Security Needed During Applications Development: Social Security Numbers Part Of Addresses on 7,601 Envelopes

7,601 people from Columbus Ohio had their social security numbers visible as part of the address on mailings they received from the city’s income tax department.

"More than 7,500 people received letters from the city’s income tax division with their Social Security numbers visible through the envelope window, a problem blamed on a computer glitch. No recipients have reported problems with identity theft, and the numbers will not be visible from the outside on future mailings, city tax administrator Melinda Frank said. Social Security numbers serve as city taxpayers’ account numbers and are included in mailings for identification."

Gee, good to know they will not continue to mail letters with visible SSNs!

Why wasn’t this noticed before the mailinges left the government office?  They should have had QA procedures for this. 

This is also a good example for the need to incorporate information security and privacy requirements and checks into the applications development process.  The inappropriate placement of the SSNs on the printouts that were subsequently stuffed into the envelopes should have been something checked during the application testing and quality assurance.  Blaming a "computer glitch" certainly is a weak effort to offload responsibility onto technology as though it was beyond their control.  Humans program computers, and humans are ultimately responsible for the applications flubs that result…not some mysterious and uncontrollable computer troll.

"The 7,601 mailings were sent Aug. 4 to alert people who had filed tax estimates for this year that they could pay their balances online. Followed by one or two additional characters, it wasn’t obvious that the nine-digit numbers were Social Security numbers, Frank said. "To their next door neighbor who doesn’t know what their Social Security number is, it’s a line of numbers with an alpha letter after it," she said."

Making what comes across as a flippant remark is not a good way to respond to an incident.  Most people in the U.S. *could* identify a SSN followed by "one or two additional characters" as being an SSN…especially on an envelope with a return address from the city income tax division. 

Make sure when you create your own incident response plans that your communications to the press and directly to the victims are not flippant, dismissive or condescending to the victims and readers.  This spokesperson comes across as basically saying that most people are too dumb to know a SSN when they see it.  This fans the flames of anger for those impacted by the incident.  Your communications should instead be compassionate, apologetic, truthful and show concern.

"The tax division received three complaints by phone and two by e-mail. "Yes, the nine digits are followed by a letter, but it’s not that hard to look at it and figure out that it might be a Social Security number," one taxpayer wrote. "You would think that in this day of ID theft, the last thing a taxing authority would want to do is expose all their taxpayers to identity theft and open the city up to being sued.""

The numbers of concerned victims who come forward voicing their concerns will continue to grow.  Don’t underestimate the impact their concern and anger over an incident could have on your organization.  This quote summed it up nicely…"the last thing a taxing authority would want to do is expose all their taxpayers to identity theft and open the city up to being sued."  No organization wants to be sued for something that could have easily been prevented with good information security and privacy practices built into their SDLC process, and with basic QA procedures.

This is another good example to put within your awareness files.

Technorati Tags

Leave a Reply