Do you have customer or employee Social Security numbers as part of your database? If you do, you probably have them encrypted or are thinking about encrypting them.
Do you also have other customer data such as birthdays or birth-states as part of your database? If you do, you probably don't have them encrypted and aren't thinking about doing so.
But unencrypted data such as birth dates or hometowns may be all a hacker needs to get his hands on your customers' or employees' Social Security numbers.
Researchers at Carnegie Mellon University in Pittsburgh have developed a technique for using data available from public sources to predict a specific individual's Social Security number. Project lead Alessandro Acquisti, an associate professor of Information Technology and Public Policy, and Ralph Gross, a post-doctoral researcher, started with the U.S. Social Security Administration's Death Master File, a publicly available database that includes the names, dates of birth and death, and state of birth for every deceased beneficiary of Social Security. By making that information publicly available, the government intended to make it harder for someone to assume the identity of a dead person.
The researchers studied 30 years of data recorded in the Death Master File and were able to discern patterns in the relationships between birth dates, birth states, and Social Security numbers. Since the methods that the Social Security Administration uses to assign numbers are public knowledge, Acquisti and Gross were able to combine the two to develop algorithms for predicting Social Security numbers.
They were able to correctly predict—in a single attempt—the first five digits of the Social Security numbers for 44 percent of test subjects born after 1988. Add those digits to a redacted bank or online statement that lists only the last four digits, and the whole number is exposed. For subjects born between 1973 and 1988, they were successful seven percent of the time.
In 1989, the government began issuing Social Security numbers shortly after birth, according to Acquisti, making it easier to apply mathematical techniques to predict them. It is easier still, he noted, for people born in less populous states. Consequently, in fewer than 1,000 attempts, Acquisti and Gross were able to predict all nine digits of the Social Security numbers for 8.5 percent of test subjects. Their success rate climbs for people born more recently and in smaller states. It took them fewer than 10 tries to predict one of 20 numbers issued in Delaware in 1996.
The techniques developed by Acquisti and Gross actually produce a range of possible Social Security numbers for a given person, Acquisti explained. A hacker could then use a botnet to abuse instant credit-approval sites as a verification oracle, testing each candidate until the site accepts one and thereby determining which number belongs to that person. If a computer system can try ten, a hundred, or even a thousand possibilities, a Social Security number is no more secure than a three-digit PIN.
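The abuse described above leaves a distinctive trace on the credit-approval side: one applicant name and date of birth submitted with many different Social Security numbers in a short time, spread across many source addresses. The following detection logic is an added example, not code from the article or the researchers; the log format, the 10-minute window, the threshold of four, and the sample records are all constructed for illustration, and the log stores only a salted-hash fingerprint of each submitted number rather than the number itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One line per instant-credit application:
# timestamp | source IP | applicant name | date of birth | SSN fingerprint | result
SAMPLE_LOG = """\
2024-03-01T10:00:01|198.51.100.7|J. Doe|1996-04-12|a1f3c9|DENIED
2024-03-01T10:00:09|203.0.113.21|J. Doe|1996-04-12|b7e2d0|DENIED
2024-03-01T10:00:15|192.0.2.88|J. Doe|1996-04-12|c04a11|DENIED
2024-03-01T10:00:22|198.51.100.7|A. Smith|1980-11-03|d9f0e5|APPROVED
2024-03-01T10:00:40|203.0.113.55|J. Doe|1996-04-12|e6b1a7|DENIED
2024-03-01T10:01:02|192.0.2.19|J. Doe|1996-04-12|f2c8d3|APPROVED
2024-03-01T10:30:00|198.51.100.9|A. Smith|1980-11-03|d9f0e5|DENIED
"""

WINDOW = timedelta(minutes=10)  # assumed tuning value
THRESHOLD = 4                   # distinct SSNs per applicant within WINDOW (assumed)

def parse(log_text):
    """Split each line into (timestamp, ip, name, dob, ssn_fingerprint, result)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, name, dob, fp, result = line.split("|")
        events.append((datetime.fromisoformat(ts), ip, name, dob, fp, result))
    return events

def per_ip_counts(events):
    """Attempts per source IP: the view a naive rate limit would see."""
    counts = defaultdict(int)
    for _, ip, *_ in events:
        counts[ip] += 1
    return dict(counts)

def find_enumeration(events, window=WINDOW, threshold=THRESHOLD):
    """Key on the applicant identity, not the IP, since a botnet spreads requests
    across addresses. Flag any (name, dob) seen with >= threshold distinct SSN
    fingerprints inside a sliding window; repeats of the same SSN do not count."""
    by_applicant = defaultdict(list)
    for ts, ip, name, dob, fp, _ in sorted(events):
        by_applicant[(name, dob)].append((ts, ip, fp))
    alerts = []
    for key, attempts in by_applicant.items():
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            distinct = {fp for _, _, fp in span}
            if len(distinct) >= threshold and (best is None or len(distinct) > best["distinct_ssns"]):
                best = {"applicant": key, "distinct_ssns": len(distinct),
                        "source_ips": sorted({ip for _, ip, _ in span}),
                        "first": span[0][0], "last": span[-1][0]}
        if best:
            alerts.append(best)
    return alerts
```

Run against the sample, the per-IP view never exceeds two attempts from any address, while the per-applicant view flags J. Doe with five distinct numbers from five addresses in about a minute; the accepted attempt at the end of that run is the one that should be blocked or reviewed rather than approved.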
Acquisti, whose primary research interests include both the economics and the behavioral economics of privacy and information security, observed that identity theft cost the American public $50 billion in 2007. The Social Security number was never intended to be used as an authenticator of identity, he noted, and using it for that purpose is a practice he feels should stop. Eventually, he would like to see the government switch to a random number system for Social Security numbers, but he notes that even then, the millions of Americans who already have Social Security numbers would still be vulnerable.
In case you were wondering: before going public with this information, the authors removed critical portions of the method they used to predict Social Security numbers so that it could not be easily replicated. They also briefed government officials before going public.
The moral of this story is to encrypt all your data: not just the obvious items like Social Security or account numbers, but anything that could be used to compromise the security of your customers or employees.