Social insurance numbers are stolen by the millions — but Ottawa replaces just dozens per year

The one million Canadians who saw their social insurance numbers stolen in the massive Capital One data hack shouldn’t count on Ottawa to help bail them out of trouble with identity thieves.

In 2018, the federal government issued replacement SINs in just 60 cases of fraud and abuse, according to recent testimony before a House of Commons committee.

Elise Boisjoly, an assistant deputy minister with Employment and Social Development Canada, told the Commons standing committee on public safety and national security that her department handed out more than 1.6 million new social insurance numbers last year — but issued only a few dozen replacement numbers because “getting a new social insurance number will not protect individuals from fraud.”

“The former social insurance number continues to exist and is linked to the individual. If a fraudster uses someone else’s former social insurance number and their identity is not fully verified, credit lenders may still ask the victim of fraud to pay the debts,” Boisjoly said during a mid-July hearing on a data breach at the Quebec-based credit union Desjardins, which exposed the personal data of 2.7 million customers, including SINs.

Social insurance numbers are prized by criminals because they can be used to apply for credit under someone else’s name or establish new “synthesized” identities. They also can be sold to create false documentation for illegal workers.

While Boisjoly acknowledged the challenge posed by “ever larger data breaches,” she said issuing replacement numbers to victims might create more problems than it solves, leading to potential errors in the calculation of pensions and benefits and requiring recipients to monitor both the old and new SINs on a “regular and ongoing basis.”

Earlier this week, U.S.-based Capital One Financial Corp. disclosed that a March breach of its cloud storage server exposed the sensitive information of 100 million Americans and six million Canadians — including names, addresses, credit scores and, in some cases, social insurance numbers.

The information was taken from card holder accounts and credit applications dating back as far as 2005. A 33-year-old Seattle software engineer has been charged with computer fraud and abuse after she allegedly boasted of the heist on social media, indicating that she wanted to share the SINs, full names and dates of birth.

It’s just the latest example of a large-scale hack targeting the personal information of consumers.

Last fall, the Marriott hotel chain admitted that hackers had stolen the email, address and passport information of 500 million guests who had stayed at Starwood properties between 2014 and 2018. A Sept. 2017 breach at the credit monitoring firm Equifax compromised the data of 143 million people, including at least 19,000 Canadians.

According to the annual Data Breach Investigations Report prepared by the U.S. telecom company Verizon, 2018 saw more than 2,000 successful major hacks across 86 countries, targeting 73 different private and public entities.

Organized crime groups were believed to be behind 39 per cent of the attacks, with “internal” hacks accounting for 34 per cent of the incidents and state-sponsored actors perpetrating another 23 per cent. The financial services sector is a favoured target, suffering 207 breaches in 2018.

Just how many of those data heists involved Canadians is harder to determine. The Canadian Anti-Fraud Centre, a national clearinghouse for hacking and online fraud complaints, received 9,351 identity theft reports in 2018, down slightly from 9,677 complaints the year before.

Jeff Thomson, an RCMP senior intelligence analyst assigned to the centre, said that those reports probably represent the tip of the iceberg, since studies and experience suggest that as few as five per cent of victims actually bother to notify the authorities.

The centre can’t estimate how many of those complaints involve the theft of social insurance numbers, he said, because the victims often don’t know themselves that their SINs have been stolen.

“People get a notice in the mail saying that their information has been compromised, but without any details,” said Thomson.

SIN numbers do seem to get stolen with alarming frequency. In 2015, the lead author of the annual Verizon report told National Public Radio that “60 per cent to 80 per cent” of all U.S. Social Security numbers had been compromised by hackers.

Neal O’Farrell is an Ohio cybersecurity expert who heads up the Identity Theft Council, a not-for-profit victim support network. He said that criminals have been harvesting SINs on a mass scale for the better part of two decades. And if we haven’t yet seen a full-fledged epidemic of identity theft — there were 1.3 million new U.S. cases in 2017 —  it’s only because the crooks “don’t have time to get to it all,” he said.

Corporate and government indifference fuels the thefts, said O’Farrell, noting that more secure alternatives to SINs exist — such as biometric scans, real-time financial data and blockchain verifications — which could be used to confirm customers’ identities.

“It’s a calculated risk,” he said. “Continuing to use SINs costs far less than overhauling an entire system that has come to depend on them. They’ve done the math.”

Canadians who believe their SINs are being used improperly face a heavy burden in proving it.

Employment and Social Development Canada asks identity fraud victims to file a police report and obtain credit reports from both of Canada’s major credit bureaus, which sometimes requires payment of fees. Victims also are required to follow up with creditors and convince them to close any unauthorized accounts and write off the debts that have been run up illegally in their names.

And if someone wants to apply for a new SIN, they must visit a Service Canada centre with proof of identity, a list of every address where they have lived over the past decade, printouts of every T4 issued in their name for the past three years and a “clear photograph” of themselves for each of the employers on the list, so that an investigator can double-check.

Ottawa has been trying to discourage people from using SIN numbers as a form of identification, and began phasing out the plastic cards in 2014. New applicants are given their number on a piece of paper instead, and are advised to leave it at home in a safe place.

There are a few select circumstances where you need to provide the number: starting a new job, filing taxes, accessing government benefits, or opening an interest-earning account at a financial institution.

But while the federal government “strongly discourages” other businesses and institutions from asking for SIN numbers, the practice isn’t illegal. And the onus is on the individual to explain why they don’t need to provide the number and hash out some other way to prove their identity.

Ann Cavoukian, a former Ontario privacy commissioner who now heads her own consultancy, the Global Privacy and Security by Design Centre, said the need for reform is clear.

“You have to restrict corporate access to this information. The federal government could do that tomorrow,” she said.

Still, she added, there’s little hope of anyone coming to the aid of the victims of identity theft — at least in the short term.

“We’ll have to wait until after the election, I’m afraid.”