When hackers electronically invaded California state computers in April, they got access to information that included the Social Security numbers of virtually every one of the 265,000 people on California's payroll.
So far, officials say, there's no indication the hackers actually withdrew any information or are using it for illegal purposes. But the alarms set off by the recent public disclosure of the break-in underscore the growing problem of identity theft in the United States.
While no solid statistics are available, there's ample evidence of growth in identity theft involving Social Security numbers. For example, calls to a federal hotline to report Social Security number fraud and abuse rose from 11,058 in 1998 to 65,220 in 2001. Others estimate there are as many as 750,000 cases of identity theft in the United States each year.
Still, as California officials offer more details about the hacking of computers at the Teale Data Center in Sacramento, it appears the worst fears of privacy advocates have not come to pass - at least for now.
The compromised computers provide information to "deduction service companies," which arrange deductions from employees' paychecks for such things as union dues, mortgage payments or charitable contributions.
While the computers contained the last names and first and middle initials, as well as Social Security numbers of state employees, they didn't hold information such as addresses or checking account or credit card numbers, said Dave Dawson, chief information officer for the California controller's office.
Without that data it would be a tedious and difficult chore for thieves to gather enough information to siphon funds from a checking account or charge purchases to someone's credit card.
Still, identity thieves may be able to use the numbers to get other information. At least a dozen Web sites, for instance, advertise that they can use a Social Security number to search for addresses, maiden names, aliases or other personal information.
Such information brokers would be invaluable in helping set up a false identity, said Beth Givens, director of the Privacy Rights Clearing House, a privacy advocacy group in San Diego.
Typically, thieves use a Social Security number to establish charge accounts under the victim's name.
The accounts usually have a bogus mailing address and phone number, so when the bills start coming due, they are never received by the victim. After the bills go unpaid, the charge companies alert credit-rating agencies, which then brand the unwitting victim a credit risk, Givens said.
"Most victims only find out about this when they try to get a loan to buy a car or a house or they try to open another charge account and then they get rejected," Givens said.
But by then it's too late.
It can take years to get the damage erased from a victim's credit rating, Givens said. Even in the best case, victims can expect credit to be snarled for six months or more.
But the problems can go even further. Givens said there are cases where people arrested for a misdemeanor claimed to have lost their IDs and gave false Social Security numbers instead. The criminal charge then went on the victim's record, a problem even more difficult to correct.
Experts say there is a thriving market for Social Security numbers. "They're one of the key elements for creating an identity," said Joanne McNabb, chief of the Office of Privacy Protection for the state Department of Consumer Affairs.
And they are relatively easy to obtain, even without hacking into state computers. Lists of them can be found for sale on Internet sites, and they are routinely found on paycheck stubs, health insurance cards and credit-union statements.
A new California law prohibits businesses from practices such as sending Social Security numbers through the mail, putting them on employee IDs and otherwise putting them on public display.
But as for the breach in state computers, officials remain hopeful that no lasting damage was done. McNabb of the state's privacy protection office said the main credit-rating agencies report no unusual activity on the accounts of state workers who have called in with concerns on identity theft.
Dawson of the controller's office said the known security holes have been plugged, but it may never be known if the hackers actually took any data from the computers.
"New forms of attack are being created all the time," he said. "The only defense is constant vigilance."