×

The Equifax breach proves it’s time to stop using Social Security numbers

  • Social Security numbers were never meant to be unique identifiers when they were introduced in 1938.
  • The Equifax data breach proves that Social Security numbers can no longer be regarded as private or secret.
  • It's time for the government to ditch Social Security numbers and think of another way to securely identify people.

Over the course of an otherwise excruciating hearing Tuesday on Capitol Hill, there was one issue on which Equifax CEO Richard Smith found a more receptive audience — his call for an end to using Social Security numbers to identify U.S. consumers.

In testimony before the House Energy and Commerce Committee, Smith called for "think[ing] beyond" the concept of a Social Security number as a secure identifier. "I personally know my Social Security number has been compromised at least four times in my lifetime," Smith said. "That's just untenable."

The same day, Rob Joyce, who serves as White House cybersecurity coordinator, announced a review of the continued use of Social Security numbers by federal departments and agencies, warning that "every time [you] use the Social Security number, you put it at risk." Joyce expanded on these themes when he spoke Wednesday on a panel with one of us at the Cambridge Cyber Summit, stressing that Social Security numbers had outlived their usefulness and that the government needs to come up with a better way.

"In the era of massive data breaches, these widely distributed numbers can no longer be regarded as in any way private or secret — meaning systems that store and rely on Social Security numbers as a method of authentication are inherently insecure."

Calls to stop relying on Social Security numbers as unique and secure identifiers are nothing new. But at least until this week, the convenience and simplicity these numbers offered and the lack of any readily available alternative has made the habit difficult to kick for businesses and government.

Social Security numbers were introduced in 1936 as a way to keep track of the earnings of U.S. workers for purposes of determining their entitlement to Social Security benefits. As recounted on the web site of the Social Security Administration, computing benefit levels was "the sole purpose" for which these numbers were created; and the Social Security card was "never intended to serve as a personal identification document."

The failings of the Social Security number as a unique identifier began to be apparent as far back as 1938, when a sample Social Security card included in wallets sold at Woolworth's and other department stores ultimately resulted in as many as 40,000 people using the Social Security number of a secretary of a senior executive at the wallet's manufacturer. The secretary at issue was given a new number, but for the estimated 60 to 80 percent of Americans nowadays (even before the Equifax breach) whose Social Security number has been compromised, there can be years of anxiety and hassle with little recourse.

In the era of massive data breaches, these widely distributed numbers can no longer be regarded as in any way private or secret — meaning systems that store and rely on Social Security numbers as a method of authentication are inherently insecure. Coming up with alternatives will require up-front investment, creativity, and a change in customer expectations. Approaches built around two-factor authentication and biometrics present their own challenges and tradeoffs. But continuing to depend on a method of authentication predicated on a single insecure, hard-to-change, and easy-to-predict nine-digit number is folly.

Equifax may be an improbable messenger for reform, having built a multi-billion dollar business out of trafficking in sensitive information tied to Social Security numbers. And past reports of the death of the Social Security number have been greatly exaggerated. But if the fallout from the Equifax incident leads to real changes, at least one good news story will emerge from an incident that has otherwise brought only bad headlines for both the company and U.S. consumers.

Commentary by John P. Carlin and David Newman. Carlin was the assistant attorney general for the U.S. Department of Justice's National Security Division (NSD) and served as chief of staff and senior counsel to former FBI Director Robert S. Mueller, III, where he helped lead the FBI's evolution to meet growing and changing national security threats, including cyber threats. He currently chairs Morrison & Foerster's global risk and crisis management group and co-chairs its national security group. He is also the chair of the Aspen Institute's Cybersecurity & Technology Program and a CNBC contributor.

Newman is a former special assistant to the president, associate White House counsel, and director on the National Security Council staff. He is currently counsel at Morrison & Foerster LLP, where he represents clients in a wide variety of national security and global risk and crisis management issues.

For more insight from CNBC contributors, follow @CNBCopinion on Twitter.

WATCH: Former Equifax CEO on credit data access