Social Security numbers exposed on US government transparency site

The US government exposed dozens of people’s personal details, including Social Security numbers, due to an online mishap on a public transparency portal, it emerged this week.

FOIA.gov, a site that centrally administers Freedom of Information Act (FOIA) requests, had been serving up the information for weeks, CNN reported on Monday.

People use the site, operated by the Environmental Protection Agency, as a single go-to source for requesting information from the government. Through the portal they can submit requests concerning everything from data about criminal cases to government expenses. The site then routes information requests to the appropriate agencies and delivers the results.

Those requesting information may enter sensitive personal data, and government agencies even encourage them to do so to help service requests about matters such as the status of an immigration application or criminal cases.

A little too transparent

The problem stemmed from a software bug in the site’s search facility, which allows people to search existing FOIA requests and find out who has requested information about what. These records include personal details that the site normally withholds until the originating agency gives permission to reveal them.

That masking stopped working. Instead, the site began displaying all of the information by default, including sensitive data, effectively rendering it publicly available.

The software glitch meant that sensitive information about individuals, including birthdates, immigrant identification numbers, addresses and contact details, was available online. CNN identified at least 80 full or partial Social Security numbers during its research.

According to the news site, the masking feature had been working properly until 9 July, when the website upgraded from version 2.0 to version 3.0. This means information would have been publicly available until shortly after reporters from CNN, tipped off by a source, alerted the government.
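One way to guard against this kind of masking regression, shown as an added example rather than FOIA.gov's actual code: the public view denies by default, so fields introduced by an upgrade stay masked, and a second pass re-masks any released field that still carries SSN-shaped text. The record layout, field names and sample values are constructed assumptions.

```python
import re

# Constructed sample of a stored request record (not real data).
# Field names and the "released" approval set are assumptions for illustration.
SAMPLE_REQUEST = {
    "tracking_id": "EXAMPLE-0001",
    "agency": "Example Agency",
    "requester_name": "Jane Doe",
    "description": "Status of my application, SSN 000-12-3456",
    "date_of_birth": "1980-01-01",
    "released": {"requester_name"},  # fields the originating agency approved
}

ALWAYS_PUBLIC = {"tracking_id", "agency"}  # non-personal metadata
MASK = "[withheld pending agency review]"
# Full SSN shape only, with or without dashes; partial numbers need other checks.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def render_public(record):
    """Return the public view: deny by default, release only approved fields."""
    released = record.get("released", set())
    public = {}
    for field, value in record.items():
        if field == "released":
            continue  # internal bookkeeping, never shown
        if field in ALWAYS_PUBLIC or field in released:
            public[field] = value
        else:
            public[field] = MASK  # unknown or newly added fields stay masked
    return public


def find_ssn_leaks(public_view):
    """Post-render check: names of public fields containing SSN-shaped text."""
    return sorted(f for f, v in public_view.items() if SSN_RE.search(str(v)))


def render_checked(record):
    """Render, then mask any field that still carries an SSN-shaped value."""
    view = render_public(record)
    for field in find_ssn_leaks(view):
        view[field] = MASK
    return view
```

Running `find_ssn_leaks` over rendered search results as a release gate before and after an upgrade would flag a regression of this kind before it reaches the public site.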

At that point, FOIA.gov attempted to re-mask sensitive information, but some data needed to remain publicly viewable. Last Thursday, it sent a notice to the relevant originating agencies asking them to review the publicly viewable information on the site to ensure that FOIA.gov was authorized to disclose it.

Exposing data on websites by mistake is becoming a common problem for governments. In August 2016, a security researcher discovered 15GB of voter registration data and other sensitive information on the website of Kennesaw State University, which had a contract with state government to help run its voting system.

In March this year, 7,000 documents were inappropriately downloaded from a provincial freedom of information site in Nova Scotia, Canada, after a programming error left them publicly accessible. Hundreds of them contained sensitive information.

Some mishaps see data exposed on third-party online services. In August, researchers found UK and Canadian government data, including server passwords, exposed on the project collaboration site Trello. Google had indexed them.

Misconfigured databases have also become common, with exposed MongoDB data proving a popular target for security researchers. In August, 2.3 million Mexican healthcare records were exposed via a MongoDB instance and indexed by IoT search engine Shodan.