American credit rating agency Equifax disclosed today that a vulnerability in one of its web applications has led to around 143 million Americans’ social security numbers being compromised. The leak comprises millions of Americans’ Social Security Numbers (SSNs), driving license numbers, and a couple hundred thousand credit card numbers, among other documents. The breach occurred from May to July, the company said.
The company said that aside from some British and Canadian consumers’ data, it has found no evidence that personal information of consumers in any other country has been impacted. It has also set up a website explaining the breach, and has set up a portal for Americans to check if they have been affected.
Why SSN leaks are dangerous
143 million Americans, which is almost half of the US’s population, now risk their SSNs ending up in the hands of identity thieves and, perhaps, the dark web. The Social Security Number system was first devised in the 1930s to audit American employees’ deposits and withdrawals from a mandatory pension-esque fund. Eventually, it was appropriated by other parts of the government and by financial institutions as a way of verifying citizens’ identities, and due to legal frameworks that later followed, it is now basically mandatory for US citizens to get a Social Security Number. Sound familiar?
Unlike Aadhaar though, SSNs have little to no in-built security, and it’s incumbent on the cardholder themselves to make sure that nobody gets their hands on their social security number — there is no biometric or OTP-based authentication for SSNs that acts as a second factor of authentication. Compromised SSNs are a very common factor in a major portion of cases of identity theft in the US. In fact, the average financial loss faced by US citizens whose SSNs were breached was almost twice as much as that faced by those who had lost their credit card; this is even more significant considering that there are few authentication safeguards on credit and debit cards in the US.
How this matters for India
Privacy has been a fundamental right under the US constitution for decades, while India’s Supreme Court just recently declared it one. Even with the relatively robust legal regime around data protection that the US has, breaches like Equifax’s are not unprecedented. As an NYT report pointed out today, a breach of Yahoo’s servers, which led to over a billion users’ personal information being compromised, was much larger.
In India, a data protection law couldn’t come at a better time. Right now, companies that maintain data of Indian citizens for various purposes operate in a legal vacuum, and their own internal security standards are the only thing standing in the way of this data being breached. Two bills may soon be floated before the Lok Sabha to legislate data protection, one by Jay Panda, and the other by Shashi Tharoor. While a legal framework isn’t going to ensure total data security, it is an essential foundation on which India’s public and private sectors need to work to secure the data of citizens whose data they possess.
Government organizations alone have passively leaked over 130–135 million Aadhaar numbers, simply by not masking that information on their websites. A data protection law would require both companies and government organizations to better secure citizens’ data. Personal information like Aadhaar numbers and contact details is often stored by a large number of players, both in the private and the public sector, and a single breach can leave millions of citizens exposed to identity theft and the Pandora’s Box that opens up with having their personal information in the public domain.
Equifax in India
In India, Equifax operates as a joint venture with four public sector banks — SBI, Bank of Baroda, Bank of India, and the Union Bank of India — and three private banks, according to the company’s website. The company offers credit ratings reports for free to consumers in India, and requires users to submit their Aadhaar number to authenticate their identity for these reports. In the last few months, they have been expanding their microfinance offerings, and partnered with the International Finance Corporation to “deepen coverage” of credit reports of Self-Help Groups in India. The company has been involved in microfinancing in India since 2011, according to its website.
Meanwhile, the Reserve Bank of India is looking to open a public credit registry incorporating unique identifiers for borrowers: Aadhaar for individuals, and Corporate Identification Number for companies.