Your Social Security number IS in the Hands of Criminals

Over the years criminals occasionally contact me to tell me about their exploits and often ask how they can get into the “security awareness” business. Everyone wants to be a Frank Abagnale (Catch Me If You Can movie). These criminals are often sociopaths and incapable of functioning normally without eventually resorting to easy-money crimes. I’ve seen it first hand many, many times. Anyway, one time an identity thief emailed me my own SSN, basically flexing his muscles and showing me how cool he is.

Honestly, I’m not worried that my SSN is out there. I do things to make it useless to the thief. Read on.

A hacking group called USDoD claimed to have acquired 2.9 billion personal records from National Public Data, a background check company, in April 2024. The stolen data reportedly included names, Social Security numbers, and addresses of individuals from the US, UK, and Canada, potentially encompassing a vast majority of these populations.

Initially, the hackers attempted to sell this sensitive information on the dark web for $3.5 million. However, on August 6, a hacker associated with another group leaked 2.7 billion records, which were partially verified by Bleeping Computer. The hacker also claimed to possess an even larger dataset.

The Social Security number (SSN) has a rich history dating back to 1936. Here are the key points about its historical background:

Origins and Initial Purpose

The SSN was first introduced in November 1936 as part of President Franklin D. Roosevelt’s New Deal Social Security program. Its original purpose was to track individuals’ earnings history for Social Security entitlement and benefit computation.

Early Implementation

Within three months of its introduction, 25 million SSNs were issued.

  • On November 24, 1936, 1,074 post offices were designated as “typing centers” to process Social Security cards.
  • The first SSN was officially announced to be assigned to John David Sweeney, Jr. of New Rochelle, New York, though this was not actually the lowest number issued.

Expansion of Usage aka “Functionality Creep”

Over time, the use of SSNs expanded significantly beyond their original purpose:

  • In 1943, Executive Order 9397 required federal agencies to use SSNs in new record systems to identify individuals.
  • In 1961, the Civil Service Commission adopted the SSN as the identifier for federal employees.
  • In 1962, the IRS began using SSNs as official taxpayer identification numbers.

Widespread Adoption

The 1960s saw a dramatic increase in SSN usage due to the computer revolution:

  • Government agencies and private organizations began using SSNs extensively for record-keeping and business applications.
  • Usage spread to state and local governments, banks, credit bureaus, hospitals, and educational institutions.

Legislative Changes

Several legislative changes further expanded SSN use:

  • In the 1970s, laws were passed requiring SSNs for federal benefit programs and authorizing states to use SSNs for various purposes.
  • The 1980s saw requirements for SSNs in areas such as military draft registration, commercial driver’s licenses, and food stamp program administration.

Modern Usage

Today, the SSN has become a de facto national identification number used for taxation and various other purposes, far beyond its original scope. However, concerns about privacy and identity theft have led to some efforts to limit its use in recent years.

Protecting Your Information

Given the extensive nature of this breach, it’s crucial to take proactive steps to safeguard your personal information:

  1. Monitor Your Credit Reports: Regularly check your credit reports for any signs of fraudulent activity or suspicious transactions.
  2. Credit Freeze: Immediately contact the credit bureaus and request a freeze on your credit files.
  3. Update Security Measures: This incident serves as a reminder to strengthen your online security. Consider updating your passwords and implementing two-factor authentication for your accounts.
  4. Stay Vigilant: Assume that your personal information may be compromised and remain alert for any signs of identity theft or fraud.

By taking these precautions, you can better protect yourself against potential misuse of your personal information in the wake of this massive data breach.

Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years’ experience, #1 Best Selling Amazon author of 5 books, and the architect of the CSI Protection certification, a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com.

Most Security Awareness Training is Insufficient and Should Lead to Consequences

Maybe company executives who don’t engage in real world security awareness training should suffer the consequences for their insufficiency.

An excellent Help Net Security article titled “What CISOs need to keep CEOs (and themselves) out of jail” discusses many of the fundamentals of cyber security, what security leaders should be doing but aren’t, and so on. The article makes no mention of “security awareness training,” but it does explicitly state, “The overwhelming majority of major breaches and attacks involved human error.” That error, of course, could often be averted with security awareness training that enhances digital literacy.

This author and his team have reached out to thousands of CIOs/CISOs for city and town municipalities whose sole responsibility is to maintain the city’s IT infrastructure and security. And often, when approached to assist in their security awareness training to bring about a change in behavior, the response is generally “We use a third-party company that provides phishing simulation training, we’re all set.” Frankly, that response sucks. What it says is that the CIO/CISO is providing the absolute bare minimum of training that satisfies whatever legal compliance is required.

Interestingly, many of these municipalities use Proofpoint, who do a fine job, but it’s not enough. Speaking of which, an article from The Hacker News titled “Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails” states: “The cybersecurity company has given the campaign the name Echo Spoofing. The activity is believed to have commenced in January 2024, with the threat actor exploiting the loophole (at Proofpoint) to send as many as three million emails per day on average, a number that hit a peak of 14 million in early June as Proofpoint began to enact countermeasures.” OUCH.

Anyway, back to “but it’s not enough.” Phishing simulation training does one job: it is designed to change behavior with regard to preventing phishing. And while that may lead to compliance, it doesn’t actually solve various real-world security problems, nor does it significantly enhance digital literacy or fundamentally change people’s behavior regarding what security is and, more importantly, what security isn’t. Most people have a false notion of what security is; they think it revolves around paranoia, fear, worry, etc., and it doesn’t.

If compliance is all you, the CEO/CIO/CISO, are going to do, maybe you SHOULD go to jail. Recent headlines such as “Boeing accepts a plea deal to avoid a criminal trial over 737 Max crashes, Justice Department says” point to everything Boeing DIDN’T DO to ensure safety. Really, what’s the difference between what Boeing didn’t do regarding compliance and providing the bare minimum of network security or compliance-type security awareness training?

Data breaches, ransomware, and network vulnerabilities are becoming life and death scenarios. What happens when a hospital is hacked? What happens if traffic systems are hacked? What happens if GPS for airlines is hacked? What happens if the grid goes down for a significant period of time? The Justice Department/Boeing deal requires Boeing to invest at least $455 million in its compliance and safety programs. The Justice Department is saying your basic compliance isn’t enough, and it cost people their lives.

Hell, Ars Technica reports that a North Korean hacker got hired by US security vendor KnowBe4, which provides security awareness training in the form of phishing simulation training; the hacker immediately loaded malware onto the company’s network. Employees seemed to be fooled by a stolen ID. The hypocrisy is endless. KnowBe4 is one of the best in the world at what they do. But still, “The overwhelming majority of major breaches and attacks involved human error,” even inside top security awareness training firms. Humans are hackable because we trust by default. And none of these companies are providing the necessary real-world security awareness training that fundamentally changes people’s behavior.

Here’s the deal, and I’ve written about this before, and this is what I present in all of my trainings, and none of this is presented by any of the security awareness training firms: security goes against our core beliefs. Security is not natural, it’s not normal, it means that we don’t trust others. However, we trust by default. Not trusting others is actually a learned behavior. Security means that you are aware that there are others out there who may choose you as their target. That’s not normal. It’s not natural. No one wants to think they are a target.

What’s normal is that we live happily ever after, we live together as one species in harmony. We trust each other, we are good to each other, we treat others as we want to be treated. We don’t hit, hurt, harm or take from one another. We are civilized creatures.

However, there is a small percentage of predators, uncivilized beings; we call them sociopaths, psychopaths, and hard-core narcissists. They are the criminal hackers, the serial killers, the rapists. They are a minority, and we choose to think they don’t exist. Or at least we deny they would choose us. We resist security practices because they go against what it means to be a civilized being.

The complexity of cybersecurity topics can overwhelm employees and consumers, making them feel incapable of understanding or implementing the necessary precautions. I blame pretty much every cyber security awareness training company out there. It’s not all about phishing simulation training. None of these companies have a clue when it comes to teaching individuals about risk. It isn’t “do this, don’t do that”; they have forgotten what it means to be human.

1. Denial. Some people may deny the importance of cybersecurity or believe that they won’t be targeted by cyber threats, leading them to dismiss training efforts. Denial is more natural and more normal than recognizing risk. Denial is comfortable and soothing, and it allows us to avoid the anxiety of “it really can happen to me.”

2. Fear of technology. Individuals who are not confident in their technological abilities may feel intimidated by cybersecurity training, leading them to avoid it altogether. This, of course, makes total sense. How many times have you gone in a vicious circle, a constant loop of not being able to log into an account because of two-factor authentication not working or something else out of whack? Technology can be frustrating. If security is not easy, people aren’t going to do it.

3. Lack of awareness. Some consumers may simply not be aware of the risks posed by cyber threats, leading them to underestimate the importance of cybersecurity training. This is a real problem. This lack of attention to what your options are regarding anything security-related is common. Part of that lack of awareness stems from disbelief that these things can happen to us, denial that we can be targeted, and a relatively “pacifist” attitude.

Addressing these barriers requires organizations to tailor their cybersecurity awareness training programs to be engaging, relevant, and accessible to all employees and consumers. This can involve using clear language, providing real-life examples, and offering support for individuals who may struggle with technology or cybersecurity concepts. It also means getting “real.” And cyber security awareness training companies aren’t going to do that, nor are their two-dimensional employees, and most of them don’t have the ability to get down and dirty and speak “holistically” about life and security in the same sentence.

And if the CIO, CEO, CISO or, in my case, the mayor or town administrator who oversees the budget of their CIO or CISO, doesn’t think this kind of security awareness training is necessary, maybe they should go to jail too.

ROBERT SICILIANO CSP is a #1 Best Selling Amazon author and the architect of the CSI Protection certification, a Cyber Social Identity and Personal Protection security awareness training program.