IT Hiccups of the Week: IRS Exposes Up to 100 000 Social Security Numbers Online

Last week saw a hodgepodge of IT-related snafus, errors and problems crop up. We start off our review with another accidental exposure of personal information online, this time involving the U.S. Internal Revenue Service.

Up to 100 000 Social Security Numbers Exposed Online at the IRS

The IRS admitted last Monday night that it had indeed posted a “substantial number” of Social Security numbers on a website hosting publicly available information regarding tax-exempt political organizations known as 527’s (a moniker that comes from the associated Internal Revenue Code (pdf)), a story at the New York Post reported.

The mistake was discovered by the California-based public interest group Public.Resource.org. The group had been investigating a different accidental IRS disclosure of thousands of Social Security numbers related to tax exempt organizations required to file Exempt Organization Business Income Tax Return Form 990-T (pdf), according to a story at the National Journal, which originally broke the story. The reason for the group's original investigation was that the IRS had asked the group to remove some information concerning non-profits on its website that the IRS had sent it on a CD, and the group was curious to understand why.

According to IRS regulations, unless specifically prohibited, tax exempt political, charitable and similar types of organizations are routinely required to have their various tax forms made available for public review.  To be fair, the IRS warns those organizations not to put personal information on any tax form the agency is required to publicly disclose, but obviously some personal information (Social Security, Employer Identification, or Individual Taxpayer Identification Number) has to accompany those submitted tax forms for the IRS to track who is filing the tax forms. While typically there is an Employer Identification Number on the publicly available tax forms, detailed information linking the EIN to a real person or persons can be found in a related IRS form (Form SS-4 Application for Employer Identification Number) that is originally filed along with the other tax forms the IRS routinely discloses.

From what I can gather in the Public.Resource.org letter to the IRS (pdf), the information on the Form SS-4, which typically requires an individual’s Social Security Number, was able to be accessed online at the IRS 527 website if the SS-4 was sent to the IRS along with the other publicly disclosed tax forms. In other words, basically whatever information the 527 organization sent to the IRS, the IRS just went ahead and posted it regardless of whether it contained personal information or not.

Carl Malamud, the founder of Public.Resource.org, estimated that up to 100 000 Social Security Numbers were posted by the IRS at its 527 website. The IRS, after being notified by Public.Resource.org of the issue, said it had restricted all access to the tax information on 527 organizations “out of an abundance of caution.” Online access to 527 organization information is still restricted as of today.

Public.Resource.org noted in its letter to the IRS that similar personal information disclosure problems involving routinely disclosed IRS tax forms have been known to exist for the past five years, and isn’t it time for the IRS to solve them once and for all? It also asked, “Why is there no easy way for people who find these problems to notify you?”

Both are good questions.

In a similar accidental information disclosure story from last week, ComputerWorld reported that the Japanese government admitted that the default settings were left untouched when the Ministry of Environment set up a Google email group account for those officials involved in its international standard negotiations on limiting mercury use. As a result, thousands of sensitive e-mails and associated negotiating documents were publicly accessible since January. The Japanese Ministry of Environment has said the information has now been removed, no doubt out of an abundance of caution.

UK Payday Lender Sends Threatening Debt Collection E-mails to Customers Who Didn’t Owe Money

UK payday lender QuickQuid sent e-mails to an unknown number of its customers threatening to turn their accounts to third party debt collectors if their debts were not repaid. The only trouble was that the customers receiving the threatening e-mail did not owe QuickQuid any money, the London Telegraph reported. The error was apparently discovered after those non-debt-owing customers started to call QuickQuid to find out what the heck was going on.

The Telegraph stated that QuickQuid placed a notice on its website stating, “An erroneous e-mail message was sent to a number of QuickQuid customers. Please note this was sent in error and should be disregarded. As a result, our call centre is currently receiving a high volume of calls and therefore customers may experience longer wait times than normal. We apologise for any inconvenience.”

It is hard to tell if QuickQuid was apologizing for the erroneous email or for the long wait times experienced by people calling to complain.

New York City Goes Back to Mechanical Voting Machines

Back in May, I wrote about the New York City primary elections to be held on 10 September for mayor, public advocate, and comptroller, and that if no candidate receives 40 percent of the vote, then a runoff election is required to be held. In such a case, New York state law requires that the runoff has to occur within two weeks.  This year, at least one if not two runoff elections are looking like a distinct possibility.

Unfortunately, the electronic voting machines on which New York City spent US $52 million cannot be reprogrammed in that short time frame (although the machine’s manufacturer, Elections Systems & Software of Omaha, Nebraska says the machines can be made ready if New York City is willing to pay it enough money to make it happen).

Last week, New York Governor Andrew Cuomo signed legislation that allowed New York City to go back to using mechanical voting machines for the primary elections, the New York Times reported, even though he said doing so was a “poor solution.” The legislation also extended the time between the primary and any runoff election by a week. After Cuomo signed the legislation, the New York City Board of Elections promptly voted unanimously to use the lever machines for the primary, although the electronic voting machines will be used for the general election in November.

Everyone is hoping that a better solution is found over the next four years, although I wouldn’t make book on it.

Also of Interest…

Mitsubishi Australia Recalls 5000 2013 Model Outlander SUVs for Multiple Safety System Issues

Kenyan Equity bank Suffers Massive IT Failure

Hardware Failure Destroys Colorado Gambling and Medical Marijuana Business Licenses

Communication Failure Delays Flights at King Khalid International Airport in Saudi Arabia

Communication Failure Delays Flights at Jorge Newbery Airport in Argentina

IT Issue Delays Flights in United Kingdom

New Software Inflates Water Bills in Ohio


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 