Personal Information at Risk: What Thieves Target

Identity thieves do not steal randomly — they target specific categories of personal information that carry direct monetization value, either through immediate financial fraud or long-term synthetic account construction. This page maps the primary data categories targeted in identity theft operations, the mechanisms by which that data is exploited, the common scenarios in which exposure occurs, and the threshold criteria professionals use to classify exposure severity. The scope covers consumer-facing personal information risk as defined under federal frameworks including the FTC Act and the Fair Credit Reporting Act (FCRA, 15 U.S.C. § 1681 et seq.).


Definition and scope

Personal information, in the context of identity theft risk, refers to any data element that can be used alone or in combination to authenticate identity, access financial accounts, or establish fraudulent credentials. The FTC defines "personal information" for identity theft purposes under 16 C.F.R. Part 603, which incorporates reference to the FCRA's framework for consumer report data.

The data categories that carry the highest theft value fall into four classifications:

  1. Government identifiers — Social Security Numbers (SSNs), Individual Taxpayer Identification Numbers (ITINs), driver's license numbers, and passport numbers. An SSN combined with a date of birth is sufficient to file a fraudulent tax return or open new credit accounts. The IRS Identity Protection PIN program exists specifically because of the primacy of SSN-based fraud in tax contexts.

  2. Financial account data — Bank account numbers, routing numbers, credit and debit card numbers with CVV codes, and brokerage account credentials. Card data trades on dark-web markets at prices ranging from under $1.00 to over $20.00 per record depending on card type and available balance data, as documented in annual threat intelligence assessments published by sources such as the Verizon Data Breach Investigations Report.

  3. Authentication credentials — Usernames and passwords, security question answers, PINs, and recovery email addresses. Once a credential pair is compromised, account takeover fraud can propagate across any service where the victim has reused the password — a risk class covered in detail under account takeover fraud.

  4. Biometric and device identifiers — Fingerprints, facial recognition data, voice prints, and device identifiers including mobile phone numbers used for SMS-based authentication. Unlike passwords, biometric identifiers cannot be reset. The sensitivity of this category is addressed by biometric data protection standards including NIST SP 800-76-2.

Medical record numbers and health insurance identifiers constitute a fifth classification relevant to medical identity theft, where fraudulent use of another person's insurance credentials generates false billing records that can affect both credit files and health records simultaneously.


How it works

Thieves operate on a pipeline model: acquisition, verification, monetization. The acquisition phase targets the data categories above through either mass-scale breach extraction or individual-level social engineering.

At the mass-scale end, data breaches expose structured database records — often including hashed passwords, SSNs, and financial identifiers — in bulk. The major US data breaches reference documents incidents where tens of millions of records were exposed in single events, creating persistent downstream fraud risk for years after the initial breach.

At the individual level, phishing and identity theft operations use fraudulent communications to induce victims to voluntarily submit credentials or account data. The Anti-Phishing Working Group (APWG) recorded over 1 million phishing attacks in a single quarter of 2022 (APWG Phishing Activity Trends Report Q4 2022), making phishing the dominant individual-targeting vector by volume.

After acquisition, thieves verify the validity of stolen data through low-value test transactions or by querying identity verification systems with the stolen credentials. Valid data is then monetized through one of three primary pathways:

The Federal Trade Commission's Consumer Sentinel database, accessible through IdentityTheft.gov, is the primary federal repository for identity theft complaint data and informs enforcement prioritization under Section 5 of the FTC Act.


Common scenarios

Exposure events that lead to personal information theft cluster into five recurring patterns:

Data breach exposure — An employer, retailer, healthcare provider, or government agency suffers a breach that releases structured records. The victim has no direct control over this pathway. Notification obligations under the 48 state breach notification statutes (catalogued by the National Conference of State Legislatures) require disclosure, but notification may arrive weeks or months after initial compromise.

Credential compromise through reuse — A password used across multiple platforms is exposed in a breach of one service and subsequently tested against financial or email accounts. Password security for identity protection addresses the credential hygiene standards that mitigate this vector.

Physical document theft — Stolen mail, discarded financial statements, and lost wallets provide government identifiers and account numbers in pre-digital form. Mail theft and identity fraud and dumpster diving identity theft represent underestimated exposure pathways despite digital fraud receiving disproportionate attention. The USPS Office of Inspector General documents mail theft complaints in annual reports.

SIM swapping — A threat actor social-engineers a mobile carrier into transferring the victim's phone number to a SIM card under the attacker's control, defeating SMS-based multi-factor authentication. This attack specifically targets the phone number as an identity anchor — a scenario covered under SIM swapping identity theft.

Public network and device interception — Unencrypted traffic on public Wi-Fi, or malware installed on shared devices, allows passive credential harvesting. Public Wi-Fi identity risks establishes the technical conditions under which interception is feasible.


Decision boundaries

Not all personal information exposure carries equal remediation urgency. Professionals and identity protection services apply threshold criteria to classify exposure events:

High-severity exposure (requires immediate action):
- SSN confirmed in a breach or dark web monitoring alert
- Financial account credentials exposed with evidence of unauthorized access
- Driver's license or passport number combined with date of birth in the same breach record
- Health insurance member ID with provider data, indicating medical identity theft risk

Moderate-severity exposure (monitor and harden):
- Email address and hashed password without other identifiers
- Partial card data without CVV or expiration date
- Name and address without government identifiers

Low-severity exposure (baseline awareness):
- Name and phone number without financial or government identifiers
- Publicly available contact data without authentication credentials

The distinction between high and moderate severity is operationally significant: high-severity exposure warrants immediate placement of a credit freeze (distinct from a fraud alert — see credit freeze vs fraud alert) and a formal report through the FTC's IdentityTheft.gov process. Moderate exposure warrants credential rotation and activation of dark web monitoring services but does not necessarily trigger the full reporting and remediation chain.

The FCRA (15 U.S.C. § 1681c-2) grants consumers the right to block fraudulent tradelines resulting from identity theft from appearing on credit reports — a right that activates only when documented fraud has occurred, not upon exposure alone. This distinction between exposure and confirmed fraud is the defining boundary in the remediation decision tree.
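
The tiers and follow-up actions above can be expressed as a small triage routine. This is an added example, not code from any agency or monitoring service. The field names, the "unclassified" fallback, and the reading of "without other identifiers" as "no government identifier" are assumptions made for illustration.

```python
# Added example. Field names are assumed labels for one exposure record,
# not a standard schema; the rules mirror the tiers listed on this page.
ACTIONS = {
    "high": ["place credit freeze", "file report at IdentityTheft.gov"],
    "moderate": ["rotate credentials", "activate dark web monitoring"],
    "low": ["baseline awareness"],
    "unclassified": ["manual review"],  # assumption: the page lists no rule
}

def classify(fields, unauthorized_access=False):
    """Return (tier, reasons) for the data elements in one exposure event."""
    f = set(fields)
    gov_ids = f & {"ssn", "itin", "drivers_license", "passport"}
    high = []
    if "ssn" in f:
        high.append("SSN in breach or monitoring alert")
    if unauthorized_access and "financial_credentials" in f:
        high.append("financial credentials with unauthorized access")
    if "dob" in f and f & {"drivers_license", "passport"}:
        high.append("license/passport number with date of birth")
    if {"health_insurance_id", "provider"} <= f:
        high.append("insurance member ID with provider data")
    if high:
        return "high", high

    moderate = []
    if {"email", "password_hash"} <= f and not gov_ids:
        moderate.append("email with hashed password")
    if "card_number_partial" in f and not f & {"cvv", "card_expiry"}:
        moderate.append("partial card data without CVV or expiration")
    if {"name", "address"} <= f and not gov_ids:
        moderate.append("name and address, no government identifier")
    if moderate:
        return "moderate", moderate

    if f and f <= {"name", "phone", "email", "address"}:  # contact data only
        return "low", ["contact data without credentials or identifiers"]
    return "unclassified", ["combination not covered by the listed tiers"]

def remediation(fields, unauthorized_access=False, fraud_confirmed=False):
    tier, reasons = classify(fields, unauthorized_access)
    steps = list(ACTIONS[tier])
    if fraud_confirmed:  # FCRA block needs documented fraud, not exposure alone
        steps.append("request FCRA tradeline block (15 U.S.C. 1681c-2)")
    return tier, reasons, steps
```

Rules are checked from the highest tier down, so a record that matches both a high and a moderate rule is reported as high.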

Social Security number protection addresses the specific protocols applicable when the highest-value government identifier is confirmed compromised. For victims navigating confirmed fraud, the identity theft reporting process and the identity restoration process document the sequential remediation steps recognized by federal agencies.

