A Freedom of Information Act request portal accidentally exposed personal information, Social Security numbers and other sensitive information due to a design error during a system upgrade. Following a tip about the glitch, CNN discovered that the government transparency site revealed the partial or full Social Security numbers of at least 80 individuals on a public-facing database.
Other information, including dates of birth, immigrant identification numbers, contact details and addresses, along with other sensitive information about individuals seeking further information, was also exposed, CNN reported.
In one case, a victim of a violent crime seeking additional information on the incident described the crime. Victims of identity fraud seeking more information about their cases also had their Social Security numbers exposed in the incident.
The error lay in a feature that allows anyone to search through existing FOIA requests. Under normal circumstances, the public can view individual FOIA requests, who requested them and, in some cases, what information has been provided in response. However, the description field is typically withheld until agency approval has been granted.
Because of the design error, these descriptions were completely viewable on the search results page, along with the individuals' personal information.
CNN alerted the government to the glitch prior to publication. The government said the information has since been secured and participating agencies have been notified.
An email alert has been sent out by the Environmental Protection Agency (EPA) office that provides the IT resources to maintain the FOIA clearinghouse.
"Recently it was discovered that PII (SSN) information in some records was exposed to the public," the email read, CNN reports. "The PMO [Primary Management Office] has identified the cause of this issue and this afternoon implemented program fixes that resolved the problems."
The agency also acknowledged that the glitch would be reported by the media.
"It will also be reported that after our fix, that some names and addresses still do appear in publicly available FOIAonline records," the email continued. "A review by the PMO has found that this information has been marked as publicly viewable by the reporting agencies. It is requested that partner agencies review publicly viewable information to ensure that any personal information is specifically intended to be presented as such."
EPA spokesman John Konkus told CNN that the agency is working with partner agencies to address the issue with the FOIAonline 3.0 system, noting that a "limited number of cases" were affected in the incident.
It is not immediately clear how many people were impacted by the glitch, how long their personal information was publicly exposed or whether it has been exploited by any malicious actors.
"EPA will follow the Agency's Breach procedures to evaluate the situation further and take the appropriate mitigation measures," Konkus said.