Several readers have asked me to weigh in on whether the recent Equifax data breach, which affected an estimated 143 million Americans, could compromise online Social Security accounts.
Equifax, one of the three major credit bureaus, announced in September that it had experienced a major data breach last summer that exposed Social Security numbers, birth dates, addresses and in some cases driver's licenses and credit card numbers belonging to about half of all American adults.
The pilfered information is the perfect recipe for committing identity fraud. In theory, hackers could use this sensitive personal information to set up an online Social Security account in your name, file for those benefits when you become eligible and direct the payments to a new address and bank account without your knowledge.
The bigger question is, can they use that same information to gain access to the millions of existing My Social Security accounts and possibly divert benefits?
While researching this question, I discovered a nasty surprise. Electronic access to my account was suspended after someone tried, unsuccessfully, to log into my account.
"We tried three times to match the information you provided with our records, but were unable to do so," the error message said. "The suspension will not affect any Social Security benefits you receive," the generic notice assured me.
But I'm not receiving any Social Security benefits. I just want to make sure my online information is secure. What now?
The website directed me to contact SSA's toll-free number at 800-772-1213, but the help desk is only staffed Mondays through Fridays, not over the weekend when I discovered the possible security breach.
I sent an email asking about next steps. Although I have not yet received a response from SSA, I was able to access my account Monday morning without further incident. Perhaps the extra security measures I agreed to six months ago helped thwart an unauthorized hack.
Meanwhile, inquiring minds want to know if their online accounts are safe.
Without mentioning the Equifax breach directly, Jim Borland, acting deputy director for communications at the Social Security Administration, posted a blog post on the agency's website in mid-September about "protecting your Social Security."
"A My Social Security account is your gateway to many of our online services," Mr. Borland wrote. "Create your account today and take away the risk of someone else trying to create one in your name, even if they obtain your Social Security number," he advised.
Anyone 18 or older who has a Social Security number, a U.S. address and a valid email address can set up an online account. In addition to requesting these critical personal details, the Social Security Administration will ask applicants to answer a variety of questions that are cross-referenced with their credit reports, such as the name of the bank that holds their mortgage or car loan, to verify their identity.
You can also sign up for extra security when you first register for a My Social Security account or add it to an existing account, as I did several months ago before the Equifax data breach.
As an additional security measure, Social Security will ask for one of the following: the last eight digits of your credit card; information found in your W-2 tax form; or information from your self-employment tax form. An upgrade code will be mailed to your home address, usually in five to 10 business days. The letter will include step-by-step instructions to finalize the security upgrade.
"If you already have a My Social Security account, but haven't signed in lately, take a moment to log in to easily take advantage of our second method to identify you each time you log in," Mr. Borland wrote, explaining that you can choose to have a one-time code texted to your cell phone or sent to your email address as an added security measure. "Using two ways to identify you when you sign on will help protect your account from unauthorized use and potential identity theft," he added.
One of my readers cited Mr. Borland's blog as full of great advice, but noted it still left some questions unanswered.
"It does not specifically state that it takes more than the four identifiers stolen at Equifax (name, birth date, address and Social Security number) to make changes to Social Security accounts that could lead to a diversion of benefits," the reader said in an email.
"If there are sufficient cybersecurity measures in place to prevent this, I think the SSA communication should be updated to make that clear," he wrote. "On the other hand, if new measures are necessary, they should take them now and then publicize those measures."
I agree. I sent the reader's comment to the SSA press office last week, but so far, I have not received a response. Stay tuned for details on the broader issue of protecting our online Social Security accounts.