NEW YORK (CNNMoney) — So far this year, hackers have stolen more than 6.5 million Social Security numbers, CNNMoney has found.
That’s the absolute bare minimum. It’s likely much more than that.
Getting at the exact number of stolen SSNs is difficult. No single organization or government agency tallies the number. To arrive at the number, CNNMoney examined two dozen hacks that took place in 2014.
The biggest hacks included the 750,000 that were exposed with the recent U.S. Postal Service data breach, 1.3 million stolen from Montana’s health department in June, and 4.5 million from a nationwide hospital network in August.
The damage from Social Security number theft is real. Criminals use those numbers to steal your identity, ruin your credit and grab your tax refund. It can take years and lawyers to clear this up.
And in some cases, criminals use it to fraudulently bill visits to the doctor. That could alter your electronic medical record, which first responders rely on to treat you during emergencies when you’re passed out. It happened to one man in Oregon, according to Bob Gegg at ID Experts, a privacy software company.
This raises an important question: Why are we still using SSNs to verify our identities if they’re so exposed?
It stands in complete opposition of what every security expert says about protecting your identity. The best way to prove you’re you is to present something only you know. But SSNs are relatively easy to find. With a proper license, you can buy them.
Data brokers sell your Social Security number — or parts of it — every day. One Vietnamese man even managed to buy access to a databases that housed 200 million SSNs. It’s unknown what he did with those numbers.
Yet your bank, cable company and mobile provider still insist it’s the only way to know you’re really you.
Neal O’Farrell, a consumer advocate with the Identity Theft Council, thinks it’s an exercise in the absurd. But alternatives are impossible.
Another national ID number “is too monstrous of a task,” O’Farrell said. Too many Americans oppose it. Besides, they’d get stolen too.
What about biometric identifiers, like fingerprints and iris scans? If the FBI’s new and growing facial recognition system is any indication, Americans are too creeped out by this as well.
“There’s no sensible way to look at it,” O’Farrell said.
But SSNs were never supposed to be used this way. When it was created in 1936, the SSN had a single purpose: tracking what U.S. workers earned to determine benefit levels.
In fact, the card read: “FOR SOCIAL SECURITY PURPOSES — NOT FOR IDENTIFICATION” until 1972.
It wasn’t designed to be secret — Social Security numbers aren’t even random. You can figure out the first 5 digits by knowing the state and year it was issued.
When IBM computers arrived in the 1960s, they ushered in an age of SSNs as IDs. In 1961, the federal government started using it for employees, even though most are not eligible to collect Social Security. In 1962, the IRS used it for taxpayers. Law then compelled banks to join in. Colleges and hospitals soon followed suit.
And so, the SSN-as-ID system foolishly remains.
CNNMoney is investigating recent hacks. Have you had money stolen from your bank account? Has someone stolen your identity? Share your story.