In 2020, there were 1,108 data compromises. By 2023, the number of compromises reached 3,205, according to the Identity Theft Resource Center.
The most recent high-profile breach: An estimated 2.9 billion Social Security records, or 272 million unique Social Security numbers, were stolen from a Florida company in April.
The numbers have been available for months. What does that mean for consumers?
“When someone assumes your identity with your Social Security number, they could apply for credit cards or a loan; they could open cellphone or other accounts in your name or use the information in other ways,” said Luke Ervin, a San Diego-based financial adviser with UBS Financial Services Inc.
Meghan Land, the executive director of Privacy Rights Clearinghouse, a national privacy nonprofit, said it’s best to assume your data will eventually end up in the wrong hands.
“Data breaches are unfortunately incredibly common,” Land said. “Even if you weren’t a victim in this one, information about you has likely been compromised in another breach. It can only help you to take proactive steps because this isn’t the first breach to compromise SSNs and it won’t be the last.”
The San Diego Union-Tribune asked people working in personal finance and online privacy, as well as representatives of the Internal Revenue Service and the Social Security Administration, how to prevent becoming a victim of fraud if your Social Security number is compromised. Here is their advice.
Check if your Social Security number is out there
There are at least two websites where you can see if your Social Security number was stolen in April’s massive breach. The following two sites do not require you to share your complete SSN. One is npdbreach.com, jointly created by a company named Atlas Privacy and a data rights organization called the Data Dividend Project. It asks for your name, ZIP code, and then either a phone number associated with you or your SSN. A tool from cybersecurity company npd.pentester.com asks for your name, state and birth year. In case of a breach, the site displays results of compromised information that can include street addresses, ZIP codes, phone numbers, birth date and a redacted SSN.
This leads to an important caveat about this second website: Anyone who inputs someone’s full name, state and birth year has a chance at pulling up that person’s addresses, birth day and month, associated phone numbers and/or a partial Social Security number.
Ann Clifton, a press officer with the Social Security Administration, also recommends monitoring your Social Security account.
“A person can check their my Social Security account regularly to see if there is any suspicious activity,” she said. “If a person has not yet applied for benefits, they should not see information about payment amounts on their my Social Security account and will be able to access their Social Security Statement to receive estimates of their future benefits.”
Immediately do the following if your SSN was stolen
Alert financial institutions. “Any time your data is compromised, the first thing to do is alert your financial services providers,” said Ammar Abuyousef, the U.S. Bank branch banking market leader for San Diego. “Whether it’s for a credit card or a checking and savings account, you can freeze your accounts before any bad actors are able to access or drain them.”
Get credit reports. “You should obtain a copy of your credit report from the three major credit bureaus (TransUnion, Equifax and Experian) to review for errors or possible fraudulent accounts and freeze your credit file — both steps are free,” said Land, with Privacy Rights Clearinghouse.
Free credit reports are available at annualcreditreport.com.
Alert authorities. “You can also consider filing a police report so that you have the information on file if you should encounter problems in the future,” said UBS’s Ervin.
Clifton, with the SSA, added that it’s good to ask for a copy of that report as proof. “It’s also a good idea to contact the Federal Trade Commission at www.idtheft.gov, or call 1-877-IDTHEFT (1-877-438-4338); TTY 1-866-653-4261,” she said.
Clifton also recommended informing the fraud unit at any one of the three consumer reporting companies. “The company you call is required to contact the other two,” she said. Here are their phone numbers: Equifax: 1 (800) 525-6285, Trans Union: 1 (800) 680-7289, Experian: 1 (888) 397-3742.
Fraud alert or credit freeze?
“A credit freeze is more effective than a fraud alert when it comes to preventing criminals from opening new accounts with your information,” Ervin said. “When a credit file is frozen, a creditor can’t access your report to evaluate you for a new account — meaning neither you nor a criminal can open a new credit account without unfreezing the file.
“By contrast, a fraud alert requires a business to verify your identity before opening a credit account under your name. Depending on how the business verifies your identity, a criminal with access to enough information about you might still be able to open an account,” he added.
Land, with Privacy Rights Clearinghouse, said doing both is another option. “You don’t have to choose between the two and both are free,” she said. However, she added, one might be more convenient, depending on circumstances.
“For instance,” Land said, “you must contact each of the three credit bureaus … to place a freeze, but a freeze will remain in place until you lift it. If you plan to open new credit accounts you must lift a freeze and then replace it each time you open a new account. To place a fraud alert, you only need to contact one credit bureau and it will alert the other two. You will not need to lift the alert to obtain new credit accounts, but you will need to renew the fraud alert on a regular basis (this can vary depending on the type of alert you use).”
Federal tax implications of a stolen SSN
For federal tax purposes, Raphael Tulino, a San Diego-based spokesman for the Internal Revenue Service, recommended reading the agency’s Taxpayer guide to identity theft. It’s less than 400 words and has links, resources and tips.
One tip: Beware if “You get a letter from the IRS inquiring about a suspicious tax return that you did not file. You can’t e-file your tax return because of a duplicate Social Security number. … You get an IRS notice that an online account has been created in your name.”
You can also apply for an IP PIN, or Identity Protection Personal Identification Number. This six-digit number adds another layer of protection by preventing someone else from filing a tax return using your Social Security number or Individual Taxpayer Identification Number (ITIN).
“If our records show that you were a victim of identity theft, you will automatically be enrolled into the IP PIN program,” the agency says. More on IP PINs at this FAQ.
If you think you’re a victim of tax-related identity theft — “when someone uses a taxpayer’s stolen Social Security number (SSN) to file a tax return claiming a fraudulent refund,” the agency says — you can submit Form 14039, Identity Theft Affidavit, online. You can also print a Form 14039 PDF and send it to the IRS.
In most cases, that affidavit isn’t necessary, because the IRS looks for suspicious tax returns. But here’s when it could make sense, according to the agency: You can’t e-file your tax return because of a duplicate tax return filed using your SSN; you are assigned a Employer Identification Number (EIN) without asking for one; you get a notice from a tax preparation software company that an account was made or closed in your name, and you didn’t do this. More red flags are at the IRS’s ID theft affidavit guide.
Staying safer after a breach
Once your number is out there, scammers have options. There are many ways they can try to get your money or access credit in your name.
Clifton, with the SSA, pointed to two links that explain what can go wrong if your private identity data is out there. One is about Social Security scams (blog.ssa.gov/social-security-and-scam-awareness) and one teaches how a stolen Social Security number can be exploited by thieves (ssa.gov/pubs/EN-05-10064.pdf).
She added, “If a person receives a suspicious call or email that states there is a problem with their Social Security number or account, they should hang up or not respond to the email. People should then go online to oig.ssa.gov to report the scam to Social Security. For more information, go to www.ssa.gov/fraud,” she said.
On a similar note, Land said it is important to “keep an eye out for imposter scams where criminals pretend to be someone you know, a government official or agency, a tech support company, your bank, your utility company or another company you are familiar with. Scammers may try to reach you by phone, email, social media, text message — really any way you can imagine.
“Scams can be convincing and elaborate, so it is helpful to stay up to date on trends and err on the side of caution when it comes to clicking links or providing information,” she said.
Abuyousef, with U.S. Bank, reminded people to change passwords “for any accounts where you have stored personal financial information.” He added, “This would include any banking or investment accounts. These passwords should also be updated regularly and stored in a secure password manager, with many affordable options available.”
Erwin, with UBS, shared these password best practices: “Make sure you are using unique passwords for each account that are 15 characters or longer; don’t use distinguishing information (like your birthday or pet’s name); and consider using a password manager versus saving each to your computer. Also set up multi-factor authentication and/or a biometric login on each account on top of the username/password.”
Two-factor authentication “is one of the easiest proactive steps you can take to protect your accounts,” Land agreed.
Not a victim? Don’t let your guard down
If you ran your name through those two portals and it looks like your SSN hasn’t been compromised, can you keep carrying on as before? That is a rhetorical question with a non-rhetorical answer: No.
“Protecting your identity and financial assets should always be a proactive part of your routine, whether that means daily, weekly or monthly monitoring,” said Abuyousef, with U.S. Bank. “You can do this yourself through your online statements and by ensuring that you protect your data through effective online security measures, such setting up password management tools or multi-factor authentication. It’s also vitally important to teach your children and loved ones to remain vigilant and aware of scam tactics so they can put measures in place to protect themselves.”
Ervin, with UBS, said it’s essential to plan how you’ll secure and recovery key information, before your data gets stolen.
“In developing your approach, consider: What is the data that you want to protect? How do you and your family access data? What could be the impact if there was a confidentiality breach? How can you back up data and protect yourselves?” he said.
Practicing vigilance
Abuyousef, with US. Bank, recommends ongoing monitoring of savings, credit and retirement accounts. Check statements or log in and review the ledger daily.
“If you notice anything suspicious, let your provider know so that they can investigate and take action to protect your account, if needed,” he said.
Ervin, with UBS, shared some pointers for staying safer online, whether or not your SSN is up for grabs:
Be proactive: Back up important files. Educate children about safe practices online and encourage safe social media guidelines.
Hardware: Secure your home and small business network by changing the default administrator password of the device controlling your wireless network. Enable encryption on your Wi-Fi router, preferably WPA2. Don’t plug in suspicious USB devices, such as unknown flash drives.
Software: Only install applications from trusted sources, such as app stores or known websites. Make sure your computer and devices are set up to receive automatic software updates. Delete apps you no longer need or don’t know the origin of and monitor your children’s’ downloading and use of apps. Use your cellphone data plan instead of public Wi-Fi when on the go.
Eyes open: Review your Social Security Administration records. Go through your health claims carefully to ensure you’ve received the care listed.
Opt out: Contact organizations to remove your name from marketing lists, including for the credit reporting bureaus (Experian, TransUnion, Equifax), to prevent unsolicited credit offers.
Be private: Consider what you disclose online. Avoid publishing that you are traveling or including personal information such as your birthday/year or mother’s maiden name or pets’ names — typically used for security or verification purposes — on social media. Use privacy settings to control who can access your information, and review them regularly. Don’t take online polls and be selective about friend requests from people you might not know.
Be skeptical: Be wary of phishing schemes, which continue to grow; never open unfamiliar attachments or click on unfamiliar links. Ignore emails or text messages that ask you to confirm or provide personal information by replying to the email or message.