A government portal for Freedom of Information Act requests accidentally revealed information it wasn’t supposed to, including dozens of social security numbers, if not more. CNN confirmed the problem after receiving a tip, noticing that upon searches, they could find personal data such as people’s dates of birth, addresses, and immigrant identification numbers.
According to the cable outlet, the problem with foiaonline.gov was part of the site’s feature that allows people to view existing requests. Normally, when people view past requests, descriptions of their substance are withheld pending review, CNN noted, but the error caused the descriptions to be viewable in search results, including the sensitive personal information. At least 80 partial or full social security numbers were visible, according to CNN.
CNN brought this problem to the government’s attention, and they stated that they fixed the glitch. Apparently this was all the result of an upgrade the site went through on July 9, and no one in the government was aware of the issue until now. The site is maintained by the Environmental Protection Agency, but used by other agencies, including the Department of Justice, Department of Defense, Customs and Border Protection, the Social Security Administration, and the Federal Communications Commission.
“The EPA is aware and working with partner agencies to remediate an issue with the FOIAonline 3.0 system,” spokesperson John Konkus told CNN. “The issue affects a limited number of cases and inadvertently displays descriptive information that may, in some instances, include Social Security Numbers. EPA will follow the Agency’s Breach procedures to evaluate the situation further and take the appropriate mitigation measures.”
The EPA reportedly said they tried to hide information that obviously was meant to be hidden, but they couldn’t implement a broader solution out of concern that they would end up hiding data that was meant to be released. Each government agency handles their own requests, and the EPA didn’t want to risk covering up anything that other federal bodies intended to be public. After doing what they could, the EPA emailed notifications to the other agencies.
Nuala O’Connor, former privacy officer of the Department of Homeland Security, called it “a really significant mistake.” O’Connor is currently the head of an advocacy group focusing on issues related to privacy and civil liberties.
“These sorts of data points allow people to engage in identity theft or some kind of harassment, or other malicious behavior,” O’Connor said.
[Image via Dmitry Tishchenko/Shutterstock]