NPD mega-breach a sobering reminder of vulnerability of identity data


In recent years, the typical cost of a personal identity package that includes a person's name, date of birth and Social Security number has been around $10 on the black market, and often as little as $1. These ballpark estimates come from multiple analyses of black market data sales by credit bureau Experian, cyber threat intelligence platform Flashpoint and security awareness training firm KnowBe4.

The cheapness of a Social Security number — a piece of information that these firms and others implore consumers to protect — is a reminder that, despite how an individual might endeavor to protect their identity online, personal information shows up in data breaches all the time, making it difficult for banks and credit unions to verify the identity of customers and members online.

The latest example of the deterioration of the value of the Social Security number as an identifying piece of information is the 2.7 billion records leaked from data broker National Public Data, or NPD, many of which include the nine-digit number. While not all the Social Security numbers in the exfiltrated database are linked correctly to people, the breach is large enough that likely millions of people have been affected.

The breach does not change the status quo ante, which is that personally identifiable information, or PII, is "already available online in mass quantities," according to Teresa Walsh, chief intelligence officer and managing director of Europe, Middle East, and Africa at the Financial Services Information Sharing and Analysis Center (FS-ISAC), an international coalition of financial institutions focused on cybersecurity.

"Social Security numbers can be compromised as early as infancy," Walsh said. "However, when bad actors open accounts tied to PII, most of the time more than just a Social Security number is required."

This is good news for consumers seeking protection when their Social Security number is compromised, but bad actors have methods of building profiles of potential identity theft victims that go beyond merely stealing data.

According to Walsh, AI and database tools can help fraudsters link together disparate PII breaches to build comprehensive profiles of affected individuals. These profiles can include previous addresses, bank account information, frequently used passwords, scans of a passport or driver's license and anything else that might show up in a data breach and would be useful for impersonation.

One side effect of all of this is that financial services providers are starting to return to old-fashioned strategies to block fraud attempts, such as having a new customer come into a branch with their identity document and utility bills, according to Walsh.

And, just as fraudsters can link together data breaches to improve their identity fraud schemes, banks are looking to link legitimate identity databases together. One example, Walsh said, is linking business registration databases with bank databases to verify a new business bank account with an associated business registration.

"However, there are many obstacles to these database linkages due to privacy concerns, so currently cyber criminals have many opportunities," Walsh said.

Because cyber criminals can collaborate in this way, governments and organizations need to collaborate in turn to implement stronger data protection protocols, according to Jon Clay, vice president of threat intelligence at cybersecurity firm Trend Micro.

"While the likelihood of any single individual being targeted immediately may not have drastically increased due to this breach, the potential for future victimization has certainly expanded," Clay said. "It is crucial for individuals to remain vigilant and for both public and private sectors to reinforce security measures to protect against the misuse of such data."

Even if a person's data has been breached before, additional breaches can act as data points for fraudsters to confirm or build confidence in the profile they have on that victim. The more data breaches that confirm the Social Security number and other identity details of a potential victim, the more valuable that person's profile becomes on the black market.

"The continuous demand for PII ensures that cybercriminals can still profit, even if some of the data has been leaked before," Clay said. "The black market operates on volume and the law of averages. By selling large quantities of SSNs, even at lower prices, criminals can still generate significant profits."
