OMB Website Exposes Thousands of SSNs

msblack writes "The New York Times is reporting that an Office of Management and Budget website accidentally exposed at least 30,000 social security numbers publicly online. As many as 100,000 to 150,000 individuals may have been affected. The cost to taxpayers just for notifications and credit monitoring is estimated to run $4 million. 'While there was no evidence to indicate whether anyone had in fact used the information improperly, officials at the Agriculture Department and the Census Bureau removed the Social Security numbers from the Census Web site last week. Officials at the Agriculture Department said Social Security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before online identity theft was as well-known a threat as it is today. '"

Permanent Fix for SSN

[HighOrbit]

Here a permanent fix: render SSNs worthless for financial transactions by making it illegal for any entity besides the IRS, SSA, you employer and your bank to ask for a SSN or keep a record of a SSN for any purpose other than tax collection and Social Security. The employer and bank would only be allowed use it for tax reporting purposes. The credit reporting companies, banks, and data brokers might howl, but too bad. They can use other data identifiers, or even better, learn to personally know their customers beyond a mechanically created credit score tied to a SSN.

semi-secret number bad tool for ID

[Hoplite3]

A "semi-secret" ID number is a bad tool for ID. You don't need to be an expert in cryptography to realize that a password sent around is plain-text is bogus.

The deeper issue is why identity theft is my problem. Shouldn't the credit agencies etc. be very very liable for loaning money to someone who is not me? It seems like they are part of the fraud whether they were willing participants or not. I should be able to collect damages when their negligent checking of my identity harms my credit score. Identity theft is a con job, where the perp convinces Visa (or whoever) that they are me. Usually, when cons happen, BOTH the conman and the victim are liable for damage caused. Suppose I conned you into thinking I was a cop and told you to drive me around while I robbed banks. You would still be accessory to my crime even if you claimed you didn't know better. Visa wants to (and currently is) claiming that they are not accessory to the theft of my credit score. That's not right.

The SSN is just a proxy for the fact that there are different standards for people citizens and corporate citizens.

Mine

[Sparr0]

My SSN is 427347246. This is not a secret. Everyone I have ever worked for knows this. Everyone who has ever drug screened me for employment. Everywhere that has ever had to tell the IRS about my gambling winnings. Half a dozen real estate agents. Over a dozen banks, and over a thousand bank employees. Anyone in earshot every time I have ever called my bank. Broward County got it right, publish them all, expose the farce that is SSN secrecy.

What happened to privacy act and common sense?

[Shadowlore]

What is disturbing to me is not that these SSNs were exposed, but that they were simply included in "other" databases to begin with. We were told that our SSNs would be limited only to those entities that had a legitimate reason to NEED it. The fact that they were included as a matter of common practice belies this claim. The reference to "before identity theft was a problem" is unadulterated crap. Identity theft has been a problem since biblical times (Jacob and Esau)! The reference to it is a red herring.

What should have been happening is that SSNs should not simply be included in various databases. They should have been following the rules that we were told they were. Whether or not that was successful, they should have had policies and processes for vetting the database for privacy issues prior to dumping it online. Federal privacy laws predate the Internet. The basic notion of checking your data for data that should not be publicly available predates the Internet.

IMO this is similar to the claim that "nobody imagined using airplanes as missiles before 9/11". The problem of Identity Theft existed, was well documented, and alone should have given them reason to examine their DB first. The basic laws on privacy should have. And failing that common sense should have. This is a failure on many grounds.

The third time it's enemy action.

[SpaceLifeForm]

1. SEC [cnn.com]
2. DOJ [arstechnica.com]
3. OMB [nytimes.com]

"Once is happenstance. Twice is coincidence. The third time it's enemy action."

People still use SSN's?

[Demona]

I would have thought that silly Ponzi scheme discredited decades ago.

Re:Permanent Fix for SSN

[Shadowlore]

Too late that law was passed decades ago. Later they changed their minds. How about we go one better and revert to it's original purpose: to identify your Social Security account? nah that won't do it either.

In 1976 they passed a law:
"To make, under federal law, unlawful disclosure or compelling disclosure of the SSN of any person a felony, punishable by fine and/or imprisonment."

Take a peek at http://yro.slashdot.org/comments.pl?sid=231667&op= Reply&threshold=3&commentsort=0&mode=thread&pid=18 816893 [slashdot.org]

You'll see them say repeated "no national id". Then it is followed with "but this other thing which we mandated means you need to have a defacto ID called the SSN". Yes that's a paraphrase but read the original and you arrive right there.

The "observed law" is simple:
As long as an entity such as the SSN exists, the government will spew rhetoric against it being used more and more as a form of ID while moving solidly and irrefutably in that direction. It doesn't require complicity or conspiracy, or malevolence. All it requires is some "need" to track, some "need for accountability" for some program ostensibly meant for the public welfare.

And it is set up in a way to deny you are required to have one. You are only required if you want to take advantage of some "benefit" the fedgov decides to "grant" you. You know, like not having your income taken from you. Like getting a job in the first place, or a bank account. These types of backdoor requirements feed conspiracy theories left and right. Sure, you aren't required to have one to live - officially. But if you want to do anything that living entails such as having a job, property, driving, banking, etc. you need one.

No, there is one and only one permanent fix: ban the existence of the SSN or any multi-agency identifier. Let each agency have it's own ID for people who it tracks err I mean services, and let there be no legal cross-checking between. Let the credit industry provide it's own identifier system. let the banking have it's own. Let Blockbusters have it's own.

But limiting the use of any ID will not solve it. You have to ban them. Of course, getting rid of those agencies that feel they need them is also another part of a complete solution.

Re:Thanks a Lot, FDR

[lawpoop]

"Hell, even a bank account with 1% interest would give you a better return than social security,"

Not if you get disabled at 25 and you draw social security benefits for the rest of your life.

Social Security is an insurance program. If we got rid of it, we would have destitute old people living out on the streets, like they did during the depression. If that's the society you want to live in, fine. I don't want to see that one bit.

Re:Thanks..

[Anonymous Coward]

Go ahead. I am not someone that you want to be. Good luck getting a loan or a credit card, I haven't managed it.

Not posting your SSN online might be a good first step in getting that credit card.

Re:Thanks a Lot, FDR

[TubeSteak]

The entire social security program is absurd. Ignoring the economics of the retirement portion of the program

I'm not sure what set of facts you're working from, but the economics of the social security program are fine.

The problem has been decades of Democratic and Republican Congresses skimnming surplus money off the SS trust fund to cover their budgetary problems.

Remember how part of Al Gore's 2000 Presidential campaign was to put Social Security funds into a "lock box"? Even then it was too late to 'save' SS.

Maybe if Clinton had actually locked up SS funds at the beginning of his Presidency, the system would be solvent for the long run (>50 years).

Re:Mine

[xlsior]

These are all problems for someone with good credit and/or assets or maybe even money. For the majority of the population this is not the case. Most of us don't own a home or even a decent car. Most of us have no credit worth mentioning and probably bad credit besides. What difference does it make if the number you owe on paper grows?

Maybe now you don't care, but what about 5 years from now? 10 years? 20 years? Do you *ever* intend to buy a house? Would you like to receive medicare/medicaid/social security once you get old? Good luck proving you are 'you' when others applied for the same benefits in your name, especially if they've been able to impersonate you for years and have just as long of a 'history' with your information as you do yourself.

Remember, once your information is out there, it's out there for ever. It's like throwing your email address to a pair of spammers, they're never going to stop abusing it... With the big difference that a SSN can do a whole lote more damage.