the typical black market price for a package of personal identifying information that includes a person’s name, date of birth, and Social Security number has been around $10, with many in the region of $1. These estimates come from multiple analyses by credit reporting companies of black market data sales.
These and other companies urge consumers to protect their Social Security numbers, but the numbers’ low price is a reminder that no matter how hard individuals try to protect their identities online, personal information frequently turns up in data breaches. That makes it difficult for banks and credit unions to verify the identities of their customers and members online.
The latest example of the devaluation of Social Security numbers as personal identifiers is the leak of 2.7 billion records from data broker National Public Data (NPD), many of which contained the nine-digit numbers. While not all of the Social Security numbers in the exposed database were properly linked to individuals, the scale of the leak means that millions of people are likely affected.
Theresa Walsh, global information director at the Financial Services Information Sharing and Analysis Center, an international coalition of financial institutions focused on cybersecurity, said the breach doesn’t change the status quo: personally identifiable information (PII) is “already available online in great volumes.”
“Social Security numbers can be compromised from an early age,” Walsh said, “but in most cases, a Social Security number alone is not enough for a bad actor to open an account tied to personal information.”
While this is good news for consumers seeking protection if their Social Security numbers are compromised, bad actors do more than simply steal data to create profiles of potential victims of identity theft.
Walsh said AI and database tools can help fraudsters link together different PII leaks to create a comprehensive profile of affected individuals. Such a profile can include previous addresses, bank account information, frequently used passwords, passport or driver’s license scans or anything else that appears in a data breach and could be useful for impersonation.
One side effect of all this, Walsh said, is that financial services providers are returning to older tactics for thwarting fraud, such as requiring new customers to come into a branch with identification and a utility bill.
And just as fraudsters can link data breaches to improve their identity fraud methods, banks are also trying to link legitimate identity databases together. One example, Walsh said, is linking business registration databases with bank databases to validate new business bank accounts that have associated business registrations.
“But there are a lot of obstacles to linking these databases together due to privacy concerns, so right now it presents a lot of opportunities for cybercriminals,” Walsh said.
John Clay, vice president of threat intelligence at cybersecurity firm Trend Micro, said the ability of cybercriminals to cooperate means governments and organizations also need to work together to implement stronger data protection protocols.
“While this breach may not significantly increase the likelihood that individuals will be targeted immediately, it certainly increases the likelihood that they will be victimized in the future,” Clay said. “It is important that individuals remain vigilant and that both the public and private sectors step up their security measures to prevent this data from being misused.”
Even if an individual’s data has been breached before, further breaches can serve as data points for scammers to verify and build trust in that victim’s profile. The more data breaches that verify a potential victim’s Social Security number and other identifying details, the more valuable that person’s profile becomes on the black market.
“Due to the constant demand for personal information, cybercriminals can still make a profit even if some of the data has been previously leaked,” Clay said. “The black market operates on volume and the law of averages. By selling large quantities of Social Security numbers at low prices, criminals can still make a large profit.”