Businesses and government agencies seem inept when it comes to protecting personal information, as the list of mishaps keeps getting longer.
How does this keep happening? Companies have been publicly humiliated, slapped with audits, and threatened with prosecution, but sensitive personal data continues to be compromised. The U.S. Department of Justice is the latest to demonstrate its information-security incompetence. The mistake: exposing Social Security numbers on its Web site.
It's the IT problem that just won't go away. From the time early last year that ChoicePoint Inc. admitted it had been duped into revealing personal data to identity thieves, dozens of other businesses, government agencies, and schools have followed with their own admissions of ineptitude. In most cases, victims can't do much more than keep a watchful eye on their financial statements and credit reports--and hope for the best. Not surprisingly, fraud is on the rise and consumer confidence on the decline.
The Justice Department's blunder came to light when InformationWeek investigated the concerns of Nick Staff, a systems security manager at a large bank, who had grown frustrated when Justice failed to remove several Social Security numbers from its Web site, www.usdoj.gov, after Staff contacted the agency directly. In one case, the Social Security number of a woman involved in a 2003 immigration-review case was included in documentation about the case. Additional site searches yielded other peoples' numbers in a half-dozen other places.
It's not clear whether the Justice Department broke any laws or regulations in exposing Social Security numbers. It's bound by the Privacy Act, which sets terms for how federal agencies use and disclose personal information, and by its own privacy policies. The Privacy Act, however, is frustratingly fuzzy and comes with a dozen exceptions.
A spokesman for the Justice Department's Executive Office for Immigration Review acknowledged last week that Social Security numbers shouldn't be available to the public and said the information would be removed from the site. He added that, in the 2003 immigration-review case, the affected person would be notified about what had happened.
But cleaning up is harder than it sounds. A subsequent search of www.usdoj.gov showed that the PDF document on the 2003 immigration case had been blocked from public view, but Google and Yahoo searches provided a link to a text version of the blocked PDF, and the Social Security number continued to be visible. The spokesman said his office still was looking into how to have the documents removed from Google's and Yahoo's search caches. The department was unable to provide further information last week, as many employees were out of the office during the holiday week.
Staff came across the Social Security numbers while looking for FBI comments on phishing and notified the Justice Department by E-mail on Nov. 12 that the numbers were displayed on its site. He followed up via E-mail three weeks later and was notified on Dec. 6 by the site's Webmaster that his E-mail had been forwarded to a "responsible component" within the department. Staff contacted InformationWeek almost two weeks later, on Dec. 19, when he saw that the name and number were still on the site. "I would not have gone public with this had the DOJ acted accordingly," he says.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.