http://securityratty.com/tag/dmf Mon, 07 Jul 2008 04:44:12 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/83b43862a5d586f2e8d29257c1e832ef http://securityratty.com/article/83b43862a5d586f2e8d29257c1e832ef Security Breach

Date Reported:
6/26/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
Social Security Administration

Victims:
United States citizens

Number Affected:
"more than 20,000"

Types of Data:
Name, date of birth and Social Security number

Breach Description:
"The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive"

Reference URL:
FederalComputerWeek

Report Credit:
Michael Hardy, FederalComputerWeek

Response:
From the online source cited above:

The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive, the agency's inspector general has determined.
[Evan] "The DMF is a publicly available database maintained by SSA that contains detailed information on more than 82 million deceased numberholders. Each year, SSA receives death reports for more than 2.5 million individuals and adds the information to the DMF. " (Source: SSA Inspector General AUDIT REPORT A-06-07-27156).  This breach was not the result of single occurrence, but instead is a result of errors in current process.

The IG's analysis dates to January 2004.

Since then, SSA has made the live people's Social Security number, full name, date of birth, and state and ZIP code of last known residence available to users of the database
[Evan] The organization that distributes and manages the "system" cannot secure the information.  Is this is just another case that proves that the "system" is busted?

After learning that those people were not deceased, SSA deleted the information

The IG's investigators found some instances where the personal information was available for free viewing on the Internet

SSA provides the data to the Commerce Department's National Technical Information Service (NTIS), which in turn sells it to customers.
[Evan] Selling a dead man's (or woman's) information doesn't seem right to me.  Do you see anything wrong with it?

Customers include the government, investigative businesses, financial and credit reporting firms, and geneaology researchers.

Some, including prominent geneaology Web sites, post some or all of the information online for their users.

To prevent a repeat of the situation, the IG's  recommendations include:

• Implementing a risk-based approach for distribution of DMF information. One suggestion: Have NTIS delay release of updates to public customers for one year to give SSA ample time to correct erroneous entires.
• Limiting information included in the data sold to public customers.
• Starting required breach notification evaluation procedures.
• Providing appropriate notification to living individuals whose information was released in error.
  

In response to the IG's report, SSA said limiting the personal information might be difficult, but it would consider doing so.
[Evan] There are many practices to secure information that "might be difficult", but this is not a good excuse.  Life "might be difficult", so what?

The agency agreed with the other recommendations.

Commentary:
The use of Social Security numbers as personal identifiers as well as authenticators seems to be a very significant contributing factor to the identity theft mess we face today.  So how did Social Security numbers become so important in the first place?  Read the "Social Security Number Chronology" on the Social Security Administration web site for some clues.

To my knowledge, the victims in this breach have not been (nor will they be) notified.

Past Breaches:
U.S. Government:
March, 2008 - A breach that hits home with 2008 presidential candidates 
March, 2008 - Laptop stolen from NHLBI contained personal health information

]]> Mon, 07 Jul 2008 04:44:12 +0000 information secure information social security social security administration personal information information online dmf information death master file ssa Social Security Administration lists live people in the Death Master File