OMB Website Exposes Thousands of SSNs
msblack writes "The New York Times is reporting that an Office of Management and Budget website accidentally exposed at least 30,000 social security numbers publicly online. As many as 100,000 to 150,000 individuals may have been affected. The cost to taxpayers just for notifications and credit monitoring is estimated to run $4 million. 'While there was no evidence to indicate whether anyone had in fact used the information improperly, officials at the Agriculture Department and the Census Bureau removed the Social Security numbers from the Census Web site last week. Officials at the Agriculture Department said Social Security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before online identity theft was as well-known a threat as it is today.'"
they're half right (Score:5, Funny)
Sounds like they got the "Social" part right... "Security", not so much.
Re: (Score:2)
Because rules like Sarbanes-Oxley only apply to businesses, not government groups.
Oh no. (Score:4, Funny)
Re: (Score:2, Funny)
Re: (Score:1)
Was 565-459-9342 on the list?
You can't fool us Mockylock. /. ID from the year 2143 and you've traveled back in time to make a first post.
That's your
Diabolical!
Re: (Score:1)
Re: (Score:1)
Or...
Maybe the comment you made in response to his first post in the future was so harsh, so biting, so damaging to his very core, that he went back in time to prevent you from crushing his soul beneath your heel, like a child steps on an ant?
Huh? Why didn't you think of THAT!?
-Red
Re: (Score:2)
I don't understand why SS numbers should be anywhere close to a web server for them to be accidentally exposed in the first place. Let alone why someone had access to them in order to accidentally expose them that didn't have enough sense to double check his work. I guess using a file server to hold SS number lists and a completely separate webserver is too much to ask for when My
Re: (Score:2)
identity theft? (Score:3, Interesting)
anyone was stupid enough to identify people using a number which is not supposed to be a secret.
30,000 SS numbers? (Score:3, Funny)
for ($i=1;$i<1000000000;$i++) {
echo $i . "\n";
}
The first line of output is Strom Thurmond's or George Burns' SSN.
Solomon
Re: (Score:2, Funny)
Haxor: Hello I need to withdraw all of the money from my account. My SSN is 123-45-6789.
Teller: Is your name John Smith?
Haxor: Uh....yes.
Teller: Thank you, here is your money!
Re: (Score:2)
The funny thing is that no one asked for ID or compared my signature and I doubt they knew who I was. The funniest thing about it, I didn't think twice about it until just now when
Re: (Score:1, Funny)
int a, b, c;
for (a = 0; a < 1000; a++)
for (b = 0; b < 100; b++)
for (c = 0; c < 10000; c++)
printf("%03d-%02d-%04d\n", a, b, c);
Re: (Score:2, Informative)
Although, John Sweeney received the first SSN account, his was not the lowest number ever issued. That distinction fell to New Hampshire resident, Grace Dorothy Owen. Ms. Owen received number 001-01-0001.
Re: (Score:2)
And people wonder why I love Ruby. Two alternatives, the latter one is more "fun" but slightly less readable for Ruby novices. The latter one reads, "999,999,999 times, run the method puts".
999_99_9999.times {|i| puts i }
999_99_9999.times &method(:puts)
Seriously, which language would you rather use on a daily basis?
Permanent Fix for SSN (Score:5, Insightful)
Re:Permanent Fix for SSN (Score:5, Interesting)
Yes, too bad. It's obvious by now that the market is not going to come up with a solution for this on their own as long as they can use the SSN as a crutch. It's time to yank that crutch back out. The SSN should be discontinued and replaced with a tax id that should only be used for two things: reporting income to the government and paying your taxes or getting your refund. If someone steals my SSN, they're more than welcome to pay my taxes for me, and if they try to hide their income in my tax id we'll find out about it at the end of the year when my tax forms don't match the reports. And if I don't get my refund, well...
Re: (Score:2)
The government collected taxes before social security. They didn't need a number for you back then...
The worst that could happen would be that it would be harder for the government, credit agencies and financial institutions to track you and information about you unless it is directly related to spe
PATRIOT Act (Score:2)
Re: (Score:1)
It should be public and fixed, it means that you can distinguish between two different 43 year old John Does from Queens (incidentally, they share a house).
The problem is not that it is unique, it is that banks assume it is private. There is no magic number a user can type into the keyboard with which a bank can tell if a user is being honest in their responses. *
Before you say but people can lie and give fals
Re: (Score:1)
By their middle names, of course!
Re: (Score:2)
That is a problem as well. In the world of computer databases it has become far too difficult to be anonymous, disappear, or even stay private via a crowd.
If the bank wants to assign me a unique number so they can distinguish between me and other customers then that is great. I don't see any reason there needs to be a global fixed number that some other bank can refer to in order to find out information that is unrelated to my history with them.
The world functioned before
Re: (Score:2)
This could be something done without trusted computing.
Re: (Score:2)
Re: (Score:3, Insightful)
In 1976 they passed a law:
"To make, under federal law, unlawful disclosure or compelling disclosure of the SSN of any person a felony, punishable by fine and/or imprisonment."
Take a peek at http://yro.slashdot.org/comments.pl?sid=231667&op=Reply&threshold=3&commentsort=0&mode=thread [slashdot.org]
Re: (Score:2)
How about keeping the common identifier so you don't have to remember if your number to put on the form is 184763X/HH8 or 0156-857-39, or maybe even Q-384DS09 and coming up with a decent security infrastructure so you can't have your entire identity stolen by someb
Re: (Score:2)
The way they're phasing out social security benefits, one might wonder as to what exactly the original purpose of the system actually was. "Sure it's ok to get rid of Social Security, but dammit don't lose those numbers!"
Re: (Score:2)
That ship has sailed. SSNs aren't going anywhere and aren't getting reined in with their entire purpose for existing being outmoded.
If you want to do away with this kind of exposure, eliminate the need for the SSN to be propagated around with financial transactions. In order to do that, you'd have to eliminate the income tax. Who's up for paying 30%+ sales tax to replace the income tax so that they can keep the
LifeLock (Score:1)
http://lifelock.com/ [lifelock.com] LifeLock is a fix for the problem of data theft and it's a non-government fix making it more attractive, voluntary, and overall less expensive.
Re: (Score:2)
Just make the bank responsible for positively identifying people and liable for all losses -- including court costs, loss of time, mental energy -- and they'll start taking identity seriously.
So how... (Score:5, Funny)
Oh, I get it. The original SSN recipient and the 3-4 ID thieves. Never mind.
Re: (Score:3, Funny)
Re: (Score:2, Funny)
Re: (Score:2)
semi-secret number bad tool for ID (Score:5, Insightful)
The deeper issue is why identity theft is my problem. Shouldn't the credit agencies etc. be very very liable for loaning money to someone who is not me? It seems like they are part of the fraud whether they were willing participants or not. I should be able to collect damages when their negligent checking of my identity harms my credit score. Identity theft is a con job, where the perp convinces Visa (or whoever) that they are me. Usually, when cons happen, BOTH the conman and the victim are liable for damage caused. Suppose I conned you into thinking I was a cop and told you to drive me around while I robbed banks. You would still be accessory to my crime even if you claimed you didn't know better. Visa wants to (and currently is) claiming that they are not accessory to the theft of my credit score. That's not right.
The SSN is just a proxy for the fact that there are different standards for people citizens and corporate citizens.
Re: (Score:2, Informative)
I've seen a lot of ID-the
Re: (Score:2, Interesting)
1. If somebody is the victim of identity theft, they are held responsible for any debts that the criminal creates in their name until they prove the theft occurred. The victim may not know the theft has occurred until months later, when collection proceedings have begun. The problem here is that it is incredibly difficult to prove that those debts were not created by the victim, and the victim can suffer years of harassing phone calls from debt collectors, and a bad credit rating.
Re: (Score:2)
The "now" part escalates it from being a nuisance to a process that can draw out for years. People have reported that it has been resolved at the nuisance level, but I have heard other stories of getting lawyers involved, which is an expensive process here in the US. It also affects your credit score to have outstanding issues, which affects the rate at which people will loan you money. If it t
How does one do this? (Score:1)
Mine (Score:5, Insightful)
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:1, Insightful)
Re:Mine (Score:5, Interesting)
Address is
What else do I need for ID theft exactly?
Re: (Score:3, Interesting)
Re: (Score:1)
Re: (Score:1)
Umm... This is really an odd statement, here. What do you care that someone can convincingly file any sort of transaction under your name (SSN and Mother's Maiden Name). What do you care that someone could borrow $150,000, and put up your house as security. What do you care that someone could use your info to launder money, with a trail leading right to you when the feds look into it and an onus on you to prove it wasn't you?
Your signature isn't out there, correct. This also means that, whe
Re:Mine (Score:4, Interesting)
These are all problems for someone with good credit and/or assets or maybe even money. For the majority of the population this is not the case. Most of us don't own a home or even a decent car. Most of us have no credit worth mentioning and probably bad credit besides. What difference does it make if the number you owe on paper grows? It isn't like you could have paid what was there anyway. A few more collectors harassing you? That is why you got a machine years ago. Time in court? Please, you can't afford to file bankruptcy, especially if the only purpose it serves is to erase an imaginary debt (I say imaginary because the only chance it has of being paid or collected is in the imagination).
'What do you care that someone could use your info to launder money, with a trail leading right to you when the feds look into it and an onus on you to prove it wasn't you?'
The burden is on the feds, not on you. Someone must have gained access to your information, you never went to those places and conducted business. The guy on the bank security cameras wasn't you. The information and picture on the ID the bank photocopied doesn't match yours. How about proof of address? What did they use for that? If they used your address then you would have been sent paperwork before that became an issue. And even without any of that, a claim that someone else used your information is easily within the realm of reasonable doubt. The feds would have to prove not only that my information was used but that it was me who used it. That is of course assuming that you can manage to force your public defender to go to trial instead of plea bargaining. Typically they have enormous case loads and often are regular attorneys who don't want to waste time on the freebie case.
Re: (Score:3, Insightful)
Maybe now you don't care, but what about 5 years from now? 10 years? 20 years? Do you *ever* intend to buy a house? Would you like to receive medicare/medicaid/social secur
30k for 150k people? Huh? (Score:1)
Of course (Score:2)
Re: (Score:3, Informative)
The person who noticed the SSNs were available identified approximately 30,000 records with SSNs (not sure if that corresponds to 30,000 SSNs, or more -- because each record might have more than one -- or less, because there might be dupes.)
The subsequent review by the Agriculture Department suggested 100,000 to 150,000 people may have been affected, which I would assume reflects the range of social security numbers that may have been exposed
What happened to privacy act and common sense? (Score:5, Insightful)
What should have been happening is that SSNs should not simply be included in various databases. They should have been following the rules that we were told they were. Whether or not that was successful, they should have had policies and processes for vetting the database for privacy issues prior to dumping it online. Federal privacy laws predate the Internet. The basic notion of checking your data for data that should not be publicly available predates the Internet.
IMO this is similar to the claim that "nobody imagined using airplanes as missiles before 9/11". The problem of Identity Theft existed, was well documented, and alone should have given them reason to examine their DB first. The basic laws on privacy should have. And failing that common sense should have. This is a failure on many grounds.
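The pre-publication vetting the comment above calls for, sketched as an added example that is not part of the original thread: a release gate that scans a CSV export for SSN-shaped values, including ones embedded in another identifier, and reports which columns hold them. The column names and every sample value are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Nine digits written AAA-GG-SSSS, AAA GG SSSS or AAAGGSSSS, not part of a longer digit run.
SSN_SHAPE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Apply the structural rules for SSNs: area is never 000, 666 or 9xx,
    group is never 00, serial is never 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def scan_csv(text):
    """Return {column name: number of cells holding an SSN-shaped value}."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        for column, cell in row.items():
            if not isinstance(cell, str):
                continue  # short or over-long rows yield None or a list here
            for m in SSN_SHAPE.finditer(cell):
                if plausible_ssn(m.group(1), m.group(3), m.group(4)):
                    hits[column] += 1
                    break  # count each cell once
    return dict(hits)

def safe_to_publish(text):
    """Release gate: True only when no column contains an SSN-shaped value."""
    return not scan_csv(text)

# Constructed sample export; every value below is made up for this example.
SAMPLE = """record_id,recipient,borrower_ref,amount
1,Jane Roe,123-45-6789,1200.00
2,John Doe,LOAN-123456789-A,880.50
3,Acme Farm LLC,000-12-3456,430.00
4,Richard Roe,n/a,150000.00
"""

if __name__ == "__main__":
    for column, count in scan_csv(SAMPLE).items():
        print(f"column {column!r}: {count} cell(s) look like SSNs")
    print("safe to publish:", safe_to_publish(SAMPLE))
```

A flagged column still needs a human decision: the structural rules only rule out numbers that could never have been issued, they do not confirm that a value is a real SSN.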
Good enough. (Score:1)
Re: (Score:2)
No, that's not true. What should be happening is that SSNs should not be useful for identity theft, since (whether or not they are in public databases), SSNs—because they are also tax identifiers for individuals and thus mandatory in a wide number of applications—are not secrets suitable for identification purposes in the first place.
OTOH, a public identifier like the SSN that serves the role of a ta
Is this digg?! (Score:1)
Re: (Score:2)
Why would the Object Management Group have SSNs on file?
you know, if they just (Score:2)
The credit card agencies can use their own number systems.
Yes, that system might be compromised, but damage will always be limited to the CC agencies.
Re: (Score:2)
> Yes, that system might be compromised, but damage will always be limited to the CC agencies.
Yes, and damages will be the liability to the CC agencies as well. This is why they do not do it. This is why the government doesn't push away SS#'s.
If your CC company came up with its own identification system -- and said system was compromised with your identity stolen, they would be liable for your damages. The way it works now, if your SS is stole
Nothing Has Changed (Score:1, Offtopic)
So they have taken all the power and money, and given us ZERO extra security, while routinely sending us into more and worse danger.
And if anyone had any doubts about how much this Bush regime thinks we're idiots, just watch a replay of their Attorney General shabbily lying and denyin
Re: (Score:2)
You might not like my post, but it's not "Offtopic". Especially when the summary includes this Bush "administration" official running away from responsibility for this breach by saying:
In other
Re: (Score:2)
Thanks a Lot, FDR (Score:3, Interesting)
The entire social security program is absurd. Ignoring the economics of the retirement portion of the program, using SSN's for identification is a terrible idea. The program was never initially designed for the numbers to be used as ID's, but the need for one was so overwhelming that people started accepting them.
Scrap the entire Social Security program. If you think the government ought to force people to prepare for their retirement, withdraw money from their paychecks and put it in a personal account for them. Hell, even a bank account with 1% interest would give you a better return than social security, and it guarantees ownership of your money, instead of allowing the government to waste it building bridges to nowhere when you die.
Once that's done, let's design a proper identification system, so it doesn't matter if someone gets your ID number.
Re: (Score:3, Insightful)
Not if you get disabled at 25 and you draw social security benefits for the rest of your life.
Social Security is an insurance program. If we got rid of it, we would have destitute old people living out on the streets, like they did during the depression. If that's the society you want to live in, fine. I don't want to see that one bit.
Re: (Score:2)
Not if you get disabled at 25 and you draw social security benefits for the rest of your life.
Social Security is an insurance program.
Please explain why I'm responsible for your insurance bill.
Re: (Score:2)
Re: (Score:2)
Let's stop here for a moment. Let's expand that statement...
"If you think government ought to use the threat of imprisonment or death to force people to prepare for their retirement".
Because that is what that force means. It also means that you take away their rights and ability to handle their current situations and needs by removing that money from their control. Perhaps for some people using that money to pay off credit debts,
Re: (Score:2)
Without SOME sort of government program to insure such, it is impossible to guarantee a retirement fund. Read the history [wikipedia.org] which inspired the program and understand how a solution is necessary. When the economy is okay it's easy to postulate that everybody should just take care of themselves, but the economy does not always STAY okay. It is times like that when a civilized society does not throw its old people out to rot on the street, which is the out
Re: (Score:3, Insightful)
I'm not sure what set of facts you're working from, but the economics of the social security program are fine.
The problem has been decades of Democratic and Republican Congresses skimming surplus money off the SS trust fund to cover their budgetary problems.
Remember how part of Al Gore's 2000 Presidential campaign was to put Social Security funds into a "lock box"? Even then it was too late to 'save
Re: (Score:2)
When it was started, the average life expectancy was 62 and the benefit collection age was 65. This was by design.
Now, the average life expectancy is 82. The benefit collection age needs to be raised, no exceptions, to 85. If you're 73 and collecting already, too bad. Get a job for another 12 years. If you're 64 and feeling entitled, get over it. Suck it up and keep working. Work is a contribution to society as well as a way to keep your mind active. Retirement is
What is SSN? (Score:2)
Re: (Score:3, Informative)
Every American citizen is issued a "social security number." Social Security is a "retirement" program instituted by the American government to provide for its citizens when they retire. The numbers are now used largely to identify citizens by banks, schools, hospitals, and many other organizations. If you have someone else's social security number and driver's license, you can most likely apply for a line of credit in their name.
It's basically a combination user-id and password which is transmitted i
Re: (Score:2)
> license, you can most likely apply for a line of credit in their name.
So it is basically flawed since it needs to be a secret and also needs to be known to number of people (like clerks and so on)? Very, very stupid.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Whose website? (Score:2)
No, actually, the New York Times is reporting that a publicly-released database from the Census Department related to Agriculture Department contained social security numbers. The connections with the OMB are:
1) Questions about the release were directed to the OMB because the OMB, among other things, coordinates information policies for executive branc
The third time it's enemy action. (Score:3, Insightful)
"Once is happenstance. Twice is coincidence. The third time it's enemy action."
Re:The third time it's enemy action. (Score:4, Informative)
Re: (Score:2)
People still use SSN's? (Score:3, Insightful)
pot, kettle, black (Score:2)
Uhhh, dude, if your organization is called "OMB Watch" and hosting a mirror of the database, shouldn't you have noticed that the database contained SSNs??? Not
Treat the illness, not the symptoms (Score:2)
The solution is to implement a scheme whereby we can still use SS#'s as an identification number, but where we don't use it as a verification of identit
That's what happens when the govt gets websites (Score:1)