
Government must do more to protect personal data, privacy experts say

A state employee posted the Social Security numbers of nearly 3,000 Maryland residents online for weeks, a security breach that experts say raises questions about the way the government guards personal data and whether it needs it in the first place.

The information was collected by an employee of the state Department of Human Resources, which handles welfare benefits for needy families. The worker, who posted the information on a private website, has been suspended. State officials are notifying those whose information was available.

The watchdog who uncovered the breach said the episode illustrates how Maryland's government and others need to restrict access to data and better protect it.

"The goal should be to create a culture where everyone knows they'll be held responsible for dealing with this very precious asset called personal information," said Aaron Titus, privacy director of the nonprofit Liberty Coalition, which works to maintain online privacy.

Titus and other security experts say that instead of using Social Security numbers, governments could create other unique identifying numbers for people who receive benefits. But older government computer systems are set up around those nine digits, said Paul Stephens, director of privacy and advocacy for the Privacy Rights Clearinghouse, and attempts to overhaul the system can be difficult and expensive.

"The cost to convert, in many cases, becomes prohibitive," Stephens said.

The Maryland information had been transferred by a state worker from government files onto a private website and had been stored in a folder marked "downloads," which was not protected by a password, encryption or a firewall.

"It was available to potentially anyone in the entire world with an Internet connection," Titus said.

Nancy Lineman, a spokeswoman for the state agency, declined to identify the worker or his job.

The department handles thousands of applications a month for government services that include food stamps and emergency medical benefits, and processes the benefits using data such as Social Security numbers. All employees who handle sensitive information must sign forms stating that the information they review is confidential, Lineman said.

The spokeswoman stressed that the breach was caused by a staff member acting against protocol and said employees are given the minimum access necessary to perform their jobs and that access is monitored and periodically reviewed.

Department of Human Resources officials say they do not believe the breach will lead to changes in the way personal information is collected and stored. But Lineman acknowledged that such breaches, which she said are rare, "harm the clients and the integrity of our work."

State officials said they do not know whether any of the information has been used fraudulently.

Titus, a Fort Washington attorney, found the problem by using a search engine to uncover Social Security numbers that might be unprotected on the Internet. He has been conducting such checks for years, notifying organizations of problems when he finds them.

He said he started the website NationalIDWatch in 2007 because those organizations often would delete evidence and pretend the problem never occurred.

Those affected "are real people, this has real consequences and it ruins real lives," said Titus, a 31-year-old father of four.

Government files account for a sizable proportion of inadvertent data releases, experts say.

Of more than 1,600 data breaches examined by the Privacy Rights Clearinghouse since 2005, at least 20 percent have been from the government or military, Stephens said.

"The government agencies have tended to be among the worst offenders," said Andrea Rock, senior editor of Consumer Reports, which studied government data breaches in 2008.

She said governments might have less incentive to prevent breaches than banks, which can be held financially responsible if consumers are victims of identity theft.

Titus discovered the Maryland breach in early July and notified the Department of Human Resources on July 12. The agency investigated, uncovered the employee responsible and placed the worker on administrative leave. The department might pursue legal action pending results of an investigation by the state attorney general's office, the DHR's inspector general and others, officials said.

"We don't really know why the employee took the action that the employee took," Lineman said.

The attorney general's office sent the employee a letter July 14 instructing him to remove the data, and he complied that day, officials said. The employee contacted Internet search engines to ensure that the information is not stored anywhere, Lineman said.

Titus said the incident can be held up as a lesson that governments must take responsibility for the data they keep.

"They have to foster a culture of security where they keep meaningful logs and can hold people accountable for extracting information out of their database and make sure they know where it goes and who has access to it," he said.

He noted that an awareness of what information is collected on the Internet — and where it is stored — is just as important. For instance, Google or Yahoo toolbars in browsers collect information from sites you visit and send it back to those search engines.

"If you have a secret file online, and you visit it, you probably just let Google know it exists," Titus said.

liz.kay@baltsun.com

brent.jones@baltsun.com

http://www.twitter.com/lfkay

Copyright © 2021, The Baltimore Sun, a Baltimore Sun Media Group publication
