News that the social insurance numbers of approximately 900 Canadians were "removed" from the Canada Revenue Agency's website recently has many people worried about the security of their online data.
Of all the ways to experience identity theft, the loss of a SIN is among the more serious, as that is a user's official thumbprint on government networks and the one that is most often used to authenticate people in the financial system, too.
Next to somebody getting your bank card and PIN number, it's hard to imagine a piece of private information that could be more damaging.
"Along with other personal information, someone may be able to use your SIN to apply for a credit card or open a bank account, rent vehicles, equipment, or accommodation in your name, leaving you responsible for the bills, charges, bad cheques, and taxes," Canada's privacy commissioner warns in a factsheet on its website.
A SIN, used in conjunction with other pieces of information that are relatively easy to obtain, can allow for the opening of credit and other financial accounts. It can also be used to access government services.
Regardless of whether your social insurance number has been stolen, security experts say there are things you can do as a precaution to try and stay safe:
- Don't ever give out your SIN to anyone but government or a bank. The social insurance number was invented in 1964 as a way of managing CPP payments and other government insurance systems, including income taxes. Institutions that pay interest for financial deposits (like banks and credit unions) are also entitled to have your SIN for the legitimate purpose of reporting that income to government. But "organizations should only authenticate to the extent necessary," the privacy commissioner said recently. "In other words, you don’t need to ask someone who is applying for a student bus pass to give intimate details of their lives." The government has a complete list of all government departments authorized to collect social insurance numbers here and outside of those two uses, there is no legitimate reason for anyone else to require a SIN from you.
- Change passwords. Often. Many people have been diligent about changing their passwords frequently, even before the Heartbleed bug was uncovered, but many likely haven't been. Still others have been waiting to hear from financial institutions before logging into their accounts, for fear of revealing their data through an unsecured website. In either case, security consultant Raymond Vankrimpen says changing passwords is always a good idea. "If they had it before, changing the password prevents them from coming in again," he says.
- Monitor your credit activity. Agencies such as Equifax and TransUnion provide credit monitoring services. For a fee, they will alert you to any new attempts to create credit accounts in your name (although they are also required to send you a version of your credit report, free of charge, if you ask.) But security consultants say monitoring your own accounts — keeping an eye on all transactions in all accounts you know of — is also a good idea.
If you think your SIN has been stolen, you're advised to report that to police and government agencies. The Canada Revenue Agency says it's contacting affected parties by registered mail with instructions on what to do, and reminds people that the tax department never contacts them via email or phone — so any attempt to do so should be ignored as it is fraudulent.