The Freedom of Information Act request site accidentally made public dozens of social security numbers and other personal information while undergoing a site upgrade, according to reporting from CNN. The information was taken down after CNN alerted the government to the situation.

From CNN:

After a tip from a source who had noticed the glitch, with two quick searches, CNN discovered that the government had published at least 80 full or partial Social Security numbers. There were other instances of sensitive personal information, including dates of birth, immigrant identification numbers, addresses and contact details.

The glitch also exposed other sensitive information about individuals. In one instance, a victim of a violent crime seeking information about the case described the crime. In others, victims of identity fraud seeking more information about their cases had their Social Security Numbers exposed in the process. (In some instances, government agencies require Americans to submit FOIA requests for their own personal information.)

Not great!

The design bug apparently allowed anyone on the site to search for the information of whoever was requesting a document. “The idea is that people can see what has already been requested, by whom, and in some cases what may have been provided,” CNN writes. “When users click through to the individual request, the description field is withheld, pending agency approval. Yet those descriptions were viewable in full on the search results page, including if Americans had included their or others’ Social Security numbers or any other personal information.”
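The mismatch CNN describes, one view withholding a field that another view shows, is avoided when every public view is built from a single redacting projection. The sketch below is an added illustration, not FOIAonline's code; the record layout, field names and functions are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass

WITHHELD = "[withheld pending agency approval]"

@dataclass(frozen=True)
class FoiaRequest:
    tracking_id: str
    requester: str            # assumed public in this simplified model
    description: str
    description_approved: bool  # set by the owning agency after review

def public_view(req):
    """The only projection of a request that may reach an anonymous user."""
    return {
        "tracking_id": req.tracking_id,
        "requester": req.requester,
        "description": req.description if req.description_approved else WITHHELD,
    }

def detail_page(store, tracking_id):
    return public_view(store[tracking_id])

def search_results(store, term):
    """Match only on publicly visible fields, so a withheld description can
    neither be displayed nor confirmed by searching for its contents."""
    term = term.lower()
    hits = []
    for req in store.values():
        fields = [req.tracking_id, req.requester]
        if req.description_approved:
            fields.append(req.description)
        if any(term in field.lower() for field in fields):
            hits.append(public_view(req))  # same projection as the detail page
    return hits

# Constructed sample records; the SSN-shaped value is a placeholder.
STORE = {
    r.tracking_id: r
    for r in [
        FoiaRequest("REQ-0001", "A. Example", "My file, SSN 000-00-0000", False),
        FoiaRequest("REQ-0002", "B. Example", "Agency travel records for 2017", True),
    ]
}
```

Because the search index also ignores unapproved descriptions, a query cannot be used to confirm what a withheld field contains.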

Even after CNN published the story, some personal information remained up. The FOIA website is maintained by the Environmental Protection Agency, but each government agency is responsible for keeping track of its own information on the site and deciding what to make public. Thus, when CNN notified the EPA of the oversight, the agency was only able to re-mask some of the information. The EPA later emailed other agencies to tell them of the problem.

“Recently it was discovered that [personally identifiable information] in some records was exposed to the public,” the email said, according to CNN. “The PMO [Primary Management Office] has identified the cause of this issue and this afternoon implemented program fixes that resolved the problems. This issue will shortly be publicized by the press. It will also be reported that after our fix, that some names and addresses still do appear in publicly available FOIAonline records. A review by the PMO has found that this information has been marked as publicly viewable by the reporting agencies. It is requested that partner agencies review publicly viewable information to ensure that any personal information is specifically intended to be presented as such.”

“This is a really significant mistake,” Nuala O’Connor, a former chief privacy officer of the Department of Homeland Security, told CNN. “These sorts of data points allow people to engage in identity theft or some kind of harassment, or other malicious behavior. It puts potentially already vulnerable people at greater risk.”

“It defies logic and it defies expectation that anyone would think their Social Security number is being exposed when processing a request like this online,” O’Connor said. 

CNN notes that the FOIA website advises users to submit as much information as they can about themselves in order to help with finding their records. Yet the page also warns that that information may be disclosed. In a privacy policy linked at the bottom of the page, the fine print says “any personal information included in the comment form will be submitted to the Department or Agency to which your request is directed and may be publicly disclosed on FOIAonline or on third-party Web sites on the Internet.”