By Michael McGill, Acting Executive Officer; Jonathan Lasher, Deputy Counsel; Dennis F. Lynch, Deputy Assistant Inspector General for National Investigative Operations; and Steven W. Mason, Deputy Assistant Inspector General for Field Operations, Social Security Administration Office of the Inspector General, Baltimore, Maryland
he U.S. Social Security Administration (SSA) Office of the Inspector General (OIG) was created in 1995 as a result of the Social Security Independence and Program Improvements Act of 1994. Since its inception, the OIG’s statutory mission has been to prevent and detect fraud, waste, abuse, and mismanagement of the SSA’s programs and operations. To accomplish this mission, the OIG directs, conducts, and supervises a comprehensive program of audits, evaluations, and investigations relating to the SSA’s programs and operations.
The SSA/OIG understands the central role the social security number (SSN) plays in U.S. society as well as the critical need to protect its integrity. OIG investigators work daily on individual SSN misuse cases, bringing to justice scam artists, identity thieves, counterfeit document vendors, and other criminals whose tools of the trade are purloined SSNs. The SSA receives about 10,000 allegations of SSN misuse and investigates about 1,500 criminal cases of misuse annually.
In addition to the SSA’s investigative efforts, auditors play a significant role in identifying vulnerabilities and suggesting ways the SSA can work with organizations and government entities to limit the use of SSNs and better protect this sensitive information. Audit and investigative experiences have taught the administration that the more SSNs are used unnecessarily, the higher the probability that these numbers will be improperly disclosed and used to commit crimes throughout society.
Schools, businesses, and state and local governments request SSNs for a multitude of purposes—very few of which are recognized by law. Rather, many of these organizations use SSNs as identifiers simply for convenience. For example, SSA auditors have looked at the use of SSNs by universities and hospitals as student and patient identifiers, respectively. Although both of these types of organizations may have had some reason for collecting SSNs, such as financial aid or Medicare coverage, it was found that once collected, SSNs were used frequently for other purposes and were not always sufficiently protected.
A recent SSA/OIG audit revealed a troubling practice by primary and secondary schools in 43 states. Namely, the schools collect students’ SSNs at registration and often use the SSNs as primary student identifiers to help in record keeping and identifying students when they transfer to another school or apply for college. The No Child Left Behind Act of 2001 requires that each state implement a statewide accountability program that measures the progress of students and schools through data collection and analysis. However, this law does not require that states use SSNs to identify and track students. Rather, it appears that many primary and secondary schools use SSNs as a matter of convenience.
For the 2004–2005 school year, the National Education Association estimated that more than 15,000 school districts served more than 48 million students in kindergarten through 12th grade. The collection and use of SSNs without proper controls makes this population particularly vulnerable. According to information compiled by the Federal Trade Commission (FTC), recent data indicate that the number of children under the age of 18 whose identities have been stolen is growing. This is particularly troubling given that many of these individuals may not become aware of such activity until they apply for a credit card or student loan.1
Theft of Puerto Rican Identities
School districts’ collection of student SSNs has not gone unnoticed by identity theft rings. Recently, the SSA/OIG’s Strategic Research and Analysis Division noticed a troubling trend while conducting joint work site enforcement investigations with the U.S. Department of Homeland Security (DHS). Work site enforcement investigations focus on egregious employers involved in criminal activity or worker exploitation. This type of employer violation often involves alien smuggling, document fraud, identity theft, human rights abuses, and/or other criminal violations that have a direct link to the employment of unauthorized workers.2
To combat the hiring of unauthorized workers, the DHS and the SSA partnered to create the E-Verify Program (formerly known as the Basic Pilot/Employment Eligibility Verification Program), which allows participating employers to use telephone and Internet-based systems to verify newly hired employees’ employment eligibility. E-Verify works by allowing employers to compare employee information taken from the Form I-9 (the paper-based employment eligibility verification form used for all new hires) against more than 425 million SSA records and more than 60 million DHS records.3 In addition, the SSA provides an additional service called the Social Security Number Verification Service (SSNVS), which allows companies to verify SSNs and names for the purpose of completing Internal Revenue Service (IRS) Form W-2.
E-Verify is particularly attractive to industries that historically employ a large percentage of non–U.S. citizens. E-Verify works extremely well in rejecting questionable identities when names, dates of birth (DOBs), and SSNs do not match. However, many unauthorized workers who previously obtained fraudulent work documents from counterfeit vendors containing invalid SSNs or SSNs that did not match the names and DOBs on the documents have begun turning to a new source to defeat the efficient screening systems contained within E-Verify and the SSNVS. Identity theft rings are now obtaining and selling entire identities of U.S. citizens with Hispanic names from either Puerto Rico or the southwestern United States. By purchasing entire identities—documents including names, DOBs, and SSNs—unauthorized workers can circumvent the SSNVS and E-Verify systems.
This particularly insidious form of identity theft has far-reaching implications for its victims, because wages will be reported to the IRS on their stolen SSNs, and they will be required to explain this income at tax time. In addition, unauthorized workers can use SSNs to obtain mortgages and loans, leading to credit report problems for the victims. The DHS reports that unauthorized workers who fraudulently purchase complete identities in this fashion often use these “breeder documents” as a stepping stone to obtaining valid state identity documents as a means to escape detection by law enforcement agencies and employers.4 Adding to the problem are significant language barriers, as many of the victims speak little or no English, compounding the devastating impact of identity theft.
How does this relate to the practice of school districts collecting SSNs? In January 2008, the SSA/OIG became aware of a new crime wave in Puerto Rico involving the theft of student records at public schools. According to newspaper reports, there have been about 35 burglaries of Puerto Rico public schools since late 2007 where students’ records have been stolen. The stolen records include original birth certificates, copies of social security cards, parents’ names, and home addresses. Because the schools store records from previous years, identity thieves have been able to obtain student records dating back to the 1980s. The identities of between 7,000 and 10,000 Puerto Rican public school students are estimated to have been stolen in this manner.
The SSA/OIG is working with the FTC and the Puerto Rico Department of Education (PR-DOE) to facilitate victims’ ability to file complaints with the FTC. As a result of these efforts, the PR-DOE Web site now includes a link to the FTC Identity Theft Data Clearinghouse, and the FTC shipped 5,000 copies of the FTC’s Spanish-language Identity Theft Victim Assistance materials to the PR-DOE. The PR-DOE also committed to halting the practice of collecting student birth certificates and SSNs starting with the 2008–2009 school year.
Meanwhile, evidence that unauthorized workers in the United States are using stolen Puerto Rican identities continues to mount. A recent work site enforcement investigation by the DHS and the SSA/OIG at a company in Tennessee found that more than 700 unauthorized workers were using Puerto Rican identities for work purposes.
Another prevalent identity theft scheme that has surfaced across the United States over the past year involves unscrupulous individuals and businesses who have used telemarketers claiming to be SSA employees when they initiate telephone calls to obtain personal information, including bank account numbers, from Social Security beneficiaries. The telemarketers are often outsourced from companies in foreign countries, who use voice over Internet protocol (VoIP) phone numbers to initiate the calls.
The telephone fraud scheme has several variations. In some instances, callers with foreign accents request bank account information to set up direct debit of Medicare premiums, claiming that the premiums will no longer be deducted from Social Security payments. In other versions, callers request bank account information to update Medicare cards, for direct deposit of the recent stimulus tax rebate payment, or to verify future entitlement to Social Security benefits. Another version has callers posing as SSA employees and asking for bank account information so that the SSA can deposit a tax credit amounting to $500 per month for a six-month period. In many cases where victims are duped into providing bank account information, funds are withdrawn from the bank accounts shortly after the phone calls are concluded.
This type of telemarketing scheme, which often preys on unsuspecting, elderly individuals, could lead to bank fraud or identity theft, in which personal information is misused to obtain credit, goods, or services. The SSA/OIG has responded by initiating an investigation into the individuals perpetrating this scheme. SSA inspector general Patrick P. O’Carroll Jr. has also issued numerous fraud advisories in various states affected by this form of telemarketing fraud. Citizens need to be educated to refrain from providing SSNs, bank account numbers, or other personal information over the phone or Internet unless they are extremely confident of the source.
Continuing the Fight
The SSA/OIG will continue to play an important role in the overall government effort to combat SSN misuse and identity theft. At this time, OIG investigators across the country are members of almost 200 task forces and work groups. These groups, comprising federal, state, and local law enforcement agencies, pool resources and, when permitted, share information to accomplish more than individual members could ever accomplish on their own.
For example, agents participating in the Central Florida Identity Theft Task Force, a group comprising 10 law enforcement agencies, recently arrested 15 members of an identity theft ring who obtained lists of individuals with good credit histories and used the personal information of those individuals to defraud a variety of commercial entities in the Orlando area. Twelve of the 15 individuals were sentenced to prison terms, and the total restitution ordered to victims exceeded $2 million. Through efforts like these, the SSA/OIG will continue to investigate vigorously and seek prosecution of individuals who commit identity theft crimes.
The SSN was never intended for anything but tracking workers’ earnings and paying workers their accrued benefits. As the uses of SSNs have expanded over the decades, through acts of Congress as well as the adoption of the SSN by other entities simply as a matter of convenience, their value as a tool for criminals has increased accordingly. The SSA/OIG will continue its efforts to encourage the protection of SSNs by those who use them legitimately and to provide meaningful sanctions for those who fail to protect SSNs or who misuse this information themselves. ■
1Social Security Administration, Office of the Inspector General, State and Local Governments’ Collection and Use of Social Security Numbers, Audit Report A-08-07-17086, September 2007, http://www.ssa.gov/oig/ADOBEPDF/audittxt/A-08-07-17086.htm (accessed May 16, 2008).
2U.S. Immigration and Customs Enforcement, “Worksite Enforcement,” http://www.ice.gov/pi/worksite/ (accessed May 16, 2008).
3U.S. Citizenship and Immigration Services, “E-Verify,” http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=75bce2e261405110VgnVCM1000004718190aRCRD&vgnextchannel=75bce2e261405110VgnVCM1000004718190aRCRD (accessed May 16, 2008).
4U.S. Immigration and Customs Enforcement, Worksite Enforcement Advisory, February 2008, http://www.ice.gov/doclib/pi/news/newsreleases/articles/wse_advisory_v27.pdf (accessed May 16, 2008), 2.