OMB Website Exposes Thousands of SSNs

msblack writes "The New York Times is reporting that an Office of Management and Budget website accidentally exposed at least 30,000 social security numbers publicly online. As many as 100,000 to 150,000 individuals may have been affected. The cost to taxpayers just for notifications and credit monitoring is estimated to run $4 million. 'While there was no evidence to indicate whether anyone had in fact used the information improperly, officials at the Agriculture Department and the Census Bureau removed the Social Security numbers from the Census Web site last week. Officials at the Agriculture Department said Social Security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before online identity theft was as well-known a threat as it is today. '"

they're half right

[User+956]

The New York Times is reporting that an Office of Management and Budget website accidentally exposed at least 30,000 social security numbers publicly online.

Sounds like they got the "Social" part right... "Security", not so much.

Oh no.

[Mockylock]

Was 565-459-9342 on the list? If so, can you please take it off?

Re:Oh no.

[Kawolski]

Can you provide all your credit card numbers too just in case one of them are on the site?

identity theft?

[homer_s]

Officials at the Agriculture Department said Social Security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before...

anyone was stupid enough to identify people using a number which is not supposed to a secret.

30,000 SS numbers?

[Skevin]

That's nothing. Right now, I'm going to threaten to expose every single SS number that has ever existed:

for ($i=1;$i1000000000;$i++) {
    echo $i . "\n";
    }

The first line of output is Strom Thurmond's or George Burns' SSN.

Solomon

Re:30,000 SS numbers?

[winmine]

So your plan of attack is something like this?

Haxor: Hello I need to withdraw all of the money from my account. My SSN is 123-45-6789.
Teller: Is your name John Smith?
Haxor: Uh....yes.
Teller: Thank you, here is your money!

Re:30,000 SS numbers?

[notshannon]

from http://www.ssa.gov/history/briefhistory3.html

Although, John Sweeney received the first SSN account, his was not the lowest number ever issued. That distinction fell to New Hampshire resident, Grace Dorothy Owen. Ms. Owen received number 001-01-0001.

Permanent Fix for SSN

[HighOrbit]

Here a permanent fix: render SSNs worthless for financial transactions by making it illegal for any entity besides the IRS, SSA, you employer and your bank to ask for a SSN or keep a record of a SSN for any purpose other than tax collection and Social Security. The employer and bank would only be allowed use it for tax reporting purposes. The credit reporting companies, banks, and data brokers might howl, but too bad. They can use other data identifiers, or even better, learn to personally know their customers beyond a mechanically created credit score tied to a SSN.

Re:Permanent Fix for SSN

[Qzukk]

The credit reporting companies, banks, and data brokers might howl, but too bad.

Yes, too bad. It's obvious by now that the market is not going to come up with a solution for this on their own as long as they can use the SSN as a crutch. It's time to yank that crutch back out. The SSN should be discontinued and replaced with a tax id that should only be used for two things: reporting income to the government and paying your taxes or getting your refund. If someone steals my SSN, they're more than welcome to paying my taxes for me, and if they try to hide their income in my tax id we'll find out about it at the end of the year when my tax forms don't match the reports. And if I don't get my refund, well...

Re:Permanent Fix for SSN

[Shadowlore]

Too late that law was passed decades ago. Later they changed their minds. How about we go one better and revert to it's original purpose: to identify your Social Security account? nah that won't do it either.

In 1976 they passed a law:
"To make, under federal law, unlawful disclosure or compelling disclosure of the SSN of any person a felony, punishable by fine and/or imprisonment."

Take a peek at http://yro.slashdot.org/comments.pl?sid=231667&op= Reply&threshold=3&commentsort=0&mode=thread&pid=18 816893

You'll see them say repeated "no national id". Then it is followed with "but this other thing which we mandated means you need to have a defacto ID called the SSN". Yes that's a paraphrase but read the original and you arrive right there.

The "observed law" is simple:
As long as an entity such as the SSN exists, the government will spew rhetoric against it being used more and more as a form of ID while moving solidly and irrefutably in that direction. It doesn't require complicity or conspiracy, or malevolence. All it requires is some "need" to track, some "need for accountability" for some program ostensibly meant for the public welfare.

And it is set up in a way to deny you are required to have one. You are only required if you want to take advantage of some "benefit" the fedgov decides to "grant" you. You know, like not having your income taken from you. Like getting a job in the first place, or a bank account. These types of backdoor requirements feed conspiracy theories left and right. Sure, you aren't required to have one to live - officially. But if you want to do anything that living entails such as having a job, property, driving, banking, etc. you need one.

No, there is one and only one permanent fix: ban the existence of the SSN or any multi-agency identifier. Let each agency have it's own ID for people who it tracks err I mean services, and let there be no legal cross-checking between. Let the credit industry provide it's own identifier system. let the banking have it's own. Let Blockbusters have it's own.

But limiting the use of any ID will not solve it. You have to ban them. Of course, getting rid of those agencies that feel they need them is also another part of a complete solution.

So how...

[FlyByPC]

...does exposing 30,000 SSNs affect 100,000 to 150,000 people?

Oh, I get it. The original SSN recipient and the 3-4 ID thieves. Never mind.

Re:So how...

[HTH+NE1]

So how does exposing 30,000 SSNs affect 100,000 to 150,000 people?

One of them was Kevin Bacon's.

Re:So how...

[number1scatterbrain]

I exposed myself once. The cops asked me for my Social Security number.

semi-secret number bad tool for ID

[Hoplite3]

A "semi-secret" ID number is a bad tool for ID. You don't need to be an expert in cryptography to realize that a password sent around is plain-text is bogus.

The deeper issue is why identity theft is my problem. Shouldn't the credit agencies etc. be very very liable for loaning money to someone who is not me? It seems like they are part of the fraud whether they were willing participants or not. I should be able to collect damages when their negligent checking of my identity harms my credit score. Identity theft is a con job, where the perp convinces Visa (or whoever) that they are me. Usually, when cons happen, BOTH the conman and the victim are liable for damage caused. Suppose I conned you into thinking I was a cop and told you to drive me around while I robbed banks. You would still be accessory to my crime even if you claimed you didn't know better. Visa wants to (and currently is) claiming that they are not accessory to the theft of my credit score. That's not right.

The SSN is just a proxy for the fact that there are different standards for people citizens and corporate citizens.

Re:semi-secret number bad tool for ID

[Kattspya]

I don't get this either. To me it looks like identity theft is mostly an north American problem. In Sweden we've got personal identification numbers that are used in all dealings with the state and sometimes when dealing with banks etc. It's your birth date followed by four digits and the last digits signifies male of female by being even or uneven. I haven't ever heard of any identity theft cases reported in the media. They may happen but they're not on the news or anywhere else.

I've seen a lot of ID-theft reported on different US sites and TV programs but I still don't get how it's possible. If someone issues a loan to a con man it should be their loss entirely and should be easily fixable. I cannot understand how this is an issue.

Can someone please tell me how this can me more than a small nuisance (i.e. that's not me fix it now please)?

Re:semi-secret number bad tool for ID

[smoke'n'mirrors]

The problem is twofold:

1. If somebody is the victim of identity theft, they are held responsible for any debts that the criminal creates in their name until they prove the theft occurred. The victim may not know the theft has occurred until months later, when collection proceedings have begun. The problem here is that it is incredibly difficult to prove that those debts were not created by the victim, and the victim can suffer years of harassing phone calls from debt collectors, and a bad credit rating. I don't know how Swedish debt collectors are, but here in the States many are virulent and threatening. (Even though that's illegal.)

2. The bad credit rating means that the victim will then be charged higher interest rates for mortgages, in most states higher auto insurance rates, and may be unable to get new loans for valid purposes (car, house, school, etc). Some employers run credit histories on potential employees. Some landlords run credit reports on potential renters. Some people find that they have been a victim of identity theft when they are trying to buy a house and get turned down for a mortgage.

It is hard enough to fix genuine mistakes; intentional misuse is a nightmare to unravel. The unending beaurocracy of the credit agencies hinders the solution and it is difficult for individuals to fight such a large system. In a nation built on capitalism, where the worse your credit is the more expensive and difficult your life becomes, this is a big big problem.

Mine

[Sparr0]

My SSN is 427347246. This is not a secret. Everyone I have ever worked for knows this. Everyone who has ever drug screened me for employment. Everywhere that has ever had to tell the IRS about my gambling winnings. Half a dozen real estate agents. Over a dozen banks, and over a thousand bank employees. Anyone in earshot every time I have ever called my bank. Broward County got it right, publish them all, expose the farce that is SSN secrecy.

Re:Mine

[crabpeople]

Well your name is Clarence Risher. You may have attended austin university. LoL, dude I just found your resume so I think I win http://www.trifocus.net/~sparr/resume.html.

Address is

"122 G Stephanie Dr
Clarksville, TN 37042
(931) 980-2760 "

What else do I need for ID theft exactly?

Re:Mine

[Sparr0]

Thanks for the reminder that my resume is out of date there, my current address shouldnt be much harder to find. Someone above mentioned my birthdate and mother's maiden name, you can come up with those with a little more work. I don't believe in identity theft. Identity borrowage, maybe. If some other guy is out there somewhere using all my info, what do I care? It's not me, and it doesn't impact me in the slightest. What you won't find online is my signature, which would be expensive and/or time consuming to convincingly fake even if you could. Ditto my fingerprints and retinal pattern. Double ditto my actual secret information, such as passwords and passphrases.

Re:Mine

[shaitand]

'Umm... This is really an odd statement, here. What do you care that someone can convincingly file any sort of transaction under your name (SSN and Mother's Maiden Name). What do you care that someone could borrow $150,000, and put up your house as security.'

These are all problems for someone with good credit and/or assets or maybe even money. For the majority of the population this is not the case. Most of us don't own a home or even a decent car. Most of us have no credit worth mentioning and probably bad credit besides. What difference does it make if the number you owe on paper grows? It isn't like you could have paid what was there anyway. A few more collectors harassing you? That is why you got a machine years ago. Time in court? Please, you can't afford to file bankruptcy, especially if the only purpose it serves to erase an imaginary debt (I say imaginary because the only chance it has of being paid or collected is in the imagination).

'What do you care that someone could use your info to launder money, with a trail leading right to you when the feds look into it and an onus on you to prove it wasn't you?'

The burden is on the feds, not on you. Someone must have gained access to your information, you never went to those places and conducted business. The guy on the bank security cameras wasn't you. The information and picture on the ID the bank photocopied doesn't match yours. How about proof of address? What did they use for that? If they used your address then you would have been sent paperwork before that became an issue. And even without any of that, a claim that someone else used your information is easily within the realm of reasonable doubt. The feds would have to prove not only that my information was used but that it was me who used it. That is of course assuming that you can manage to force your public defender to go to trial instead of plea bargaining. Typically they have enourmous case loads and often are regular attorneys who don't want to waste time on the freebie case.

Re:Mine

[xlsior]

These are all problems for someone with good credit and/or assets or maybe even money. For the majority of the population this is not the case. Most of us don't own a home or even a decent car. Most of us have no credit worth mentioning and probably bad credit besides. What difference does it make if the number you owe on paper grows?

Maybe now you don't care, but what about 5 years from now? 10 years? 20 years? Do you *ever* intend to buy a house? Would you like to receive medicare/medicaid/social security once you get old? Good luck proving you are 'you' when others applied for the same benefits in your name, especially if they've been able to impersonate you for years and have just as long of a 'history' with your information as you do yourself.

Remember, once your information is out there, it's out there for ever. It's like throwing your email address to a pair of spammers, they're never going to stop abusing it... With the big difference that a SSN can do a whole lote more damage.

What happened to privacy act and common sense?

[Shadowlore]

What is disturbing to me is not that these SSNs were exposed, but that they were simply included in "other" databases to begin with. We were told that our SSNs would be limited only to those entities that had a legitimate reason to NEED it. The fact that they were included as a matter of common practice belies this claim. The reference to "before identity theft was a problem" is unadulterated crap. Identity theft has been a problem since biblical times (Jacob and Esau)! The reference to it is a red herring.

What should have been happening is that SSNs should not simply be included in various databases. They should have been following the rules that we were told they were. Whether or not that was successful, they should have had policies and processes for vetting the database for privacy issues prior to dumping it online. Federal privacy laws predate the Internet. The basic notion of checking your data for data that should not be publicly available predates the Internet.

IMO this is similar to the claim that "nobody imagined using airplanes as missiles before 9/11". The problem of Identity Theft existed, was well documented, and alone should have given them reason to examine their DB first. The basic laws on privacy should have. And failing that common sense should have. This is a failure on many grounds.

Thanks a Lot, FDR

[MarkPNeyer]

The entire social security program is absurd. Ignoring the economics of the retirement portion of the program, using SSN's for identification is a terrible idea. The program was never initially designed for the numbers to be used as ID's, but the need for one was so overwhelming that people started accepting them.

Scrap the entire Social Security program. If you think the government ought to force people to prepare for their retirement, withdraw money from their paychecks and put it in a personal account for them. Hell, even a bank account with 1% interest would give you a better return than social security, and it guarantees ownership of your money, instead of allowing the government to waste it building bridges to nowhere when you die.

Once that's done, let's design a proper identification system, so it doesn't matter if someone gets your ID number.

Re:Thanks a Lot, FDR

[lawpoop]

"Hell, even a bank account with 1% interest would give you a better return than social security,"

Not if you get disabled at 25 and you draw social security benefits for the rest of your life.

Social Security is an insurance program. If we got rid of it, we would have destitute old people living out on the streets, like they did during the depression. If that's the society you want to live in, fine. I don't want to see that one bit.

Re:Thanks a Lot, FDR

[TubeSteak]

The entire social security program is absurd. Ignoring the economics of the retirement portion of the program

I'm not sure what set of facts you're working from, but the economics of the social security program are fine.

The problem has been decades of Democratic and Republican Congresses skimnming surplus money off the SS trust fund to cover their budgetary problems.

Remember how part of Al Gore's 2000 Presidential campaign was to put Social Security funds into a "lock box"? Even then it was too late to 'save' SS.

Maybe if Clinton had actually locked up SS funds at the beginning of his Presidency, the system would be solvent for the long run (>50 years).

Re:What is SSN?

[MarkPNeyer]

Every American citizen is issued a "social security number." Social Security is a "retirement" program instituted by the American government to provide for its citizens when they retire. The numbers are now used largely to identify citizens by banks, schools, hospitals, and many other organizations. If you have someone else's social security number and driver's license, you can most likely apply for a line of credit in their name.

It's basically a combination user-id and password which is transmitted in plain text. Very stupid.

Re:Thanks..

[Sparr0]

Go ahead. I am not someone that you want to be. Good luck getting a loan or a credit card, I haven't managed it.

The third time it's enemy action.

[SpaceLifeForm]

1. SEC
2. DOJ
3. OMB

"Once is happenstance. Twice is coincidence. The third time it's enemy action."

Re:The third time it's enemy action.

[lawpoop]

A chart of personal data stolen from laptops from government organizations, schools, and corporations.

Re:30k for 150k people? Huh?

[DragonWriter]

So 30,000 SS#'s were exposed, and 150k people might be in trouble?

The person who noticed the SSNs were available identified approximately 30,000 records with SSNs (not sure if that corresponds to 30,000 SSNs, or more -- because each record might have more than one -- or less, because there might be dupes.)

The subsequent review by the Agriculture Department suggested 100,000 to 150,000 people may have been affected, which I would assume reflects the range of social security numbers that may have been exposed.

People still use SSN's?

[Demona]

I would have thought that silly Ponzi scheme discredited decades ago.