IRS dumps up to 100,000 Social Security numbers on the Internet
We’re in the very best of hands, aren’t we? Just wait until the people who slipped up and posted up to 100,000 Social Security numbers onto a website are in charge of your health care information.
Our good friends at the Tax Exempt Organizations unit are once again under fire, as a watchdog group called Public.Resource.org investigates a data management snafu and discovers the IRS has been inadvertently dropping files that contain Social Security numbers onto a public website. National Journal explains:
Every so often, 527s [non-profit political groups] have to file tax forms to the IRS, which then get added to a database. The database itself is hardly a secret; the IRS has been sending updated records routinely to Public.Resource.org and other public-interest groups, and it’s a favorite among political reporters. But when the IRS told the group’s founder, Carl Malamud, to disregard the Form 990-Ts included in the agency’s January release, he took a closer look at the files in question.
After analyzing the breach, Malamud wrote a letter to the IRS pointing out 10 instances where a social security number was accidentally revealed on the government’s website—just a small sample of the larger breach.
Just the day before, Malamud had filed another letter to the agency describing a problem with the 990-Ts. Of over 3,000 tax returns contained in the January update, 319 contained sensitive data the agency should have scrubbed, Malamud wrote in the July 1 report that he filed to the inspector general’s office. In that mixup, some 2,319 social security numbers – perhaps more – were revealed.
The full letter from Public.Resource.org to the IRS and Treasury Inspector General can be read here. The timeline laid out in the National Journal story suggests the IRS detected the dangerous (in fact, illegal) release of data on its own, and asked Public Resource to nuke the SSN-laced files it sent them, without explaining why. Actually, judging from the letter linked above, the IRS lied about the reason – it said only that the files shouldn’t have been sent by email, and had to be physically burned onto a disk and delivered by Postal Service courier instead. That doesn’t explain why they’d ask the watchdog group to delete the files sent by email – if the method of transmission was the problem, due to fears of interception by hackers, the damage was already done.
Public Resource’s security logs indicated that the original files were accessed by at least one outside source during the hours they were online, so the group explored the data to determine what sensitive information they might have unwittingly been a party to disseminating, and discovered the Social Security numbers. In total, they found eight distinct privacy violations in the data about 527 groups they had received – in which SSNs or other confidential identification numbers for the people who prepared the forms, the entities listed upon them, and even employees eligible for a New Hire Retention Credit were listed.
In other words, this wasn’t an IRS employee or two slipping up and accidentally releasing sensitive data, nor was it the kind of malevolent political activity the Tax Exempt Organizations unit is currently under investigation for. The problem was systemic: the agency was asking for unnecessary confidential information on forms that would later be distributed to the public.
Public Resource’s letter concludes with some recommendations for the IRS, beginning with the urgent need to notify the groups and individuals in question that their privacy had been compromised. Incredibly, they couldn’t get a straight answer from anyone at the IRS about whether there were plans to notify the affected parties. It’s not even clear who citizens should report security breaches to. Evidently Public Resource tried calling the Identity Theft Hotline, “but a call to that phone number is very confusing and clearly doesn’t cover this situation.”
It’s not comforting to know that calls to the Identity Theft Hotline are confusing. You really don’t want to resolve such situations on your own.
“It appears that there is not a firm policy in place to deal with these situations, and that a decision had not been made yet as to the extent of any notification program that would be undertaken,” sighs Public Resource, before strongly advising the IRS to get cracking on that notification program ASAP, because “failure to do so will appear as if the IRS is covering up this situation.”
The IRS Tax Exempt Organizations Division engaged in a cover-up? Why, that’s inconceivable!
Public Resource also criticizes the IRS for being slow to detect and resolve improper disclosures; they took a step backwards by declaring email an improper transmission method and resorting to snail-mailing spreadsheets and DVDs, when they should have used readily available secure file-sharing systems instead. It also took a full day longer for the IRS to pull the compromised information from their website, after Public Resource was notified of the problem and swiftly purged it on their end.
The story, alas, does not end there, because the disclosure of Social Security Numbers was much larger than initial estimates suggested. Over to Fox News:
An IRS spokesman told FoxNews.com on Monday the agency was alerted about a “substantial number” of Social Security numbers posted on the site and removed web access to the information “out of an abundance of caution.” The spokesman also said the IRS is now “assessing the situation and exploring available options.”
A message on the agency’s 527 homepage asks visitors to check back Monday, but the site was still down Monday evening.
Public.Resource.org. founder Carl Malamud told FoxNews.com on Monday night that roughly 100,000 Social Security numbers were exposed.
Malamud said in a statement on the group’s website that it hopes the Obama administration will act to restore access to the agency’s nonprofit database and resolve its concerns over what it described as a “serious violation of federal law.”
“It is time now for the administration to send a tiger team over to the [IRS] to help fix their information management practices,” Malamud said.
I know “tiger team” is a crisis-management term of art, but my first thought was of tiger moms. Maybe Amy Chua should parachute into the Tax Exempt Division and take charge.
The bigger government gets, the more information it will harvest, and the less care it takes with safeguarding that information, because bureaucrats stop thinking of it as priceless treasure. How did this massive agency come up with forms that unnecessarily request and disclose private identification numbers? How is it possible that nobody noticed until after the sensitive information had been improperly disseminated? Why should we assume that all the new sensitive data the ObamaCare unit will be harvesting is going to be treated any more carefully? We should be taking dramatic action to move in the direction of a smaller, less overbearing government that can be supported with a simpler, less intrusive tax system, but we’re racing in the opposite direction with delirious speed.
Update: U.S. Representatives Dennis Ross and Kathy Castor, both from Florida, have a bill designed to protect Americans from inadvertent disclosure of their Social Security numbers on government documents. “H.R. 2229, the Safeguarding Social Security Numbers Act of 2013 would mandate that Social Security numbers are truncated so that only a few, if any, of the nine digits of the Social Security number are visible,” according to a press release.
Identity theft is a particularly severe problem in Florida, as Ross and Castor explain:
“More than 70,000 Floridians were victims of identity theft in 2012,” said Ross. “Truncating Social Security numbers will help eliminate the ability to steal someone else’s identity and commit fraud. The Safeguarding Social Security Numbers Act of 2013 will ensure that our personal information remains personal and that everyone remains safe.”
“Identity theft is a serious issue in our community. For the past two years, Tampa has been the epicenter of tax fraud and identity theft crimes, involving more than $468 million in taxpayer money,” said Rep. Castor, who has worked in Congress to tackle tax refund fraud and pressure the IRS to increase cooperation with local law enforcement, prevention measures and prosecutions. “More needs to be done to protect our neighbors, and this is bipartisan legislation to implement an important safeguard and reduce identity theft-related scams.”
H.R. 2229 would address the problem by designing and supporting a comprehensive program to “de-identify” Social Security numbers on documents, and would prohibit “federal, state, and local governments from displaying, transferring, recording, or utilizing, in any capacity, the full SSN of living American citizens to the public.”