Why are children more likely to suffer identity theft?
We all know that tens of millions of adult files and records are routinely stolen and used to enable identity theft around the globe.
But one of the lesser known problems associated with identity theft is that children are now the newest victims of fraud, and most of the time neither they nor their parents know it.
It’s been estimated that nearly 1.5 million children are affected every year, with more than half of those involving kids under the age of six.
More significantly, studies are revealing that the chances for credit and Social Security numbers of children being stolen are 51 times greater than the adult population.
Victims of child identity theft suffer an average of $12,000 of fraudulent debt and personal credit can be ruined for years.
These are sobering numbers and they represent a new front in the war on victim identity theft.
One woman in Sacramento, California recently described how ten years after her then two-year-old son’s Social Security number was stolen, the same thing happened to her daughter at the age of 15.
Medical breaches and identity theft
The rise of child identity theft coincides with the recent increase in medical records breaches.
When the health insurance giant, Anthem Inc., suffered a major data breach last year, tens of millions of American children were part of the enormous trove of personal information that was stolen.
Their records included Social Security numbers, dates of birth, and sensitive healthcare information.
Perhaps even worse, most of the minors’ records were linked to those of their parents, magnifying the exposure to include theft of adult information as well.
Just last week, a Congressional committee issued a report which linked the Anthem breach to another major loss of personal information when the Office of Personnel Management (OPM) suffered an attack on their government agency network.
The committee report indicated that both breaches were likely led by a Chinese nation-state threat group known as Deep Panda.
However, the loss of valuable data through medical records breaches is only one component of the exposure being seen in child information.
“Medical identity theft breaches are certainly one source, says Matt Cullina, CEO of IDT911, an identity management services company.
“But we are also seeing a variety of different access points beyond that.”
Children are targets due to tax identity theft
According to Cullina, his firm is seeing a rising number of thefts involving W-2 forms which contain highly-prized employee tax information of great interest to criminal hackers.
These also affect children in large numbers because most of them contain a complete file of employee spouse and dependent details.
“A typical tax file would have all the information you would need to steal an identity,” says Cullina.
As in the case of medical records files, W-2 tax information is also being subjected to an increasing number of breaches in 2016.
Major employers such as Kroger, Seagate, U.S. Bancorp, Sprouts Farmers Market, and the payroll vendor ADP have all reportedly lost W-2 files over the past six months.
Many of these attacks succeed because an employee falls for a phishing scam where they are duped into sending over a company’s W-2 files through a phony internal email request.
Even the Internal Revenue Service (I.R.S.) has recently been affected by the loss of personal tax data, including child information.
Identity thieves were able to access more than 350,000 taxpayer accounts in a massive data breach and another 610,000 thousand are considered to be “at risk” of identity theft following an attack which lasted over a year between 2014 and 2015.
“The I.R.S. is having a ton of trouble trying to combat identity theft and fraud,” says Cullina.
W-2 phishing scams and medical records breaches are on the rise because the family data that hackers can obtain, especially if it involves children, is highly valuable.
The reason is that a criminal, armed with a Social Security number that has never been linked to a credit record, can create an entirely new identity without much fear that monitoring agencies will flag it.
When combined with a real name, address, and birthdate, an identity thief has found true gold.
“This form of identity theft is much easier than trying to commit fraud through a bank,” says IDT911’s Cullina.
Another advantage for criminals is that most adults are on the lookout for identity fraud that involves their own accounts and records, not one that might be tied to a six year-old child.
“It’s just not something that a parent would be looking for,” says Cullina.
This can turn into a major problem for parents and their kids, with far-reaching implications.
If the fraud is not caught early enough, the child may not realize they have been victimized until they are ready to obtain a student loan or their own credit card.
By that point, after years of fraudulent use in their own name, their credit may be destroyed and take years to rebuild.
Warning signs to look out for
As with many forms of identity theft, there are warning signs that parents should be vigilant about in the event that a thief has stolen their child’s Social Security number.
These include mailings addressed to your child that might be pitches for credit card offers or notices of unpaid parking tickets.
Any insurance bill or benefits explanation from a doctor that involves treatment in a child’s name that was never received is another major red flag.
Parents can also check to see if their child has a credit report.
The three major credit bureaus (Equifax, TransUnion, and Experian) will generally provide parents with a child’s report on request at no charge.
How to protect your children
These laws require that when a child’s identity has been stolen, credit reporting agencies must create a credit report for a minor (upon request) and then freeze it so that any future actions in a child’s name will be blocked.
Equifax even offers parents in states that don’t have credit freeze laws the ability to suspend the credit reports of their children in an effort to further reduce criminal activity.
There is also a movement in process to create a so-called 17-10 Registry that would contain names, dates of birth, and Social Security numbers for every person in the U.S. who is under the age of 17 years and 10 months.
It is modeled after the Social Security Death Index which is designed to prevent thieves from stealing identities using the names of people who are deceased.
If this registry was created, every application for credit or employment would have to be matched against it in an effort to prevent fraud and identity theft involving a minor’s personal information.
The concept has gained a great deal of support, but it has also run into opposition.
There is concern that placing the “crown jewels” of personally identifying information for minors in one central place and not properly securing it could result in data theft of a magnitude far worse than anything experienced to-date.
Initial proposals to place the registry in the U.S. Department of Commerce have not been warmly embraced either, especially if the aftermath of high-profile government agency breaches such as the OPM hack.
Other ways children are targeted
While closer monitoring of a child’s credit history by parents might lessen the rate of identity theft and fraud, there are still other vulnerabilities looming on the horizon.
It’s expected that healthcare organizations will tighten security around medical records and large organizations will better educate their employees around the handling of sensitive W-2 tax material.
But both public and private schools maintain a treasure trove of personally identifying data on children and their parents, making databases in grades K-12 a tempting target for thieves.
Legislation to be passed to protect children
In an effort to get in front of this issue before it opens a new chapter in child identity theft, Governor Jerry Brown of California signed a law last month that limits the amount of personal information which public schools can collect on the state’s students.
The legislation was prompted by the actions of a federal judge earlier this year who ordered the release of Social Security numbers and a vast amount of personal information on students who attended California public schools over the past eight years.
Faced with an outcry from parents throughout the state, the judge reversed her decision last March.
Within the past month, the California legislature also unanimously approved a bill that would allow parents to freeze a child’s credit with reporting bureaus, even if they have not become a victim of identity fraud.
The bill (AB 1580) is now on Governor Brown’s desk awaiting signature.
Examples such as these in California are indicative of the greater attention now being paid to protection of personally identifying data on children across the country.
“These identifying credentials are assets and they need to be protected as such,” says IDT911’s Cullina.
Clearly, keeping those assets safe from the aggressive actions by computer hackers and other thieves will remain a challenge until safeguards and protection can rise to the level of the threat.