


by Dave Gradijan

Thousands of Social Security Numbers Exposed by Federal Department

Apr 20, 2007

The Social Security numbers of thousands of people who received loans from the U.S. Department of Agriculture (USDA) have been exposed for a number of years in a publicly available database, according to OMB Watch, a Washington-based nonprofit government watchdog organization.

The issue was first discovered April 13 by a user of OMB Watch’s, an online service about federal spending that includes a government database that contained the personally identifiable information, said OMB Watch Executive Director Gary Bass. OMB Watch monitors the White House’s Office of Management and Budget.

The data in question appears in the Federal Assistance Award Data System (FAADS), a government database of all federally provided financial assistance (not including procurement), according to OMB Watch. makes FAADS and publicly available data about government contracts accessible to the public in a searchable format in order to focus attention on government spending patterns. The group created the site last year to provide public access to government contracts and grants in a searchable database, according to the statement.

Users can search the information by company or by individual names to see who receives federal money, OMB Watch said.

Bass said the original FAADS files have been freely available for anyone to download from the U.S. Census Bureau’s website for years, and it appears the database containing personally identifiable information has been widely distributed for a long time.

“The data field at the heart of the security problem, the Federal Award ID, is vitally important to investigators and researchers tracking specific transactions, as it is the only means for identifying a specific loan or grant,” Bass said in the statement. “For example, in order to file a Freedom of Information request about a financial transaction, the public needs to provide the Federal Award ID [which includes Social Security numbers]. Unfortunately, in response to the problem, the Census Bureau has deleted the Federal Award IDs for all FAADS records from its publicly downloadable files without any public notice about these changes and has yet to replace the information, eviscerating a key aspect of the data and lessening its value.”

“Conceivably this could affect 100,000 people,” Bass said. “What is harder [to determine] is how far this goes back. It could be decades. It’s just that this is the first time it has been easily accessible to the public on the Web.”

“It is truly astonishing that this has been happening,” he said.

A spokeswoman for the USDA said the agency takes full responsibility for including users’ Social Security numbers in the Federal Award ID number. In a statement, the agency said it removed information from the FAADS database immediately after it learned of the potential exposure.

“There is no evidence that this information has been misused,” according to the statement. “However, due to the potential that this information was downloaded prior to being removed, USDA will provide … additional [credit] monitoring service.”

The USDA said it became aware of the potential exposure of such information on April 13, when the agency was notified by a recipient of USDA funding that she was able to ascertain identifying information by viewing the website. All of the personally identifying information was embedded in the larger ID numbers and therefore not immediately easy to spot. The same day, all identification numbers associated with USDA funding were removed.

The USDA said it believes that immediately prior to April 13, the Social Security numbers of people who received USDA funding from the Farm Service Agency and USDA Rural Development had been publicly available. “USDA has identified between 105,000 and 150,000 individuals whose private information has been entered into a federal government database at some time during the past 26 years. USDA is in the process of notifying, via registered mail, all 150,000 people whose information was exposed and offering them the opportunity to register for free credit monitoring for one year,” according to the statement.

The Census Bureau could not be reached for comment.

On April 16, the U.S. Department of Commerce requested that OMB Watch redact the Federal Award ID for the entire FAADS database on for 30 days so that all departments and agencies involved in the important matter can be contacted, according to the statement.

Bass said OMB Watch would comply with the request if, within 30 days, the Department of Commerce, which oversees the Census Bureau, agreed to develop a plan to update the Federal Award ID field without using personally identifiable information.

Bass said the Commerce Department agreed to develop such a plan. But if that effort is not acceptable, OMB Watch reserved the right to repost the original information—including users’ Social Security numbers.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, said OMB Watch would not be violating any laws by reposting the personally identifiable information. “It’s the government agency that’s subject to the obligation of the privacy act,” Rotenberg said. “It’s the government agency’s fault here, not the nonprofit educational group.”

Linda Rosencrance, Computerworld