OMB Website Exposes Thousands of SSNs
msblack writes "The New York Times is reporting that an Office of Management and Budget website accidentally exposed at least 30,000 social security numbers publicly online. As many as 100,000 to 150,000 individuals may have been affected. The cost to taxpayers just for notifications and credit monitoring is estimated to run $4 million. 'While there was no evidence to indicate whether anyone had in fact used the information improperly, officials at the Agriculture Department and the Census Bureau removed the Social Security numbers from the Census Web site last week. Officials at the Agriculture Department said Social Security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before online identity theft was as well-known a threat as it is today.'"
The New York Times is reporting that an Office of Management and Budget website accidentally exposed at least 30,000 social security numbers publicly online.
Sounds like they got the "Social" part right... "Security", not so much.
The theory of relativity doesn't work right in Arkansas.
Was 565-459-9342 on the list? If so, can you please take it off?
"Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
anyone was stupid enough to identify people using a number which is not supposed to be a secret.
That's nothing. Right now, I'm going to threaten to expose every single SS number that has ever existed:
for ($i=1;$i<1000000000;$i++) {
echo $i . "\n";
}
The first line of output is Strom Thurmond's or George Burns' SSN.
Solomon
"Twice half-assed makes an ass whole." --Solomon K. Chang
Here's a permanent fix: render SSNs worthless for financial transactions by making it illegal for any entity besides the IRS, SSA, your employer and your bank to ask for a SSN or keep a record of a SSN for any purpose other than tax collection and Social Security. The employer and bank would only be allowed to use it for tax reporting purposes. The credit reporting companies, banks, and data brokers might howl, but too bad. They can use other data identifiers, or even better, learn to personally know their customers beyond a mechanically created credit score tied to a SSN.
A story should have the following info -
Who - Office of Management and Budget
What - exposed at least 30,000 social security numbers publicly
When - ????? Story on NY Times website says a farmer noticed it 'Last Week'.
Where - Office of Management and Budget website
Why - not particularly clear
Who/What/When/Where/Why
I think an effort on a story about an event should have this minimal info.
>Department said Social Security numbers were included in the public database because
>doing so was the common practice years ago when the database was first created,
>before online identity theft was as well-known a threat as it is today.
... and if any company gave that same excuse they would still be liable, investigated, and be sued.
I wonder if they will inform the individuals whose numbers were compromised?
---
Keith Barrett (kgb)
Office of Morons and Buffoons?
...does exposing 30,000 SSNs affect 100,000 to 150,000 people?
Oh, I get it. The original SSN recipient and the 3-4 ID thieves. Never mind.
Paleotechnologist and connoisseur of pretty shiny things.
A "semi-secret" ID number is a bad tool for ID. You don't need to be an expert in cryptography to realize that a password sent around in plain-text is bogus.
The deeper issue is why identity theft is my problem. Shouldn't the credit agencies etc. be very very liable for loaning money to someone who is not me? It seems like they are part of the fraud whether they were willing participants or not. I should be able to collect damages when their negligent checking of my identity harms my credit score. Identity theft is a con job, where the perp convinces Visa (or whoever) that they are me. Usually, when cons happen, BOTH the conman and the victim are liable for damage caused. Suppose I conned you into thinking I was a cop and told you to drive me around while I robbed banks. You would still be accessory to my crime even if you claimed you didn't know better. Visa wants to (and currently is) claiming that they are not accessory to the theft of my credit score. That's not right.
The SSN is just a proxy for the fact that there are different standards for people citizens and corporate citizens.
Use the Firehose to mod down Second Life stories!
How exactly does one "accidentally expose" all this secret-database stuff?
My SSN is 427347246. This is not a secret. Everyone I have ever worked for knows this. Everyone who has ever drug screened me for employment. Everywhere that has ever had to tell the IRS about my gambling winnings. Half a dozen real estate agents. Over a dozen banks, and over a thousand bank employees. Anyone in earshot every time I have ever called my bank. Broward County got it right, publish them all, expose the farce that is SSN secrecy.
So 30,000 SS#'s were exposed, and 150k people might be in trouble? So.. does that mean for every SS# 5 people share it?
What is disturbing to me is not that these SSNs were exposed, but that they were simply included in "other" databases to begin with. We were told that our SSNs would be limited only to those entities that had a legitimate reason to NEED it. The fact that they were included as a matter of common practice belies this claim. The reference to "before identity theft was a problem" is unadulterated crap. Identity theft has been a problem since biblical times (Jacob and Esau)! The reference to it is a red herring.
What should have been happening is that SSNs should not simply be included in various databases. They should have been following the rules that we were told they were. Whether or not that was successful, they should have had policies and processes for vetting the database for privacy issues prior to dumping it online. Federal privacy laws predate the Internet. The basic notion of checking your data for data that should not be publicly available predates the Internet.
IMO this is similar to the claim that "nobody imagined using airplanes as missiles before 9/11". The problem of Identity Theft existed, was well documented, and alone should have given them reason to examine their DB first. The basic laws on privacy should have. And failing that common sense should have. This is a failure on many grounds.
My Suburban burns less gasoline than your Prius.
Yes, and with this number I can now make a fake identity of you, take a loan out in your name, and get as many credit cards as I want. (If you have a SSN you can reverse engineer other identity information from other sources.) Now I can call your university and gather all of your scholarly records posing as you. Medical records? Oh, and how do you verify almost all of your billing information? The last 4 digits of your what?
The point is, someone who is willing to target you because you threw that out there (we're talking millions of Russians and Chinese who live in poverty, along with a host of other nations) will do it. Maybe you will consider that next time you post your SSN to a board read by thousands of people.
I first read the headline as "OMG Website Exposes Thousands of SSNs" and wondered if I had typed in digg.com by accident. Of course, if I had, it would read, "OMG!!! Top 10 AMAZING Websites that Expose SSNs!!!!111!1!ones!!! [PICS]"
mandated that credit card agency could no longer use or collect SSN in any way, this problem would go away.
The credit card agencies can use their own number systems.
Yes, that system might be compromised, but damage will always be limited to the CC agencies.
The Kruger Dunning explains most post on
There's a reason the expression "good enough for gov't work" exists.
We've given these Bush "administration" jerks a blank check for years for security, after they barked "PRE-9/11 THINKING!!!" at anyone suggesting they were going too far, it wasn't worth the tradeoffs, or they were incompetent.
So they have taken all the power and money, and given us ZERO extra security, while routinely sending us into more and worse danger.
And if anyone had any doubts about how much this Bush regime thinks we're idiots, just watch a replay of their Attorney General shabbily lying and denying his way through even the most basic questions about how he runs the Justice Department. That's the guy in charge of the FBI.
Thanks, Republicans!
--
make install -not war
The entire social security program is absurd. Ignoring the economics of the retirement portion of the program, using SSN's for identification is a terrible idea. The program was never initially designed for the numbers to be used as ID's, but the need for one was so overwhelming that people started accepting them.
Scrap the entire Social Security program. If you think the government ought to force people to prepare for their retirement, withdraw money from their paychecks and put it in a personal account for them. Hell, even a bank account with 1% interest would give you a better return than social security, and it guarantees ownership of your money, instead of allowing the government to waste it building bridges to nowhere when you die.
Once that's done, let's design a proper identification system, so it doesn't matter if someone gets your ID number.
My blog
Why?????
Because rules like Sarbanes-Oxley only apply to businesses, not government groups.
Support NYCountryLawyer RIAA vs People
Just for the rest of the world please explain. :)
Unless it was a database of people who failed to respond to the census.
OMB Web giving out SSNs to NWHIPBs(Nerdy White Hackers In Parents Basement)? OMFG!! STFU!!
I think TFA means SSAN's? Of course, exposing thousands of SSN's would be quite a trick - being as our Navy hasn't got nearly that many of 'em, and goes to great pains to hide 'em.
The USA PATRIOT act mandates the presentation of a SSN or Tax ID number to open accounts at a financial institution. whee.
Curb CO2 emissions: Kill yourself today!
No, actually, the New York Times is reporting that a publicly-released database from the Census Department related to Agriculture Department contained social security numbers. The connections with the OMB are:
1) Questions about the release were directed to the OMB because the OMB, among other things, coordinates information policies for executive branch departments.
2) The nongovernment website through which the presence of the SSNs in the database was discovered was one run by a group whose parent is "OMB Watch", a public "watchdog" organization.
Everyone gets all huffy that commenters don't RTFA, but how can you be surprised when, apparently, those writing the summaries don't, either?
And let's not even get started on the laughable concept of Slashdot "editors".
We call them illegals.
I prefer the "u" in honour as it seems to be missing these days.
"Once is happenstance. Twice is coincidence. The third time it's enemy action."
You are being MICROattacked, from various angles, in a SOFT manner.
I would have thought that silly Ponzi scheme discredited decades ago.
Fuck Slashdot
No, that's not true. What should be happening is that SSNs should not be useful for identity theft, since (whether or not they are in public databases), SSNs—because they are also tax identifiers for individuals and thus mandatory in a wide number of applications—are not secrets suitable for identification purposes in the first place.
OTOH, a public identifier like the SSN that serves the role of a tax ID would make sense as a public key in a more secure identification system; the trick is designing the rest of the system.
Even with "minimum disclosure" (something that, mandatory as it may be, seems rather elusive) SSNs aren't secret enough to be relied on the way they are for identification.
http://lifelock.com/ LifeLock is a fix for the problem of data theft and it's a non-government fix making it more attractive, voluntary, and overall less expensive.
Bringing liberty to the masses. - http://freetalklive.com/
Uhhh, dude, if your organization is called "OMB Watch" and hosting a mirror of the database, shouldn't you have noticed that the database contained SSNs??? Not watching too closely, are you?
Everyone with power to do something about the situation always wants to limit the distribution of SS#'s, credit card numbers, and other personally identifiable information, as if somehow this will solve identity theft. That's security through obscurity - your SS# is not a password, and trying to keep it secret and keep it safe only leads to failed security.
The solution is to implement a scheme whereby we can still use SS#'s as an identification number, but where we don't use it as a verification of identity.
I'm in favor of a voluntary scheme where people can register with a (currently hypothetical) government "identity clearinghouse" that checks with the registrant upon any request by a financial institution to determine whether a request for credit is legitimate or not. Financial institutions would be forbidden by law to extend credit or open an account in the name of someone who is registered with the clearinghouse if the identity of a credit requestor can't be confirmed as being the same as the clearinghouse registrant. To change your registration information, you would have to show up in person with a photo ID at an appropriate government office (e.g., DMV).
It wouldn't completely eliminate all possibility of identity theft, but it would make these sorts of wholesale raids on identity information worthless, especially when done from outside the country. And if personally identifiable information becomes worthless due to proper identity verification, people will stop bothering to steal it.
For extra protection always use proxies. http://www.mysecureisp.com/