Pages

Sep 19, 2017

Equifax And Social Security

     Dave Lindorff at Salon wonders "How badly did Equifax breach damage the Social Security system?" The question arises because Equifax, which has suffered a massive hacking breach, has a contract with Social Security to help with security for the mySocialSecurity system that allows Americans to have some degree of access to their Social Security records.
     It's a reasonable question to ask. Unfortunately, when Lindorff asked Social Security, he got nothing. Their public affairs office refused to answer questions.
     Let my try to give the answer that Social Security should have given. Social Security obtains information from Equifax to verify identities but gives none to Equifax in return. For example, Social Security would ask Equifax for information on a person who is attempting to establish a mySocialSecurity account and those records might show that the person had recently purchased a car. Social Security would ask the person what brand of car they purchased. If the person attempting to open the mySocialSecurity account is the true number holder, they'd be able to answer the question and open the account. The key fact is that there is no information exchange. All of the information goes in one direction, from Equifax to Social Security. Equifax gets no information in return apart from the knowledge that Social Security was asking for information on that person.
     If there is a problem, it would be that the information hacked from Equifax could be used to open mySocialSecurity accounts but that risk quickly disappears assuming Equifax has stopped the data breach since Social Security is only using recent information to verify identity. Also, even apart from the Equifax hack, identity thieves have been able to access mySocialSecurity accounts to change bank deposit information to divert payments made to claimants. So far, Social Security has regarded this as a low level problem. To some extent that's true. It doesn't take long for people to complain about not receiving their Social Security benefits so little money is stolen and it's all eventually restored to the rightful people. However, it's a big problem for those who are deprived of their Social Security benefits for a month or two or three. Social Security seems to prefer that this not be publicized since it undermines their effort to get people to open mySocialSecurity accounts.
     I should say that Social Security eventually got its act together and was able to give a terse but accurate response when the Wall Street Journal asked the same question. The Wall Street Journal article is behind a pay wall.
     Update: Social Security really should have put out a statement on this as soon as possible after the Equifax breach became public. Two Senators have written a letter to  the Acting Commissioner asking about Equifax.

6 comments:

  1. Good explanation, thank you, but I'm not so sure about the "recent information" thing. I helped a client create her mySocialSecurity account just a few days ago and some of the identity verification questions (presumably pulled from Equifax) were many years old. If someone had access to that client's Equifax data, they totally could have created that account without her and accessed those records.

    ReplyDelete
  2. I doubt Equifax sends any information to SSA other than the fact that the person logging on passed the security screener. There would be no reason for SSA to know you recently bought a car. And @3:25 is correct, they have old information, such as how much was the mortgage on your first house. In many cases older is better since it would be harder for someone to know about you.

    ReplyDelete
  3. But if a hacker can use the information obtained from Equifax to correctly answer the security questions posed by Social Security, then it may be possible that person could access another person's mySocialSecurity account.

    ReplyDelete
  4. How often are MySSA accounts hacked? Is there data on prior breaches and the number of people impacted by an account change? Where would we find information on the number of complaints from prior situations?

    ReplyDelete
  5. I don't know about using only "recent" information--when I set up mine it asked what car I had purchased in 1982. On the other hand, to an agency that still uses the less than current DOT, this may qualify as "recent!"

    ReplyDelete

  6. "I should say that Social Security eventually got its act together and was able to give a terse but accurate response when the Wall Street Journal asked the same question. The Wall Street Journal article is behind a paywall."

    https://www.wsj.com/articles/equifax-work-for-government-shows-companys-broad-reach-1505781393?shareToken=stddd16cbb868a41e188cb8f0a86698e76&reflink=article_email_share

    ReplyDelete