December 23, 2005
Justice Department Reveals Social Security Numbers
The federal government is responsible for issuing Social Security numbers, but it may not be doing enough to protect these critically personal pieces of information on its own Web sites. Acting on a tip, InformationWeek was able to access Web pages that include the names and Social Security numbers of people involved in Justice Department-related legal actions. It's a discomforting discovery at a time when identity theft and fraud are on the rise.
One document on the Justice Department Executive Office for Immigration Review's site listed the name and Social Security number of a woman involved in a 2003 immigration-review case. Another document from 2002 listed the name and Social Security number of a man who was being prosecuted for committing insurance fraud. Other searches of the Justice Department's site yielded more Social Security numbers and identifying information.
When contacted on Dec. 20 about the presence of a 2003 document revealing personally identifying information, a spokesman for the Justice Department's Executive Office for Immigration Review noted that his division is governed by the department's overall privacy rules, the Privacy Act, and the Freedom of Information Act. He acknowledged that the woman's Social Security number displayed in the immigration-review case shouldn't be available to the general public, that it would be removed from the site, and that the woman in question would be notified that her number had been published.
A search Friday on the Justice Department's Web site for the woman's name indicated that the document had been blocked from public view. However, Google and Yahoo searches returned a hyperlink to her PDF court document. The PDF is now blocked when clicking on this link, but the information can still be obtained by clicking on the "text version" of the link.
But according to an InformationWeek source, the Justice Department had been notified of the error more than a month ago. The source, a systems security manager at a California bank, said he saw the information on the site and sent an E-mail on Nov. 12 alerting the Justice Department. The security manager followed up with the Justice Department via E-mail on Dec. 4 and was notified on Dec. 6 by the site's Web master that his E-mail had been forwarded to the "responsible component within the Department." The systems security manager contacted InformationWeek on Dec. 19 when he noticed that the person's name and Social Security number still could be found on the Justice Department's Web site.
In the nearly 70 years that the U.S. government has been issuing Social Security numbers, their use has grown from being strictly for government record-keeping to becoming attached to nearly every important document in a person's life, including bank accounts, medical records, and employment files. The growing use of computers to store all of this information has led to a new era of electronic identity theft, with Social Security numbers being of particular value for cybercriminals.
More than 51 million Americans have had their personal information compromised since February 2005 through a variety of means, including software programs that monitor keystrokes to acquire passwords, phishing, and low-tech techniques such as eavesdropping and dumpster diving, according to the Privacy Rights Clearinghouse, a nonprofit consumer watchdog organization.
The Justice Department, meanwhile, touts its efforts to crack down on identity theft and identity fraud through the 1998 Identity Theft and Assumption Deterrence Act, which prohibits using or transferring another person's identifying information with the intent to commit, or aid or abet, any unlawful activity. The law, in most circumstances, carries a maximum prison term of 15 years.
Recognizing the threat to public well-being, not to mention the proliferation of E-commerce and E-government, government has stepped up its efforts to penalize companies that are criminal or careless with personal information. Since March 2005, more than 20 states have enacted legal requirements for notifying the public regarding security breaches involving personal information.
But the government's role in protecting its citizens from identity theft and fraud is likely to get murky in 2006. Bills in both the House and Senate would impose a less-stringent standard for notification and pre-empt state laws. While identity-theft notification standards differ from state to state, one of the federal bills in play would require agencies and persons in possession of computerized data containing sensitive personal information to disclose security breaches only when such a breach poses a significant risk of identity theft.
Yet the availability of Social Security numbers on one of its own Web sites indicates the federal government may need to pay closer attention to its own adherence to identity-theft prevention.