Updated: Apr 13
The US government inadvertently exposed dozens of people’s personal details which included social security numbers because of an online mishap on a public transparency site, FOIA.gov.
The site was operated by the Environmental Protection Agency and was mainly used as a go-to source for requesting information from the government, such as inquiries about criminal cases or government expenses. The site would then send the requested information to appropriate agencies, followed by the delivery of the results.
Users may even input sensitive personal data and are even encouraged to do so by various government agencies to help in their requests. However, the public transparency site went a little overboard on the transparency when a bug affected the site’s search facility, resulting to the exposure of personal details that are normally withheld until the originating agency gives permission to divulge the information.
The masking feature stopped working, and the portal started displaying all sensitive information including birthdates, immigrant certification numbers, addresses and contact details by default, rendering them publicly available and up for grabs for anyone interested. CNN identified at least 80 Social Security numbers during its research. CNN reported that the glitch disabled the site’s masking feature after the portal updated from version 2.0 to 3.0 on July 9. This meant that people’s personal data would have been publicly available until CNN alerted the government.
Apparently, exposing sensitive data on websites by mistake is a recurring problem for governments. Just earlier this year, around 7,000 documents were inappropriately downloaded from provincial freedom of information site in Nova Scotia, Canada, after a programming error left them accessible to the public, affecting hundreds of citizens.
In some cases, data are exposed through third-party online services. Just this August, researches found UK and Canadian government data, including server passwords leaked on the project collaboration site Trello. Misconfigured databases have now also been a popular target for security researchers due to exposed MongoDB data. A prime example of this was the exposure of 2.3 million Mexican healthcare records via a MongoDB instance and indexed by IoT search engine, Shodan.