Executive Summary
This brief covers the recent emergence of cyber security threats to public safety, in particular, the theft of social security numbers online by hackers. It covers the recent data breaches, the history of this problem and what is recommended in order to mitigate this issue.
Overview
With the digital revolution of the past two decades comes an increased need for tighter cybersecurity measures. This need stems from the ever-present danger of cyber crime, which includes the online theft or manipulation of sensitive information such as identity, bank accounts, addresses and social security numbers. A recent California lawsuit claims that in April 2024, a hacker group infiltrated a Florida-based company named the National Public Data, and stole $2.7 billion worth of records, including social security numbers, by illegally accessing a background check company’s data. This information ended up on the dark web, where the hackers were plotting to sell the information for millions.
Pointed Summary
- There have been recent major thefts of social security numbers online by hackers affecting millions of Americans
- This theft raises concerns about the efficacy of private companies and government to protect civilian data online
Relevance
The hackers’ actions have already added to the climate of fear over online safety. With the US elections coming this year, the internet plays a large role in the political conversation, for better or for worse. Americans are now more eager than ever for their preferred candidate to bring forward a cyber security and online safety policy that will make sure data breaches like these become obsolete. Misinformation and conspiracy theories about these incidents are common, and this issue should be solved quickly in order to reduce them.
This data breach means that Americans must become creative in how they protect their data online. Depending on the government and companies such as the National Public Data may be useless for some Americans as there are many hot button issues competing for Capitol Hill’s attention and it might take some time before this issue is given the full, serious bipartisan attention it deserves. Digital literacy is now essential to everyone in order to combat this issue.
History
Current Stances
The recent data breach that saw 277.1 gigabytes of data stolen is not the only cybersecurity incident in the past years, even though it is one of the most widespread and possibly consequential examples. These attacks have become increasingly prolific in the U.S., with a historic 1862 data breaches reported in 2021, up around 400 from what was reported in 2020.
Cyberattacks began as soon as technology became widely used, but the targets were different than they are today. One of the first widespread attacks in the U.S. was noted in 2003, when Chinese hackers stole national security information from China Lake’s Naval Air Weapons Station. This theme continued into the following years, as they continuously targeted institutions including the U.S. Department of Defense and Department of State.
As consumers began entering the digital world, targeted data soon became Personally Identifiable Information, or PII. This normally relates to key healthcare, finance, or security information.
One of the largest PII breaches in history occurred over a three-year period when a team of Russian hackers gained access to Yahoo’s database. They gathered PII including names, birthdays, passwords, and security questions, allowing the hackers to impact consumers. Yahoo, after being bought out by Verizon, would eventually end up losing $35 million and be the subject of 41 class-action lawsuits. While the full number is still undetermined, reports estimate up to 3 billion people’s information may have been stolen.
Other breaches are caused less by malicious activities and more by poor design measures. For example, First American Financial Corp released 885 million files as a result of a data leak, not a breach. This one, however, led to PII, such as bank account information and driver's license, being exposed, which has a possibility for more serious consequences. Luckily, the damage to the corporations is determined based on the effect of the leaks, so the lack of malicious effect led to only a $500,000 fine from the SEC.
While there are many other instances of important information being stolen from Americans, there is no doubt that the scale and gravity of the recent Social Security leaks could lead to issues that society has not seen before.
Policy Problem
Stakeholders
- American Citizens
American Citizens find themselves losing the most from this hack. A stolen Social Security number (SSN) may lead to financial hardship, significant loss in credit, and identity theft. The scale of the hack is still unknown, although estimates speculate that every American SSN and address could have been part of the theft. While it is unlikely that credit cards are created in every American’s name and used maliciously, the potential fallout from the information being leaked and used by non-governmental entities is extreme.
- Government
The government risks serious repercussions from a security breach, not only undermining its own credibility and trust, but weakening its strength and ability to act. If hackers are able to locate secure and sensitive information without recourse, governmental secrets, planning, and a myriad of other types of important information are at risk as well.
- Hackers
Hackers working for the government in security face the daunting tasks of resolving the security breach and preventing further information from leaking, as well as concerns about job security, as identity theft of this sort has never happened at this scale. Those who committed this hack face severe criminal consequences if caught, or stand to make extreme financial gain if they are not located.
Risks of Indifference
- Widespread identity theft
Identity theft is a serious concern: theft relating to one’s financials, credit score, and tax identity are all widespread and well-documented criminal activities. If millions of identities are stolen, this may lead to millions losing their savings, credit score, and any financial gain they once had.
- Financial Fraud
Financial fraud plagues millions of Americans already, meaning this breach may potentially worsen the problem significantly. With the ability to take a credit card out in someone else’s name, hackers could use the credit card until it declines, purchasing a variety of different products and services, and leave the debt and bad credit score with the unsuspecting individual.
- Erosion of public trust in digital security
The erosion of trust is a hidden, yet significant, impact of this type of breach. If a significant number of Americans lose trust in their financial institutions, history could repeat itself and a dramatic recession may occur. This undermines economic stability, quality of life, and personal safety for millions of Americans, throwing the country into turmoil and an economic downturn. If Americans revert to paper money and non-online credit, banking, and payments, the American economy may see a significant downturn, the ease of access to financial services will dramatically decrease, and Americans will suffer.
Nonpartisan Reasoning
National cybersecurity stands as a priority, since both sides agree that it is highly relevant, important, and necessary to understand and keep safe. The methods of dealing with online security problems differ extensively, but it is a bipartisan view that these issues should be addressed and hacks of this scale should be eliminated or minimized. It is in the interest of all Americans to have a tighter hold on national security and their banking information, governmental and online identity, and credit. Thus, a higher level of effort and/or funding tasked with maintaining online security for the American public is a logical solution. The issue affects both American citizens and the government, from creating fiscal insolvency to eroding public trust and confidence. Cybersecurity is a key concern at all levels of governmental interest.
Policy Options
The issue of data privacy has been extremely relevant during the 118th Congress, manifesting most notably in the Protecting Americans from Foreign Adversary Controlled Applications Act, otherwise dubbed the “TikTok ban.” This bill offers a ban-or-sell condition to TikTok’s owner, ByteDance: sell TikTok to a U.S.-based company within 270 days, or face a ban in all U.S. app stores. Given that President Biden signed this bill into law after a bipartisan majority in Congress, its passage may indicate a growing importance placed on digital privacy, especially as it relates to foreign relations.
Historically, the Privacy Act of 1974 prohibits agencies from sharing information without written authorization from the individual.
Secondly, the Health Insurance Portability And Accountability Act in 1996 governs healthcare data and a patient’s right to view their information under “covered entities,” including doctors and government programs. It does not account for health data stored in other places, such as health apps or schools.
The Children’s Online Privacy Protection Act, abbreviated to COPPA, governs the privacy of children in digital spaces. For many children under 13, social media apps prompt authorization and surveillance from one’s parent/guardian, or they require verification of their age.
The California Consumer Privacy Act, or CCPA, is considered the most stringent digital privacy act in the country. It publicizes the ways businesses use one’s data by allowing consumers to view how data is used and sold, delete data, and opt-out of their data being used. The California Privacy Rights Act was later added to allow consumers to correct information about themselves.
A notable current bill concerning data privacy is the American Privacy Rights Act of 2024, which considers data privacy a right and allows consumers to enforce that right. It would set a national standard for Americans to view, delete, correct, and opt out of data collection from third parties. It aims to hold companies accountable by allowing constituents to sue and recover damages for unlawful data collection. This bill, as well as its historical predecessors, contextualizes the growing importance of digital privacy in America.
Conclusions
This data breach has become a serious and evolving situation. While the public is no stranger to the average data leak, a breach of this magnitude affects everyone. The historical context shows the evolving nature of cyberattacks, while recent incidents highlight the growing risk to individuals and government institutions alike. Current and proposed policies indicate that digital privacy and security have become more prioritized across the political spectrum, reflecting a need for ongoing vigilance and adaptation to new challenges in the digital landscape.
Acknowledgment
The Institute for Youth in Policy wishes to acknowledge Eli Solomon, Anagha Nagesh, Nolan Ezzet and other contributors for developing and maintaining the Policy Department within the Institute.