The Department of Housing and Urban Development inadvertently made public the personal information of more than 475,000 people on its website, the agency announced this week, putting those people at risk of identity theft.
The information posted included social security numbers and dates of birth. In an announcement on HUD’s websites, Helen Goff Foster, HUD’s executive secretary and senior agency official for privacy, said HUD removed access to the associated web pages and links as soon as the disclosures were confirmed and conducted further review to determine the scope of the incidents, the extent of data exposed, and likelihood of unauthorized use of the information. To date, HUD has no evidence that any of the data has been used inappropriately, she wrote.
According to Foster, here’s how both incidents were discovered:
The first incident, discovered Aug. 29, 2016, involved businesses uploading excess employee data in HUD’s EZ/RC Locator. This online tool helps businesses determine eligibility for tax credits. The excess data included employee social security numbers and was stored on an unsecured web server. Although this excess data was uploaded to the department’s web server by private businesses, the data was not requested by the department and was not necessary for determining whether the businesses were eligible for the tax credit. HUD immediately shut down the Locator once the disclosures of sensitive personally identifiable information were confirmed. Approximately 50,727 impacted individuals will receive notification and an offer of free credit monitoring for one year as a result of this incident.
Another incident, discovered on Sept. 14, 2016, involved some personal information pertaining to public housing residents. While sharing community service requirement information with local public housing authorities, HUD discovered that personal information was made available through its website. The information included the individual’s last name, the public housing building code, and last four of their social security number for approximately 428,828 public housing residents. These residents will be notified by HUD and offered free credit monitoring services for one year.
Forster concluded the announcement by saying, “HUD deeply regrets any inconvenience caused by these incidents.”
