U.S. Exposed Personal Data

By Ellen Nakashima
Washington Post Staff Writer
Saturday, April 21, 2007

For more than a decade, the Census Bureau posted on a public Web site the Social Security numbers of 63,000 people who received financial aid, officials said yesterday. The apparent violation of federal privacy law prompted concerns about identity theft.

Government officials removed the data from the Web site on April 13, the day they were alerted to the breach by an Illinois farmer who discovered the numbers while surfing the Internet. They did not publicize the matter until yesterday, saying they needed the delay to enable information-security officials to contact those whose numbers were revealed and to contact "at least a half-dozen" mirror sites.

"We take full responsibility for this and offer no excuses for it," said Terri Teuber, a spokeswoman for the U.S. Department of Agriculture. "We absolutely do not think it was appropriate."

A watchdog group countered that officials tried to suppress the news.

"The bottom line is the government screwed up," said Gary Bass, executive director of OMB Watch. "What's really important is that they now try to rectify the problem. Thousands of research groups have copies of this site."

Government officials said they knew of no misuse of the personal data, but the breach underscores the ease with which such data can be exposed in the digital age.

Last month, Los Alamos National Laboratory discovered that a subcontractor working on a security system in 1998 had posted the names and Social Security numbers of 550 lab workers on the subcontractor's Web site. The site was removed that day, a spokesman said.

In the current incident, Marsha Bergmeier said she was bored April 12, so she did an Internet search for her farm's name. It brought up a link to FedSpending.org, a site created by OMB Watch to allow monitoring of federal spending.

The site includes a searchable database of federal contract information, and her farm loan amount, under an Agriculture Department program, was listed. Also listed, Bergmeier discovered, were the Social Security numbers of 28,000 farmers.

"I was in disbelief," she said.

Teuber said the USDA had been using Social Security numbers as part of a 15-digit federal contract identifier number. The practice dates back more than 25 years, she said, to when Social Security numbers were printed on checks. She said the USDA's information-security division was not aware of this continuing practice until last week.

The loans database was part of a larger public Web site run by the Census Bureau, which collects all federal loan and grant data. The site has been up since 1996.

Bureau spokeswoman Ruth Cymber said the site hosts data from about 33 federal agencies. On Tuesday, the agency removed all contract identifier numbers from the site. A review is underway to see if other agencies exposed personal data.

The USDA's action "would seem to violate the Privacy Act," said Ari Schwartz, deputy director of the Center for Democracy & Technology. "Social Security numbers should not be used as an identifier for account purposes."

The USDA is offering one year of free credit monitoring to those affected.

Staff researchers Robert Lyford and Richard Drezen contributed to this report.

© 2007 The Washington Post Company