FOIA Request Portal Exposed Social Security Numbers, PII
Until it was fixed last week, an error in a Freedom of Information Act (FOIA) request portal exposed information belonging to requesters, including full and partial Social Security numbers.
A configuration error in a federally maintained Freedom of Information Act request portal was accidentally leaking Social Security numbers of American citizens until it was remedied last week.
According to CNN, which both broke the news Monday and helped fix the issue, the portal - foiaonline.gov - was also leaking individuals' dates of birth, immigrant identification numbers, addresses and contact details.
Freedom of Information Act (FOIA) requests allow any U.S. citizen with the statutory right to obtain access to government information, provided it's not protected by an exemption.
The latest iteration of the portal, which allows individuals to submit requests to any of the 116 agencies covered by a FOIA request, was launched on March 6 after it was developed by the Justice Department's Office of Information Policy, its CIO office, the General Services Administration’s 18F, along with technical contractors.
Ironically, the portal was meant to streamline and safeguard the process of filing FOIA requests, but it sounds as if the issue, something CNN has chalked up as a "design bug," mistakenly revealed information about individuals who made a request. According to the report, anyone could have searched existing FOIA requests and seen what was requested, by whom, and what, if anything, may have been provided. On the search results page of foiaonline.gov, anyone could have seen a description of requests made, including whether or not requesters included their Social Security number alongside the request.
According to CNN, 80 full or partial SSNs were spotted before the bug was addressed.
While the main FOIA request site can accept requests from a handful of agencies, some FOIA systems aren't 100 percent linked to FOIA.gov, meaning individuals have to make requests directly through agency websites.
The specific FOIA microsite that was affected by the bug was maintained by the Environmental Protection Agency, which fixed the issue last Thursday after CNN alerted the agency. The issue was apparently caused in the shuffle from version 2.0 to version 3.0, in July, meaning it’s believed the bug left that information out in the open for nearly two months.
While some names and addresses - along with publication names and request descriptions - do still appear on FOIAonline.gov's advanced search section, that's because the data has been marked as publicly viewable by the agencies themselves. The EPA, per CNN, sent out a notice to other agency FOIA system administrators last week.
That memo falls in line with foiaonline.gov's FAQ section, which says an agency can choose whether or not to release records on a document-by-document basis. Some agencies can decide to make all requested records available to the public. Some may release records that contain sensitive information directly to requesters but not make them available to the public.