(Bloomberg) — The hackers who infiltrated Anthem Inc. made off with one of the most prized possessions in computer crime: the Social Security numbers of as many as 80 million customers of the nation’s second-biggest health insurer.
The nine-digit numbers the U.S. government has doled out since 1936 typically follow people from birth to death. There are 450 million combinations in use, and by learning yours, hackers can obtain credit cards in your name, wire money from your bank accounts, or learn enough from telephone records or medical histories to trick you into divulging more information.
“With the data elements compromised in this breach, criminals have had the keys to the kingdom,” said Paul Stephens, director of policy for Privacy Rights Clearinghouse, a San Diego-based advocacy group. When companies or agencies use Social Security numbers both to identify individuals and to authenticate that they are who they say they are, it’s “a recipe for disaster.”
Unlike payment-card numbers, which are useless once banks find they’re being used for fraud, Social Security numbers are ubiquitous and hard to change. They remain the main authentication mechanism for many essential services, especially ones provided by the government.
It’s rare that one company has so many of them, and that so many are stolen at one time. For Social Security numbers to be useful for criminals, they need to be stolen in conjunction with other information, such as name, address and birth date — exactly the kind of data that insurers like Anthem collect.
Because criminals need to invest that effort and time to make money off of Social Security numbers, other snippets of personal data that are easier to monetize command a higher price on the black market. Social Security numbers sell for $3, while mothers’ maiden names sell for $6 and the name and password for online bank accounts sell for $1,000, according to one study from 2011.
Many companies decide to store Social Security numbers in a central location. While that increases their usefulness for data analysis, it also raises the risk that hackers could take them all at once, said Orion Hindawi, co-founder and chief technology officer for Tanium Inc. The Berkeley, California-based security firm works with banks, health-care companies and other large organizations.
“The most secure way to store something is also the most expensive way,” Hindawi said. “If you break up all the data, you can’t access it to mine it and find patterns. Many companies make a choice about where the line is they’re going to draw, and people draw the line in the wrong place.”