More SSN Exposures

Well, and I just signed up for a federal tree planting program:

The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.

Officials at the Agriculture Department and the Census Bureau, which maintains the database, were evidently unaware that the Social Security numbers were accessible in the database until they were notified last week by a farmer from Illinois, who stumbled across the database on the Internet.

“I was bored, and typed the name of my farm into Google to see what was out there,” said Marsha Bergmeier, president of Mohr Family Farms in Fairmount, Ill.

U.S. Database Exposes Social Security Numbers, by RON NIXON, New York Times, April 20, 2007

And she found not only her own farm and social security number on the web, but also 30,000 others. The Agriculture Dept. says probably 100,000 to 150,000 people are at risk. Ah, I see they’ve narrowed it to 38,700 people.

How did this happen?

Officials at the Agriculture Department said Social Security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before online identity theft was as well-known a threat as it is today.

Department officials said that more recently, when government agencies began to review public databases to remove sensitive personal information like Social Security numbers, they failed to notice that the numbers were being used in this database.

Terri Teuber, a department spokeswoman, said the agency was notifying people whose Social Security numbers were disclosed on the site. She said the agency was also planning to contract with a company to monitor the credit reports of all the affected individuals, at an estimated cost of about $4 million.

Yet another case of fixing the problem after the horses are out of the barn being more expensive than just locking the door. Or, in this case, not putting SSNs in public databases in the first place.

While the reaction was swift:

“We took swift action when this was brought to our attention, and took the information down,” Ms. Teuber said. “We want to make sure that it doesn’t exist on any publicly available Web site.”

You’d think by now any government agency of any government would be checking its own online databases for such things. That would be good risk management.

-jsq