The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

FOIA Request Portal Exposed Social Security Numbers, PII

by Chris Brook on Tuesday September 4, 2018

Contact Us
Free Demo
Chat

Until it was fixed last week, an error in a Freedom of Information Act (FOIA) request portal exposed information belonging to requesters, including full and partial Social Security numbers.

An error in the way a federally maintained Freedom of Information Act request portal was configured was accidentally leaking Social Security numbers of American citizens until it was remedied last week.

According to CNN, which both broke the news Monday and helped fix the issue, the portal - foiaonline.gov - was also leaking individuals' dates of birth, immigrant identification numbers, addresses and contact details.

Freedom of Information Act, or FOIA requests, allow any U.S. citizen with the statutory right, to obtain access to government information, provided its not protected by an exemption.

The latest iteration of the portal, which allows individuals to submit requests to any of the 116 agencies covered by a FOIA request, was launched on March 6 after it was developed by the Justice Department's Office of Information Policy, its CIO office, the General Services Administration’s 18F, along with technical contractors.

whitepaper

A Data-Centric Approach to Federal Government Security

Ironically the portal was meant to streamline and safeguard the process of filing FOIA requests but it sounds as if the issue, something CNN has chalked up as a "design bug," mistakenly revealed information about individuals who made a request. According to the report anyone could have searched existing FOIA requests and seen what was requested, by whom, and what, if anything, may have been provided. On the search results page of foiaonline.gov anyone could have seen a description of requests made, including whether or not requesters included their Social Security Number alongside the request.

According to CNN 80 full or partial SSNs were spotted before the bug was addressed.

While the main FOIA request site can accept requests from handful of agencies, some FOIA systems aren't 100 percent linked to FOIA.gov, meaning individuals have to make requests directly through agency websites.

The specific FOIA microsite that was affected by the bug was maintained by the Environmental Protection Agency, which fixed the issue last Thursday after CNN alerted the agency. The issue was apparently caused in the shuffle from version 2.0 to version 3.0, in July, meaning it’s believed the bug left that information out in the open for nearly two months.

While some names and addresses - along with publication names and request descriptions - do still appear on FOIAonline.gov's advanced search section, that's because the data has been marked as publicly viewable by the agencies themselves. The EPA, per CNN, sent out a notice to other agency FOIA system administrators last week.

That memo falls in line with foiaonline.gov's FAQ section, which says an agency can choose whether or not to release records on a document-by-document basis. Some agencies can decide to make all requested records requested available to the public. Some may release records that contain sensitive information directly to requesters but not make them available to the public.

Tags: Privacy, Government

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.