[BreachExchange] Government transparency site revealed Social Security numbers, other personal info

[Inga Goddijn]

https://www.cnn.com/2018/09/03/politics/foia-revealed-social-security-numbers/index.html

A federal government transparency website made public dozens, if not
hundreds, of Social Security numbers and other personal information in a
design error during a system upgrade.
The error, on a Freedom of Information Act request portal, was fixed after
CNN alerted the government to the situation. For weeks prior, however,
individuals' sensitive personal information was available on the
public-facing database unbeknownst to them or the government.
After a tip from a source who had noticed the glitch, with two quick
searches, CNN discovered that the government had published at least 80 full
or partial Social Security numbers. There were other instances of sensitive
personal information, including dates of birth, immigrant identification
numbers, addresses and contact details.
The glitch also exposed other sensitive information about individuals. In
one instance, a victim of a violent crime seeking information about the
case described the crime. In others, victims of identity fraud seeking more
information about their cases had their Social Security Numbers exposed in
the process. (In some instances, government agencies require Americans to
submit FOIA requests for their own personal information.)


Before publication, CNN alerted the government to the issue. CNN has been
told by a spokesman for the agency that maintains the website that the
information has been protected. Participating agencies were also notified
of the situation.
close dialog
Receive Fareed Zakaria's Global Analysis
including insights and must-reads of world news
Activate Fareed's Briefing
By subscribing you agree to our
privacy policy.
<http://www.cnn.com/privacy>
The portal, foiaonline.gov, is the one-stop clearinghouse for Freedom of
Information Act requests to a number of government agencies, ranging from
Customs and Border Protection to the Small Business Administration. It is
designed to provide a streamlined and transparent way for Americans to
request information from their government.
How the error was made and addressed
A design bug also revealed information about the requester with no
safeguards for personally identifiable information.
The problem was with the feature that allowed anyone to search existing
FOIA requests. The idea is that people can see what has already been
requested, by whom, and in some cases what may have been provided. When
users click through to the individual request, the description field is
withheld, pending agency approval. Yet those descriptions were viewable in
full on the search results page, including if Americans had included their
or others' Social Security numbers or any other personal information.
The FOIA clearinghouse is maintained by Environmental Protection Agency,
which provides the IT resources to keep it up. It is up to each government
agency that uses the portal, however, to take the care to input the
information correctly.
When the website was switched from the 2.0 version to the 3.0 version on
July 9, the masking feature for descriptions somehow ceased to exist. No
one was aware of the issue until alerted by CNN. Upon being alerted, the
EPA office managing the site said it attempted to re-mask everything that
was an obvious privacy concern, including sensitive information like Social
Security numbers.
However, because FOIA requests are public information, it is up to the
agencies involved whether to determine whether to withhold information
based on a case-by-case application of any FOIA exemptions. Thus, EPA said
it was not able to simply turn on a blanket masking of all the descriptions
on the 3.0 site, because that could have withheld things that agencies have
already determined to be public.
After completing what EPA determined was within its ability, the notice
went out to all the agency FOIA system administrators that they should
check what was in their control and whether they wanted certain information
public. That notice went out Thursday night after EPA completed its piece
of the work.
"Recently it was discovered that PII (SSN) information in some records was
exposed to the public," the email said, according to a copy obtained by
CNN. PII stands for personally identifiable information. "The PMO [Primary
Management Office] has identified the cause of this issue and this
afternoon implemented program fixes that resolved the problems. This issue
will shortly be publicized by the press. It will also be reported that
after our fix, that some names and addresses still do appear in publicly
available FOIAonline records. A review by the PMO has found that this
information has been marked as publicly viewable by the reporting agencies.
It is requested that partner agencies review publicly viewable information
to ensure that any personal information is specifically intended to be
presented as such."
While FOIA requests to the government are considered public, there are many
exemptions that the government often applies to protected individual
privacy.
EPA spokesman John Konkus told CNN the agency would also investigate if
further action was warranted.
"The EPA is aware and working with partner agencies to remediate an issue
with the FOIAonline 3.0 system," Konkus said. "The issue affects a limited
number of cases and inadvertently displays descriptive information that
may, in some instances, include Social Security Numbers. EPA will follow
the Agency's Breach procedures to evaluate the situation further and take
the appropriate mitigation measures."
It's unknown how many individuals may have had information exposed in the
glitch, and for how long. The transition to the new site occurred in
mid-July, but older FOIA requests continue to be migrated to the new site.
'It defies logic'
"This is a really significant mistake," said Nuala O'Connor, a former chief
privacy officer of the Department of Homeland Security.
"These sorts of data points allow people to engage in identity theft or
some kind of harassment, or other malicious behavior," said O'Connor,
president and CEO of the Center for Democracy and Technology, a
tech-focused privacy and civil liberties advocacy group. "It puts
potentially already vulnerable people at greater risk."
There is no disclaimer about keeping sensitive information out of the
request when users go to submit FOIA requests.
In fact, the Customs and Border Protection form encourages anyone seeking
information about themselves to "please include as much information as
possible to assist us in locating the record(s) you are seeking, to include
your Date of Birth, Alien number [an identifier number for US immigrants],
your parents' names, and any Alias' you may have used at the time of entry
or apprehension."
The Social Security Administration form, though, says the website is not
the appropriate place to make requests about individual records.
A privacy notice linked to at the very bottom of the website does warn that
"any personal information included in the comment form will be submitted to
the Department or Agency to which your request is directed and may be
publicly disclosed on FOIAonline or on third-party Web sites on the
Internet."
Even if there was some sort of disclosure anywhere about the risk of
information becoming public, O'Connor said, "it defies logic and it defies
expectation that anyone would think their Social Security number is being
exposed when processing a request like this online."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180904/93bad39b/attachment.html>