Agencies Struggle to Stop Using Social Security Numbers as Identifiers

Federal agencies using Social Security numbers to identify people could be putting them at risk for identity theft, lawmakers argued Tuesday.

Because many separate organizations use that one key to identify individuals—employers, health care providers and other entities, for instance—a single Social Security number could grant hackers access to many sensitive accounts. And while there's an effort underway to reduce agencies' reliance on Social Security numbers as identifiers, it's not close to complete, Greg Wilshusen, director of information security services at the Government Accountability Office, testified during a may. 23 House oversight hearing.

Since 2007, the Office of Management and Budget has required agencies to ease their reliance on Social Security numbers as identifiers, and to cut any unnecessary use, collection or display of those numbers. OMB, the Office of Personnel Management and the Social Security Administration have worked together on this project, but their actions have had "limited success,” Wilshusen told the House Subcommittee on Information Technology.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

For instance, OPM tried to mask employee's Social Security numbers on human resources forms, and at one point, issued draft regulations to limit other agencies' collection of that number, but eventually withdrew that regulation because no other identifier was as useful, he explained during the hearing.

Some agencies haven't received adequate guidance from OMB about the timeframe by which they're supposed to reduce use, Wilshusen added, and OMB hasn’t yet required agencies to update their inventories detailing the instances in which they do collect Social Security numbers.

GAO is recommending OMB monitor agencies' progress better, and until then, "the reduction efforts will likely remain limited and difficult to measure,” and the risk of them being exposed and used to commit identity theft “will remain greater than it need be," he added.

But collecting Social Security numbers at all could put employees at risk, Rep. Tom Rice, R-S.C., said during the hearing. The 2015 intrusion into OPM's databases, which compromised personal records belonging to more than 22 million people, was an “example of what happens when the federal government collects Social Security numbers but does not keep them safe." He added citizens deserve the federal government "only uses them when necessary."

Still, agencies struggle to completely eliminate them from federal IT systems because “no other identifier offers the same degree of universal awareness and applicability,” Wilshusen noted.