OMB Website Exposes Thousands of SSNs

msblack writes "The New York Times is reporting that an Office of Management and Budget website accidentally exposed at least 30,000 social security numbers publicly online. As many as 100,000 to 150,000 individuals may have been affected. The cost to taxpayers just for notifications and credit monitoring is estimated to run $4 million. 'While there was no evidence to indicate whether anyone had in fact used the information improperly, officials at the Agriculture Department and the Census Bureau removed the Social Security numbers from the Census Web site last week. Officials at the Agriculture Department said Social Security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before online identity theft was as well-known a threat as it is today. '"

they're half right

[User+956]

The New York Times is reporting that an Office of Management and Budget website accidentally exposed at least 30,000 social security numbers publicly online.

Sounds like they got the "Social" part right... "Security", not so much.

Oh no.

[Mockylock]

Was 565-459-9342 on the list? If so, can you please take it off?

Permanent Fix for SSN

[HighOrbit]

Here a permanent fix: render SSNs worthless for financial transactions by making it illegal for any entity besides the IRS, SSA, you employer and your bank to ask for a SSN or keep a record of a SSN for any purpose other than tax collection and Social Security. The employer and bank would only be allowed use it for tax reporting purposes. The credit reporting companies, banks, and data brokers might howl, but too bad. They can use other data identifiers, or even better, learn to personally know their customers beyond a mechanically created credit score tied to a SSN.

Re:Permanent Fix for SSN

[Qzukk]

The credit reporting companies, banks, and data brokers might howl, but too bad.

Yes, too bad. It's obvious by now that the market is not going to come up with a solution for this on their own as long as they can use the SSN as a crutch. It's time to yank that crutch back out. The SSN should be discontinued and replaced with a tax id that should only be used for two things: reporting income to the government and paying your taxes or getting your refund. If someone steals my SSN, they're more than welcome to paying my taxes for me, and if they try to hide their income in my tax id we'll find out about it at the end of the year when my tax forms don't match the reports. And if I don't get my refund, well...

So how...

[FlyByPC]

...does exposing 30,000 SSNs affect 100,000 to 150,000 people?

Oh, I get it. The original SSN recipient and the 3-4 ID thieves. Never mind.

semi-secret number bad tool for ID

[Hoplite3]

A "semi-secret" ID number is a bad tool for ID. You don't need to be an expert in cryptography to realize that a password sent around is plain-text is bogus.

The deeper issue is why identity theft is my problem. Shouldn't the credit agencies etc. be very very liable for loaning money to someone who is not me? It seems like they are part of the fraud whether they were willing participants or not. I should be able to collect damages when their negligent checking of my identity harms my credit score. Identity theft is a con job, where the perp convinces Visa (or whoever) that they are me. Usually, when cons happen, BOTH the conman and the victim are liable for damage caused. Suppose I conned you into thinking I was a cop and told you to drive me around while I robbed banks. You would still be accessory to my crime even if you claimed you didn't know better. Visa wants to (and currently is) claiming that they are not accessory to the theft of my credit score. That's not right.

The SSN is just a proxy for the fact that there are different standards for people citizens and corporate citizens.

Mine

[Sparr0]

My SSN is 427347246. This is not a secret. Everyone I have ever worked for knows this. Everyone who has ever drug screened me for employment. Everywhere that has ever had to tell the IRS about my gambling winnings. Half a dozen real estate agents. Over a dozen banks, and over a thousand bank employees. Anyone in earshot every time I have ever called my bank. Broward County got it right, publish them all, expose the farce that is SSN secrecy.

Re:Mine

[crabpeople]

Well your name is Clarence Risher. You may have attended austin university. LoL, dude I just found your resume so I think I win http://www.trifocus.net/~sparr/resume.html.

Address is

"122 G Stephanie Dr
Clarksville, TN 37042
(931) 980-2760 "

What else do I need for ID theft exactly?

What happened to privacy act and common sense?

[Shadowlore]

What is disturbing to me is not that these SSNs were exposed, but that they were simply included in "other" databases to begin with. We were told that our SSNs would be limited only to those entities that had a legitimate reason to NEED it. The fact that they were included as a matter of common practice belies this claim. The reference to "before identity theft was a problem" is unadulterated crap. Identity theft has been a problem since biblical times (Jacob and Esau)! The reference to it is a red herring.

What should have been happening is that SSNs should not simply be included in various databases. They should have been following the rules that we were told they were. Whether or not that was successful, they should have had policies and processes for vetting the database for privacy issues prior to dumping it online. Federal privacy laws predate the Internet. The basic notion of checking your data for data that should not be publicly available predates the Internet.

IMO this is similar to the claim that "nobody imagined using airplanes as missiles before 9/11". The problem of Identity Theft existed, was well documented, and alone should have given them reason to examine their DB first. The basic laws on privacy should have. And failing that common sense should have. This is a failure on many grounds.