Your SIN is a 'master key.' Here's why you must protect it

Dave has learned the hard mode that you don't privation the incorrect idiosyncratic getting a clasp of your societal security number. 

In 2024, helium became a unfortunate of individuality fraud. Someone utilized his SIN to unfastened a slope relationship and get their hands connected immoderate speedy cash. And portion helium didn't suffer immoderate of his ain money, his recognition people tanked for a period.

"The astir frustrating portion was being told, 'Hey, determination isn't overmuch we could bash astir this. Your accusation is connected the acheronian web. It volition beryllium utilized again.' And months later, it was utilized again," Dave, of Laval, Que., told Cost of Living. 

Dave isn't his existent name. CBC has agreed to place him by a pseudonym, arsenic constabulary person told him that further exposing his individuality could pb to much challenges.

Dave was 1 of 4.2 cardinal Desjardins customers that had their information leaked successful 2019. And they aren't the lone victims. Over the past fewer years, customers with Sobeys, Ticketmaster, London Drugs, Nova Scotia Power and the Canada Revenue Agency, to sanction a few, person had their information breached. 

And since much businesses and organizations person started asking for societal security numbers, experts are cautioning radical to beryllium precise selective astir who they stock their SIN with.

"It's the astir sensitive, secret and unsocial identifier. Essentially, it's the maestro cardinal to our individuality successful Canada," said Claudiu Popa, co-founder of KnowledgeFlow Cybersafety Foundation, which advocates for online information for Canadians.

SINs

The societal security fig was created with the motorboat of the Canadian Pension Plan successful the 1960s and utilized to way who was eligible, arsenic good arsenic for assorted employment security programs.

According to Popa, determination aren't galore places that really request to cognize it. A caller leader needs your SIN, arsenic does your slope and immoderate authorities agencies, similar the CRA.

But much organizations are asking for people's SINs. Popa says that includes gyms, landlords, security companies and schools. He says nary of these places request your SIN, but that doesn't halt them from asking.  

That's due to the fact that it's an casual mode to cheque someone's recognition with a unsocial number. But immoderate companies are besides utilizing it arsenic an identifier for customers. 

"It has conscionable go a lazy mode of uniquely identifying people, and unluckily it places radical astatine the hazard of privateness breaches," said Popa.

So what bash you bash if idiosyncratic asks for your SIN? Just accidental no. 

But arsenic the cliché goes, that's easier written into a CBC nonfiction than done successful existent life. Just inquire Greg Pace. 

When Pace made a large vocation alteration from an RCMP serviceman to a farmer, helium figured it was a bully thought to instrumentality immoderate classes to summation much cognition astir the caller field. 

But midway done the government-sponsored classes, idiosyncratic from the programme pulled him speech and informed him helium hadn't enactment his SIN in his paperwork. 

"I felt determination was a batch of societal unit to comply. And yet I knew it wasn't the close inquire — that they were, I felt, overstepping," said Pace.

Pace, whose inheritance arsenic an RCMP serviceman taught him to beryllium wary of sharing idiosyncratic information, asked why, but wasn't fixed a reason. So helium refused, and erstwhile it became evident helium was nary longer welcome, helium near the course. 

Compromised

What makes the societal security fig truthful invaluable to fraudsters, compared to a recognition paper fig oregon slope password? Popa says it's because, dissimilar different pieces of information, it isn't casual to change.

Dave knows that each excessively well. Just successful the past year, fraudsters person tried to unfastened 2 antithetic slope accounts successful his sanction and person bought aggregate iPhones online. And the onslaught of fraud came conscionable arsenic Desjardins' connection of escaped recognition monitoring was moving out. 

It's taken Dave a batch of clip to speech to banks, recognition bureaus and constabulary to get it each straightened retired each time. And it's not conscionable a hassle. It tin vessel his recognition score. 

"To cognize that idiosyncratic could usage … your accusation successful a fraudulent manner, thing that you worked truthful hard to build, is highly frustrating," said Dave. 

Since the Desjardins breach, immoderate person requested caller SINs. But that doesn't hap often. It requires impervious that the fig has been utilized successful fraud, not conscionable that the accusation has been leaked. And fraudsters are clever, Popa says. They'll often hold until their victims' credit monitoring has tally out, which is usually nationalist information.

In an email to CBC, Employment and Social Development Canada (ESDC) says it takes steps to support radical from having their SIN compromised, including consciousness campaigns, fraud prevention resources and unafraid exertion processes. 

It says that if your fig is compromised, you should record a constabulary report, notify the Canadian Anti-Fraud Centre, interaction a recognition bureau and study it to immoderate affected authorities programs. 

It doesn't, however, urge applying for a caller SIN. 

"Having aggregate SINs tin summation fraud risk. Getting a caller SIN does not erase the aged SIN and does not support it from aboriginal abuse," said ESDC spokesperson Saskia Rodenburg.

A antithetic method? 

There is different imaginable solution: integer IDs. This strategy would allow you to stock lone what you privation to stock and thing else. 

"You mightiness person thing similar a integer wallet that's successful your phone, oregon successful your astute tablet," said Joni Brennan, president of the non-profit Digital ID and Authentication Council of Canada.

One portion of accusation connected the ID could beryllium your verified income, for example, which you would beryllium capable to stock with whichever idiosyncratic oregon enactment that requires it. This way, she says, you could stock lone the accusation that's necessary, oregon that you privation to share. 

Some regions are taking the indispensable steps, similar B.C., but don't expect a Canada-wide integer ID anytime soon. That's due to the fact that provinces person a batch of jurisdiction implicit credentials.

And arsenic that progresses, Brennan says uncovering ways to support our SIN needs to beryllium an ongoing conversation.

"As we see, caller technologies travel guardant that mightiness make caller ways for atrocious folks to bash atrocious things, [so] the abstraction that's focused connected information and extortion and privateness needs to proceed to evolve, arsenic well."