Personal Information at Risk: What Thieves Target
Identity thieves operate across a structured set of data categories, each with distinct market value, exploitation pathways, and downstream consequences for the individuals whose information is compromised. This page maps the primary categories of personal information targeted in identity-related crimes, the mechanisms by which that information is acquired and used, and the regulatory and classification frameworks that define the sector's response. The Identity Protection Authority's service provider network organizes professional resources by these same categories, making the taxonomy here operationally relevant to anyone navigating the identity protection services landscape.
Definition and scope
Personal information, in the context of identity theft, refers to any data element that can be used alone or in combination to identify, impersonate, or defraud an individual. NIST SP 800-122 defines Personally Identifiable Information (PII) as "any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity." This definition covers both directly identifying elements — Social Security Numbers (SSNs), passport numbers, financial account credentials — and indirectly identifying elements that become identifying when combined, such as ZIP code, date of birth, and gender.
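The way indirectly identifying elements become identifying in combination can be measured on a dataset before it is stored or shared. The following is an added example, not part of the original page or of NIST SP 800-122; the records, field names, and the generalization rule (3-digit ZIP prefix, birth decade) are constructed for illustration.

```python
from collections import Counter

QUASI = ["zip", "dob", "gender"]  # indirect identifiers named in the text

# Constructed sample: no names, SSNs, or account numbers are present.
RECORDS = [
    {"zip": "30301", "dob": "1984-03-12", "gender": "F", "dx": "asthma"},
    {"zip": "30305", "dob": "1984-03-12", "gender": "F", "dx": "diabetes"},
    {"zip": "30305", "dob": "1986-09-02", "gender": "F", "dx": "migraine"},
    {"zip": "30309", "dob": "1986-09-02", "gender": "F", "dx": "flu"},
    {"zip": "30301", "dob": "1975-11-30", "gender": "M", "dx": "asthma"},
    {"zip": "30309", "dob": "1975-11-30", "gender": "M", "dx": "flu"},
]

def class_sizes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """Smallest group size; k == 1 means at least one person is singled out."""
    return min(class_sizes(records, quasi_ids).values())

def unique_fraction(records, quasi_ids):
    """Share of records whose quasi-identifier combination is unique."""
    sizes = class_sizes(records, quasi_ids)
    singled = sum(1 for r in records
                  if sizes[tuple(r[q] for q in quasi_ids)] == 1)
    return singled / len(records)

def generalize(record):
    """Coarsen a record: keep only the ZIP prefix and the birth decade."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:3] + "0s"
    return out

if __name__ == "__main__":
    for field in QUASI:
        print(f"{field} alone: k = {k_anonymity(RECORDS, [field])}")
    print(f"combined: k = {k_anonymity(RECORDS, QUASI)}, "
          f"unique = {unique_fraction(RECORDS, QUASI):.0%}")
    coarse = [generalize(r) for r in RECORDS]
    print(f"generalized: k = {k_anonymity(coarse, QUASI)}, "
          f"unique = {unique_fraction(coarse, QUASI):.0%}")
```

In this sample each field alone is shared by at least two people, yet the three together single out every record; coarsening ZIP and date of birth restores groups of two or more.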
The Federal Trade Commission classifies identity theft into discrete categories for enforcement and reporting purposes, including government documents/benefits fraud, credit card fraud, employment or tax-related fraud, and loan or lease fraud (FTC Consumer Sentinel Network Data Book 2023). The Fair Credit Reporting Act (15 U.S.C. § 1681) provides the foundational legal architecture governing how consumer credit data — one of the primary targets — must be maintained, disputed, and protected.
The scope of targeted information spans four principal categories:
- Government-issued identifiers — SSNs, driver's license numbers, passport numbers, Individual Taxpayer Identification Numbers (ITINs)
- Financial account data — credit card numbers, bank routing and account numbers, investment account credentials
- Medical and insurance identifiers — Medicare/Medicaid beneficiary numbers, health insurance member IDs, medical record numbers
- Authentication credentials — usernames, passwords, security question answers, biometric data, one-time passcode seeds
All 50 states have enacted data breach notification statutes requiring disclosure when these categories are exposed, though the triggering thresholds and notification timelines vary by jurisdiction.
How it works
Acquisition of targeted personal information follows three primary pathways: technical intrusion, social engineering, and physical theft. These are not mutually exclusive — sophisticated operations layer all three.
Technical intrusion encompasses data breaches affecting databases held by financial institutions, healthcare providers, government agencies, and retailers. The HHS Office for Civil Rights maintains a public breach portal tracking healthcare sector incidents under HIPAA enforcement (HHS OCR – HIPAA and Medical Identity Theft). Credential stuffing — automated use of previously breached username/password pairs against new targets — exploits password reuse across accounts.
Social engineering includes phishing emails, vishing (voice phishing), smishing (SMS phishing), and pretexting, where a thief constructs a false scenario to extract information directly from the target or from institutions holding it.
Physical theft covers mail interception, dumpster diving for discarded financial documents, skimming devices on ATMs or point-of-sale terminals, and theft of physical identity documents.
Once acquired, stolen data moves through a value hierarchy. SSNs and full date-of-birth combinations command the highest resale value because they enable synthetic identity creation — the construction of fictitious credit identities using a real SSN paired with fabricated personal details. The Federal Reserve identified synthetic identity fraud as the fastest-growing financial crime type in the United States (Federal Reserve – Synthetic Identity Fraud, 2019). By contrast, payment card data depreciates rapidly after a breach because financial institutions cancel and reissue cards quickly.
Common scenarios
Tax identity theft occurs when a thief files a fraudulent federal or state tax return using a victim's SSN and claims a refund before the legitimate filer submits. The IRS maintains a dedicated recovery pathway under its Identity Protection PIN program (IRS – Taxpayer Guide to Identity Theft).
Medical identity theft involves using another person's insurance credentials or Medicare/Medicaid number to receive healthcare services or durable medical equipment. Unlike financial fraud, medical identity theft can alter a victim's health records, creating dangerous inaccuracies that affect future clinical care. HHS Office for Civil Rights enforces HIPAA provisions applicable to medical identity theft scenarios involving covered entities.
Account takeover targets existing financial accounts rather than opening new ones. A thief acquires authentication credentials — often via phishing — changes the account's contact information, and then depletes funds or reroutes transactions. This differs from new account fraud, where stolen government-issued identifiers are used to open entirely new credit lines the victim is unaware of.
Employment identity theft uses a victim's SSN for I-9 verification, resulting in unreported wages attributed to the victim's SSN, potential tax liabilities, and complications with Social Security Administration benefit calculations. The specifically addresses the professional categories that handle each of these fraud typologies.
Decision boundaries
Not all exposure of personal information constitutes actionable identity theft under federal or state law, and the distinction matters when engaging identity protection service providers.
The key boundary conditions are:
- Exposure vs. exploitation: A data breach that exposes SSNs does not automatically constitute identity theft. Exploitation — actual fraudulent use — triggers consumer rights under 15 U.S.C. § 1681c-2, which requires consumer reporting agencies to block fraudulent tradelines as processing allows after receiving an identity theft report.
- Civil vs. criminal remedies: Credit fraud resulting in unauthorized accounts involves civil dispute mechanisms through credit bureaus and the FCRA. Criminal prosecution under 18 U.S.C. § 1028 (Identity Fraud) or 18 U.S.C. § 1028A (Aggravated Identity Theft) is a federal matter prosecuted by the Department of Justice — civil remedies and criminal enforcement operate on separate tracks.
- Monitoring vs. recovery services: Identity monitoring services detect conditions that suggest fraud exposure (dark web credential appearance, credit inquiry anomalies). Recovery services engage after fraud is confirmed. These represent structurally different service categories with different professional qualifications and regulatory touchpoints, a distinction covered in the resource overview for this provider network.
- Individual vs. synthetic identity: Standard identity theft victimizes an existing person whose records are distorted. Synthetic identity fraud constructs a new fabricated identity; the SSN owner may see limited immediate credit impact, complicating detection and making traditional victim-notification mechanisms less effective.