Fed Breach Leaks Social Security Numbers

April 20, 2007

By Michael J. Sniffen, Associated Press


The Social Security numbers of 63,000 people who received Agriculture Department grants have been posted on a government Web site since 1996, but they were taken down last week. Free credit monitoring is being offered to those affected.

The security breach was only noticed last week and promptly closed, the Agriculture Department and Census Bureau announced Friday.

The Agriculture data that included Social Security numbers were removed from the Web on April 13 and similar data from 32 other agencies were taken down April 17 as a precaution, said Agriculture spokeswoman Terri Teuber.

A review has determined that none of the other 32 agencies had a similar problem, said Sean Kevelighan, spokesman for the Office of Management and Budget.

"There is no evidence that this information has been misused," Teuber added. "However, due to the potential that this information was downloaded prior to being removed, USDA will provide the additional monitoring service."

The breach was discovered by Marsha Bergmeier, president of Mohr Family Farms in Fairmount, Ill. "I was Googling my farm name at 11 p.m. when I couldn't sleep," she said in a telephone interview, and details of her land loan came up in the second listing of the Google search, a private Web site that reposted the government data.

The next morning, April 13, she contacted the Agriculture Department, her congressman, Rep. Tim Johnson, the private Web site and the Census Bureau and was surprised by how quickly they removed the personal information.

"If somebody downloaded it, it's still out there in the world," she said. "That will never be a private number again."

Chris Hoofnagle, senior attorney at the University of California at Berkeley law school clinic on technology, said the only federal law violated by such a breach is the Privacy Act, but the Supreme Court had ruled last year that victims could only collect damages for measurable losses to ID thieves, not merely for anxiety.

Nevertheless, the incident is likely to spur passage of a federal law requiring notification of potential victims when personally identifiable information is disclosed or stolen electronically, Hoofnagle predicted. Already 35 states have such a law.

When the breach was reported to the Agriculture Department on April 13, there were Social Security numbers for 47,000 recipients of grants from the department's Farm Services Agency and from USDA Rural Development on a public Web site maintained by the Census Bureau.

The department originally said Friday the Social Security numbers of 105,000 to 150,000 individuals had been entered into federal databases open to the public since 1981. But by Friday evening, after they calculated how many people had been entered more than once, USDA announced that 63,000 individuals had their Social Security numbers exposed. The data has only been posted on the Internet by the Census Bureau since 1996.

The Census Bureau collects the grants made by 33 federal agencies and posts them on the Internet without analysis. By law, the names of these recipients and how much money they got are public records.

The disclosure comes six months after a congressional report found federal workers at 19 agencies had lost personal information affecting thousands of employees and the public, raising concerns about the government's ability to protect sensitive information.

In all, the House Government Reform Committee reported 788 incidents involving the loss or compromise of sensitive personal information since Jan. 1, 2003. That was in addition to the "hundreds of security and privacy incidents" at the Department of Veterans Affairs, according to a report the committee issued in October.

Teuber said the two Agriculture Department programs involved gave each grant a 15-digit identifying number. Included among those digits was the recipient's 9-digit Social Security number. There was nothing on the Web site that indicated the grant number contained the Social Security number, but the recipient who reported the problem recognized her Social Security number in the grant number, Teuber said.

To avoid revealing information that could increase the vulnerability of this private data, Teuber said Agriculture was not releasing more details, including the Web address, of the government site where this information was disclosed until all potentially compromised recipients have been notified.

The Agriculture Department is sending registered mail notifications to 150,000 recipients identified as having been part of the public database since 1981, but Teuber said some people are on the list more than once.

At an estimated taxpayer cost of $4 million, Agriculture is offering each of them free credit monitoring for one year, Teuber said.

USDA funding recipients who wish to take advantage of the credit monitoring offer will receive instructions on how to register. Any USDA funding recipient with questions may call 1-800-FED-INFO (1-800-333-4636) or visit http://USA.gov. The call center operates from 8 a.m. to 8 p.m. EDT, Monday-Friday.

Under supervision of the Office of Management and Budget, the grant numbers posted by the other 32 agencies were taken down and reviewed to see if any included Social Security numbers. "We are sure no other agencies ... were impacted by similar problems," said OMB's Kevelighan. He attributed the quick response to government-wide safeguards set up after the Veterans Affairs Department problems last year.

Teuber said an unknown number of private Web sites had downloaded and reposted the information, but she said at least one of them, OMB Watch, had also removed the identifying grant numbers.

OMB Watch director Gary D. Bass said Bergmeier contacted his group April 13 after finding her number on the Web site of his public interest group. The group referred her to Agriculture and Census, where it got the data.
