Governments are some of the biggest sources of ID leaks, according to the September issue of Consumer Reports magazine. Whether it’s Social Security numbers printed on the face of Medicare cards, Social Security numbers linked to traffic tickets which are then posted on the Web, or whether it’s disappearing laptops, federal, state and local governments can be blamed for about one in five security breaches periodically making the news.
CR analyzed records of publicly reported data breaches compiled by the nonprofit Privacy Rights Clearinghouse and found that more than 230 security lapses by federal, state, and local government from 2005 through mid-June 2008 resulted in the loss or exposure of at least 44 million consumer records containing Social Security or driver license numbers and other personal data.
That represents almost one out of five ID breaches of all types reported during that period. But even those statistics probably don’t accurately portray the problem. CR reports that a 2006 investigation by the House Oversight and Government Reform Committee found that 788 breaches had occurred in the three and a half years between January 2003 and July 2006 at 17 federal departments and agencies. Few of these incidents were publicly disclosed.
A 2007 report from the Treasury Inspector General for Tax Administration revealed 24 incidents in which IRS laptops containing sensitive data for 480 taxpayers were lost or stolen because IRS employees put them in checked baggage at an airport, left them in unlocked cars, or lost them on trains or buses. Only one of the employees was disciplined.
What’s more, according to the House Oversight Committee’s annual security report card, the government as a whole got a C for 2007, up from a D+ two years earlier. And several federal departments including the Departments of the Treasury, Veterans Affairs, Agriculture, Interior, and the Nuclear Regulatory Commission got failing grades.
“Only a small portion of data breaches get publicized, and with government data breaches, even fewer get identified because the government, unlike business, doesn’t have a financial incentive to do so,” said Robert Tiernan, managing editor, Consumer Reports. “It’s very important that the government view citizens as their customers and place more value on sensitive information.”
The full report is available in the September issue of Consumer Reports on sale August 5 on newsstands and online at www.ConsumerReports.org.
The problem is not limited to lost laptops. Social Security numbers are visible on 40 million Medicare cards, as well as military identification cards and public court records throughout the country. The number of data breaches that result in ID theft is unknown because most victims don’t know how their personal information was obtained. And it might be a year or two before the stolen ID is used.
One Man’s Nightmare
CR recounted how Joe Protain, a 36-year-old surgeon from Warren, Ohio, received a far greater penalty than the $150 fine he paid for speeding. He discovered last year that traffic-court records publicly posted on the Franklin County Municipal Court Web site, including his address and Social Security number, enabled a ring of identity thieves to rack up more than $11,000 worth of charges in his name. He is still trying to recover from the fallout.
One of the suspects confessed the ring used the Franklin County Municipal Court Web site to enter random Social Security numbers, changing one digit at a time until hitting a match with a number belonging to one of the thousands of people whose court records had been posted online since 2001. The records revealed the victim’s name, address, age, and in some cases, driver’s license numbers. That allowed members of the theft ring to obtain a copy of the victim’s credit report and take over existing accounts or open new ones, with bills and purchases sent to a new address.
Data breaches, like Protain’s, in which identity thieves deliberately seek personal information for fraudulent purchases, pose the highest risk of identity theft. But congressional investigators found that unauthorized use of data by government employees and stolen laptops and computer storage devices were the most common sources of federal data losses.
Even the Federal Trade Commission, the agency that imposed fines on businesses for egregious data breaches, disclosed in June 2006 a computer-theft incident: Two of its laptops containing sensitive information for 110 people, including financial-account numbers and Social Security numbers, were stolen when two of the agency’s attorneys left them in a locked car.