Gov't Posted SS Numbers Online Since '96

Googling Farmer Discovers USDA Had Exposed Her Personal Data, Along With That Of 63,000 Others

(AP)  The Social Security numbers of 63,000 people who received Agriculture Department grants have been posted on a government Web site since 1996, but they were taken down last week.

Free credit monitoring is being offered to those affected.

The security breach was only noticed last week and promptly closed, the Agriculture Department and Census Bureau announced Friday.

The Agriculture data that included Social Security numbers were removed from the Web on April 13 and similar data from 32 other agencies were taken down April 17 as a precaution, said Agriculture spokeswoman Terri Teuber.

A review has determined that none of the other 32 agencies had a similar problem, said Sean Kevelighan, spokesman for the Office of Management and Budget.

"There is no evidence that this information has been misused," Teuber added. "However, due to the potential that this information was downloaded prior to being removed, USDA will provide the additional monitoring service."

The breach was discovered by Marsha Bergmeier, president of Mohr Family Farms in Fairmount, Ill. "I was Googling my farm name at 11 p.m. when I couldn't sleep," she said in a telephone interview, and details of her land loan came up in the second listing of the Google search, a private Web site that reposted the government data.

The next morning, April 13, she contacted the Agriculture Department, her congressman, Rep. Tim Johnson, the private Web site and the Census Bureau and was surprised by how quickly they removed the personal information.

"If somebody downloaded it, it's still out there in the world," she said. "That will never be a private number again."

Chris Hoofnagle, senior attorney at the University of California at Berkeley law school clinic on technology, said the only federal law violated by such a breach is the Privacy Act, but the Supreme Court had ruled last year that victims could only collect damages for measurable losses to ID thieves, not merely for anxiety.

Nevertheless, the incident is likely to spur passage of a federal law requiring notification of potential victims when personally identifiable information is disclosed or stolen electronically, Hoofnagle predicted. Already 35 states have such a law.

When the breach was reported to the Agriculture Department on April 13, there were Social Security numbers for 47,000 recipients of grants from the department's Farm Services Agency and from USDA Rural Development on a public Web site maintained by the Census Bureau.

The department originally said Friday the Social Security numbers of 105,000 to 150,000 individuals had been entered into federal databases open to the public since 1981. But by Friday evening, after they calculated how many people had been entered more than once, USDA announced that 63,000 individuals had their Social Security numbers exposed. The data has only been posted on the Internet by the Census Bureau since 1996.

The Census Bureau collects the grants made by 33 federal agencies and posts them on the Internet without analysis. By law, the names of these recipients and how much money they got are public records.