Consumer Reports Warns Public About Government ID Leaks

Joe Protain, a 36-year-old surgeon from Warren, Ohio, received a far greater penalty that the $150 fine he paid for speeding. He discovered last year that traffic-court records publicly posted on the Franklin County Municipal Court Web site, including his address and Social Security number, enabled a ring of identity thieves to rack up more than $11,000 worth of charges in his name. He is still trying to recover from the fallout.

One of the suspects confessed the ring used the Franklin County Municipal Court Web site to enter random Social Security numbers, changing one digit at a time until hitting a match with a number belonging to one of the thousands of people whose court records had been posted online since 2001. The records revealed the victim's name, address, age, and in some cases, driver's license numbers. That allowed members of the theft ring to obtain a copy of the victim's credit report and take over existing accounts or open new ones, with bills and purchases sent to a new address.

While Americans trust government officials to safeguard sensitive personal and financial data, government is among the biggest sources of ID leaks, according to a Consumer Reports (CR) investigation.

The report ID Leaks, A Surprising Source is Your Government at Work, in the September issue claims that penalties are also rarely imposed on those who are negligent.

CR analyzed records of publicly reported data breaches compiled by the nonprofit Privacy Rights Clearinghouse and found that more than 230 security lapses by federal, state, and local government from 2005 through mid-June 2008 resulted in the loss or exposure of at least 44 million consumer records containing Social Security or driver's license numbers and other personal data.

That represents almost one out of five ID breaches of all types reported during that period, said CR in a release. CR reports that a 2006 investigation by the House Oversight and Government Reform Committee found that 788 breaches had occurred in the three and a half years between January 2003 and July 2006 at 17 federal departments and agencies. Few of these incidents were publicly disclosed.

A 2007 report from the Treasury Inspector General for Tax Administration revealed 24 incidents in which IRS laptops containing sensitive data for 480 taxpayers were lost or stolen because IRS employees put them in checked baggage at an airport, left them in unlocked cars, or lost them on trains or buses. Only one of the employees was disciplined, claims CR.

According to the House Oversight Committee's annual security report card, the government as a whole got a C for 2007, up from a D+ two years earlier. And several federal departments including the Departments of the Treasury, Veterans Affairs, Agriculture, Interior, and the Nuclear Regulatory Commission got failing grades.

"Only a small portion of data breaches get publicized, and with government data breaches, even fewer get identified because the government, unlike business, doesn't have a financial incentive to do so," said Robert Tiernan, managing editor, Consumer Reports. "It's very important that the government view citizens as their customers and place more value on sensitive information."

The problem is not limited to lost laptops. Social Security numbers are visible on 40 million Medicare cards, as well as military identification cards and public court records throughout the country. The number of data breaches that result in ID theft is unknown because most victims don't know how their personal information was obtained. And it might be a year or two before the stolen ID is used.

Data breaches, like Protain's, in which identity thieves deliberately seek personal information for fraudulent purchases, pose the highest risk of identity theft. But congressional investigators found that unauthorized use of data by government employees and stolen