Skip to main content

FOIA Request Portal Exposed Social Security Numbers, PII

by Chris Brook on Tuesday September 4, 2018

Contact Us
Free Demo

Until it was fixed last week, an error in a Freedom of Information Act (FOIA) request portal exposed information belonging to requesters, including full and partial Social Security numbers.

An error in the way a federally maintained Freedom of Information Act request portal was configured was accidentally leaking Social Security numbers of American citizens until it was remedied last week.

According to CNN, which both broke the news Monday and helped fix the issue, the portal - - was also leaking individuals' dates of birth, immigrant identification numbers, addresses and contact details.

Freedom of Information Act, or FOIA requests, allow any U.S. citizen with the statutory right, to obtain access to government information, provided its not protected by an exemption.

The latest iteration of the portal, which allows individuals to submit requests to any of the 116 agencies covered by a FOIA request, was launched on March 6 after it was developed by the Justice Department's Office of Information Policy, its CIO office, the General Services Administration’s 18F, along with technical contractors.


A Data-Centric Approach to Federal Government Security

Ironically the portal was meant to streamline and safeguard the process of filing FOIA requests but it sounds as if the issue, something CNN has chalked up as a "design bug," mistakenly revealed information about individuals who made a request. According to the report anyone could have searched existing FOIA requests and seen what was requested, by whom, and what, if anything, may have been provided. On the search results page of anyone could have seen a description of requests made, including whether or not requesters included their Social Security Number alongside the request.

According to CNN 80 full or partial SSNs were spotted before the bug was addressed.

While the main FOIA request site can accept requests from handful of agencies, some FOIA systems aren't 100 percent linked to, meaning individuals have to make requests directly through agency websites.

The specific FOIA microsite that was affected by the bug was maintained by the Environmental Protection Agency, which fixed the issue last Thursday after CNN alerted the agency. The issue was apparently caused in the shuffle from version 2.0 to version 3.0, in July, meaning it’s believed the bug left that information out in the open for nearly two months.

While some names and addresses - along with publication names and request descriptions - do still appear on's advanced search section, that's because the data has been marked as publicly viewable by the agencies themselves. The EPA, per CNN, sent out a notice to other agency FOIA system administrators last week.

That memo falls in line with's FAQ section, which says an agency can choose whether or not to release records on a document-by-document basis. Some agencies can decide to make all requested records requested available to the public. Some may release records that contain sensitive information directly to requesters but not make them available to the public.

Tags:  Privacy Government

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.