Posting of Social Security Numbers Results in Suspension of 3 Workers

By Lena H. Sun
Washington Post Staff Writer
Tuesday, July 15, 2008

Three Metro employees have been disciplined after the Social Security numbers of nearly 4,700 current and former employees were mistakenly posted on the transit agency's Web site last month, officials said yesterday.

The information was posted between June 9 and June 25, when the breach was discovered. The information was part of a solicitation from Metro to companies interested in providing workers' compensation and risk management services. The document mistakenly included the Social Security numbers of 4,675 employees. The names and Social Security numbers of a smaller group of employees also were posted in the lengthy document.

Letters warning of the breach dated July 3 were sent to all affected employees, Metro spokeswoman Candace Smith said. Last week, the agency set up a separate Web site where employees can determine whether their numbers were among those posted.

The three disciplined employees, including a manager, have been suspended for up to a month without pay, officials said.

Although the affected employees were informed through letters and an e-mail sent last week, officials did not make the security breach public until yesterday, in response to a reporter's query.

The letter to employees urges them to watch their credit reports for signs of identity theft. Metro is offering the employees one year of free credit report monitoring, $25,000 in identity theft insurance and counseling services. Smith said she was not aware of any cases of reported identity theft as a result of the breach.

"We deeply regret this incident, and believe the likelihood of misuse of the information is low," Metro Chief Safety Officer Ronald Keele said in a statement. "However, we have taken additional steps to protect employee information by bolstering Internet security and requiring more checks and balances of materials before they are being released publicly."

Smith said the Social Security numbers were buried within a document that officials had posted on the Web as part of Metro's effort to hire a company to handle some of its workers' compensation and risk management work. Included in that document, she said, were typical claims that Metro handles. The information about names and Social Security numbers should have been redacted but was not.

"Thankfully, somebody in the office spotted it and they pulled it down immediately," she said.

Metro sent out letters based on information the agency had on file. Smith said she did not know whether all of the former employees' addresses are current.

Security breaches have become a common problem for companies, government agencies and universities nationwide. Metro officials, citing the Identity Theft Resource Center, a nonprofit fraud-prevention group, said such data breaches were up 69 percent in the first half of 2008, compared with a similar period in 2007.

© 2008 The Washington Post Company