Federal Database Exposes Social Security Numbers

April 20, 2007

By Ron Nixon, The New York Times

http://www.nytimes.com/2007/04/20/washington/20cnd-data.html?_r=1&hp=&adxnnl=1&oref=slogin&adxnnlx=1177103032-yUYrfkNKmHsZVZ/hqNZWCw



The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.

Officials at the Agriculture Department and the Census Bureau, which maintains the database, were evidently unaware that the Social Security numbers were accessible in the database until they were notified last week by a farmer from Illinois, who stumbled across the database on the Internet.

"I was bored, and typed the name of my farm into Google to see what was out there," said Marsha Bergmeier, president of Mohr Family Farms in Fairmount, Ill.

The first link that appeared in the search results was for her farm.s Web site. The second was for a site that she had never heard of, FedSpending.org, which provides a searchable database of federal government expenditures. The site uses information from the Census database.

Ms. Bergmeier said she was able to identify almost 30,000 records in the database that contained Social Security numbers.

"I was stunned," she said. "The numbers were right there in plain view in this database that anyone can access."

While there was no evidence to indicate whether anyone had in fact used the information improperly, officials at the Agriculture Department and the Census Bureau removed the Social Security numbers from the Census Web site last week.

Officials at the Agriculture Department said Social Security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before online identity theft was as well-known a threat as it is today.

Department officials said that more recently, when government agencies began to review public databases to remove sensitive personal information like Social Security numbers, they failed to notice that the numbers were being used in this database.

Terri Teuber, a department spokeswoman, said the agency was notifying people whose Social Security numbers were disclosed on the site. She said the agency was also planning to contract with a company to monitor the credit reports of all the affected individuals, at an estimated cost of about $4 million.

"We took swift action when this was brought to our attention, and took the information down," Ms. Teuber said. "We want to make sure that it doesn.t exist on any publicly available Web site."

The Agriculture Department said that its review of the database shows that between 100,000 and 150,000 people could be at risk.

A spokeswoman for the Census Bureau referred all calls about the database to the Office of Management and Budget.

Privacy advocates say the actions by the agencies may not be enough. The database is more than two decades old, and is used by many federal and state agencies, by researchers, by journalists and by other private citizens to track government spending. Thousands of copies of the database exist.

Marc Rotenberg, Executive Director of the Electronic Privacy Information Center, a privacy rights group, said the improper disclosures of Social Security numbers could violate the Federal Privacy Act, which restricts the release of personal information.

"Federal agencies are under strict obligations to limit the use of Social Security numbers as an identifier," said Mr. Rotenberg, "It doesn't look like that's what happened in this case."

FedSpending.org is owned by a nonprofit group called OMB Watch, which monitors the White House.s Office of Management and Budget.

The group created the site last year to provide public access to government contracts and grants in a searchable database. Users can search the information by company or by individual names to see who receives federal money.

OMB Watch said it was taking the data off its website while the federal government corrects the problem with the revealed Social Security numbers. Gary Bass, executive director of OMB Watch, said the government.s use of Social Security numbers in the database was "deplorable."

"It is most unfortunate that at least one agency has been inserting personally identifiable information into this database for a number of years," Mr. Bass said. "I'm amazed that, all these years, no one at the Department of Agriculture noticed that they were putting Social Security numbers into a public database."

Mr. Bass said the database is a valuable tool for government transparency and public disclosure, and that he hopes federal officials can continue to make the information available in a useful form while still protecting privacy.

The Census database disclosure is the latest in a string of embarrassing data-security breaches at federal agencies in the last few years. Last year, hackers illegally accessed an Agriculture Departmentdatabase containing the names, Social Security numbers and photos of current and former agency employees.

The Department of Energy, the Navy, the Department of Veterans Affairs, the Social Security Administration and the Internal Revenue Service also suffered data breaches last year in which personal information was lost or stolen.


main page ATTRITION feedback