
Social Security numbers: a security risk with serious staying power

Despite the risk of fraud and identity theft posed by the use of Social Security numbers, agencies continue to use them as universal identifiers because of outdated systems, insufficient funding and a lack of coordinated guidance coming from the executive branch.

In 2007, the Office of Management and Budget issued guidance mandating agencies develop plans to cut back on the collection of and reliance on the numbers due to concerns about identity theft. And when the Office of Personnel Management was breached in 2015, exposing some 22 million personnel records, the urgency for agencies to move off the number increased.

At a recent joint hearing for the House of Representatives' Ways and Means Subcommittee on Social Security and the Oversight and Government Reform IT Subcommittee, lawmakers raised concerns that the lack of progress on developing alternative identifiers and stronger protections could lead to a similar breach.

Greg Wilshusen, director of the Government Accountability Office’s Information Security Services, testified that agencies have trouble eliminating Social Security numbers from their IT systems and records "in part because no other identifier offers the same degree of awareness and utility."

Mariana LaCanfora, the acting deputy commissioner of the Social Security Administration’s Office of Retirement and Disability Policy, said that while Social Security numbers are critical for her agency’s ability to provide benefits, "the SSN and SSN card were never intended, nor do they serve, as identification."

"We strongly encourage other agencies and the public to minimize their use," she added.

Wilshusen also pointed to weak oversight from OMB as part of the problem.

"Reduction efforts in the executive branch have also been hampered by more readily addressable shortcomings," he said. "OMB has not required agencies to maintain up-to-date inventories of [Social Security] number collections and has not established criteria for determining when the number’s use or display is unnecessary."

Some agencies have tried to develop their own identifiers to move away from relying on Social Security numbers. For example, the Centers for Medicare and Medicaid Services will replace the numbers as the primary identifier with a new number, the Medicare Beneficiary Identifier.

Karen Jackson, CMS' deputy chief operating officer, said this new identifier will replace the Social Security numbers for beneficiaries by April 2019.

Rep. David Schweikert (R-Ariz.), however, raised concerns that each agency creating a new identifier may merely create “a cascade of numbers” that will create similar cybersecurity risks.

IT Subcommittee chair Will Hurd (R-Texas) proposed the adoption of a secure, tokenized system to handle and connect the new numbers, pointing to the one used by the Estonian government as proof of concept.

However, Wilshusen said that another hurdle agencies face is limitations posed by their legacy tech.

"Legacy systems often may not be able to handle newer numbers," he said. "In order to be able to do that, it requires significant system change or modification."

OPM CIO David DeVries testified that OPM has now encrypted its collection of Social Security numbers, "with the exception of one database that resides in the mainframe, which is now sitting behind other security controls and detection systems, and that is scheduled to be completed … this calendar year."

However, on a scale of one to 10 for modernity and efficiency, DeVries said he would give his agency's equipment, “from an overall architecture and operating perspective… about a 0.3 or 0.4.”

This article was first posted to FCW, a sister site to GCN.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.



Reader Comments

Sun, Jun 4, 2017 John

The whole security risk has been caused by the misappropriation of the not-designed-to-be-secure SSN by not just government but by the private financial services sector. Glomming onto the SSN as a semi-ID coupled with lax controls on their end, financial fraud takes place because it is easy. Hiding the SSN doesn't help, because it was never designed to be a secure identifier. But it is cheaper for the financial sector to pay the fraud than rework their systems. Cost benefit - the cost to the companies is just cash and not that much and the benefit is great. The cost to the individual? Not the company's problem. If we had the guts, we'd look at what financial losses are incurred due to fraud in a year across the country and demand that Amex, Citi, MC, Visa etc. spend an equivalent amount on market-based alternatives to the SSN and give them a hard deadline to stop using it. Put the onus of fraud on the companies that make it easy by making them fix it by getting them off the SSN. Never will happen. But all this other stuff about the SSN? Just window dressing and ineffective at that.
