Your social security number probably got leaked and that’s very, very bad

Update: 5/10/20/18: Earlier this week, documents provided to the Securities Exchange Commission exposed some staggering numbers that come from Equifax's internal investigation of the breach. Here are the stats about compromised personal info according to the document:

As well as other documents that were stored as image files, which included victims’ driver’s licenses, passports, and social security numbers. It's unclear how much crossover there is between each category, so bad actors may have some or all of your data. It's also possible that we could get even more information down the road as the investigation continues. That means now is a good time to crank up your personal cybersecurity practices.

Corporate hacks and data breaches happen pretty frequently. Target accidentally gave up our credit card info, then some jerks swiped our email data from Yahoo!. The recent data breach from credit bureau Equifax, however, is different. The scope is staggering, involving over 100 million people. Even more troubling is the fact that social security numbers are included in the leaked data. You can change your email password and get a new credit card, but changing your SSN is a painstaking and often expensive process that can ripple through your entire life. Here's how to proceed now that those nine pesky digits could be floating around the web.

According to Equifax, the breach involved 143 million U.S.-based individuals, and the leak included birth dates, addresses, full names, and social security numbers. If you're an ID thief, you couldn't ask for much more than that. Equifax has set up a site where you can check to see if they think your ID has been affected, but it requires you to give them your personal information. No thanks. [Note: There are concerns about what rights you're giving up by submitting your information to the Equifax post-hack sites.]

Shuman Ghosemajumder, chief technology officer of Shape Security, points out that even a negative result in the check shouldn’t really be that comforting. “Just because you weren’t a part of this breach doesn’t mean your data wasn’t leaked in some other incident,” he says. “There have been so many of these in the past several years, you should probably act as though your data has been compromised anyway.” He went on to explain that this hack is different than the typical corporate incident because you didn't have to be a direct customer of Equifax to be affected. Even if you didn't have an account on their site, your info could still be involved.

“One of the most common types of ID theft is a simple account takeover, which is fairly easy to flag and shut down,” says Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group focused on privacy and security. “With the social security number, however, we get into synthetic identity theft, in which someone can literally take over your identity and use it to steal medical goods or commit serious crimes.”

For an innocent consumer whose identity has been stolen, disproving their involvement in those crimes is extremely difficult. “There are people who have to walk around with letters from their state district attorneys that say they haven’t committed the crimes associated with their social security numbers,” explains Dixon.

Beyond that, criminals can file false tax returns, create fake children to go with the identity, and even create problems with mortgages and home deeds.

As penance for its screw-up, Equifax is offering a year of credit monitoring and fraud alerts, which is something you should really be doing already anyway, and it shouldn't stop after just a year. The individual bureaus offer their own services, but you can also get a more overarching plan from a third-party like LifeLock or Identity Force. They each come with their own advantages and disadvantages ranging from price to coverage options, but the good ones will provide assistance in the case someone actually uses your identity for something nefarious.

Dixon suggests making an account with the Social Security Administration before someone else is able to do so using your information. Setting up an account only takes a few minutes, but will require that you have some information on-hand. During the registration process, it may ask you about things like active loans you have, monthly payment amounts, or even older accounts from a couple years ago. Failing to provide the correct info locks you out for 24 hours, so you only get one chance per day.

If you want to give yourself an extra level of protection, you can freeze your credit, but that’s a step that requires some work on your part. Each credit bureau will require you to place the freeze individually. Freezing your credit often comes with a fee, but you can typically get it waved if you prove that it’s a direct result of identity theft.

“Freezing your credit means that no one can open credit in your name, but they can still do bad things with your identity,” explains Dixon. “It can help to stop the financial ramifications, though.”

For the 209,000 people who had their driver’s licenses leaked along with their social security number, however, a credit freeze is likely a smart move. That combination of information would make it worryingly easy for a criminal buy a car under a fake name.

The Federal Trade Commission runs a very thorough Identity Theft Consumer Information Center, which provides a wealth of resources to help get the theft under control. Going to IdentityTheft.gov will give you an opportunity to report the theft and also provide you with a to-do list of actions to take in order to start the recovery process. If you don't want to sign up for the site, you can also see the recommended steps from the checklist here.

The short answer is yes, but it’s a long, tedious, and often very expensive process. Having helped roughly 50 people go through the process (not for identity theft, but for domestic-abuse cases), Dixon calls it the “beyond nuclear option.”.

“Sometimes people will choose to walk away from their old lives because they fear for their safety,” says Dixon. “If you want to keep your life and stop the theft, you want to try and freeze your credit first and explore every other option [first]—make it your part-time job to stay on top of your credit issues.”

If you decide to get a new SSN, Dixon says to contact an attorney—preferably one that specializes in identity theft—and prepare as much documentation as possible. Not only is that number linked to your financial accounts, but it’s also linked to your educational institutions, your loans, and certification boards for careers like teacher and doctor.

Even if you’re able to get a new number, that information will need to be “crosswalked” to your new number to ensure that you can still prove your college education or job certification.

So, while you can get a new SSN, it's considered a "nuclear option," and it can likely be avoided if you take care now to keep your data as secure as possible.