The government of Canada replaced only 60 Social Insurance Numbers (SINs) in cases of fraud and abuse in 2018, even though the personal information of 2.7 million people was exposed in a single data breach alone last year at the Quebec-based credit union Desjardins.
Out of the 1.6 million new SINs issued last year, only several dozen were given out to replace SINs exposed in a data breach because “getting a new social insurance number will not protect individuals from fraud,” said Elise Boisjoly, an assistant deputy minister with Employment and Social Development Canada.
When criminals get access to a person’s SIN, they can use it to apply for credit, create false documentation for illegal workers, or develop a “synthetic” identity — e.g., an identity based on pieces of information about real individuals as well as fabricated information.
“The former social insurance number continues to exist and is linked to the individual. If a fraudster uses someone else's former social insurance number and their identity is not fully verified, credit lenders may still ask the victim of fraud to pay the debts,” said Boisjoly in July, in a hearing about last year’s Desjardins data breach.
Boisjoly said that when an individual is linked to more than one SIN, it could increase the chance of errors when the government is calculating pensions and benefits. Individuals would have to continually monitor each SIN they are linked to on a “regular and ongoing basis.”
The hearing was held on Jul. 15, two weeks before another data breach at credit card company Capital One would expose the personal information of another 6 million Canadians. At least one million SINs were compromised.
When Canadians believe that their SINs have been stolen, they need to file a police report, get credit reports from both of Canada’s major credit bureaus, and follow up with creditors to ask them to dismiss any unauthorized debts or opened accounts.
To apply for a new SIN, they’ll have to go to a Service Canada location with proof of identity, a list of every address that they’ve lived at in the past decade, printouts of every T4 they’ve received in the past three years and a photograph of themselves for each of the employers listed on the T4s.
Some critics, like cybersecurity expert Neal O’Farrell, who leads the non-profit victim support network Identity Theft Council, have pointed out that for the purpose of verifying identity, more secure alternatives to SINs exist. These include biometric scans, real-time financial data and blockchain verifications.
“It's a calculated risk,” he told the CBC. “Continuing to use SINs costs far less than overhauling an entire system that has come to depend on them. They've done the math.”
Even Ottawa has been trying to discourage people from using SINs as a form of ID. In 2014, the government began phasing out plastic SIN cards and new applicants are being given their numbers on a piece of paper instead, which they are asked to keep at home.