by Anders Hagstrom
A federal government transparency website had been unwittingly displaying at least 80 full or partial social security numbers (SSN) for weeks before taking them down, CNN reported Sunday.
The error came in a Freedom of Information Act (FOIA) request portal, causing many people who submitted FOIA requests to have their SSNs revealed on the website, CNN reported. In many cases, the website, foiaonline.gov, revealed more information than just an SSN, also publishing dates of birth, immigrant identification numbers, addresses and contact details. The government was unaware of the problem and cited a glitch when CNN reached out for comment.
“Recently it was discovered that [SSN] information in some records was exposed to the public,” an internal email obtained by CNN read. “The PMO [Primary Management Office] has identified the cause of this issue and this afternoon implemented program fixes that resolved the problems. This issue will shortly be publicized by the press. It will also be reported that after our fix, that some names and addresses still do appear in publicly available FOIAonline records. A review by the PMO has found that this information has been marked as publicly viewable by the reporting agencies. It is requested that partner agencies review publicly viewable information to ensure that any personal information is specifically intended to be presented as such.”
The glitch in the website pertained to the ability of users to search databases of existing FOIA requests. In the version of the website prior to July 9, those searching the database would need agency approval before viewing its contents or even a description of its contents in the search results screen. The site received an update to a 3.0 version July 9, and the protection against displaying FOIA request descriptions in the results screen had seemingly disappeared. As a result, potentially any SSN that was displayed in a FOIA request description was publicly viewable.The Environmental Protection Agency (EPA), which handles IT for the FOIA site, spoke to CNN about how it fixed the problem.
“The EPA is aware and working with partner agencies to remediate an issue with the FOIAonline 3.0 system,” EPA spokesman John Konkus said. “The issue affects a limited number of cases and inadvertently displays descriptive information that may, in some instances, include Social Security Numbers. EPA will follow the Agency’s Breach procedures to evaluate the situation further and take the appropriate mitigation measures.”
The site also had few warnings against sharing personal information in a request, and a handful of agencies even encouraged it, thinking the information would be locked from the public.
“This is a really significant mistake. It defies logic and it defies expectation that anyone would think their Social Security number is being exposed when processing a request like this online,” said Nuala O’Connor, a former chief privacy officer of the Department of Homeland Security (DHS). “These sorts of data points allow people to engage in identity theft or some kind of harassment, or other malicious behavior. It puts potentially already vulnerable people at greater risk.”
– – –
Anders Hagstrom is a reporter at Daily Caller News Foundation. Follow Anders on Twitter.