California Unemployment Exposing Social Security Numbers

Tuesday, October 12, 2010

Lawrence Pingree


As many of us already know, corporations and banks have changed the way they provide printed information to customers (at least for the most part).

Corporations over the last 10 years have increasingly adopted policies against using social security numbers and personally identifiable information (PII) in their mailed reports, bills or customer invoices.

This was primarily chartered by privacy advocates to reduce the exposure of customer data and prevent it from being used as a data source for identity theft.

The increase in dumpster diving and drive-by mailbox raids made it clear that we had to do something about what we disclose.

Our governments don't always seem to adopt the same protections that we'd expect of our public and private corporations, so I'm hopeful my article will entice the citizenry to contact their government agencies and demand some changes.

Governments are often inefficient entities that are typically 'behind the times' due to the bureaucratic nature of consensus decision-making and due process.

Most people realize that Hollywood embellishes quite a bit in its TV shows, and that shows such as 24 and CSI: Miami, New York, etc. are far beyond the real operational capabilities of government.

I suspect that most people believe our government is so much more advanced than it really is, so they often think it would already have good protection in place.

However, this is not as true as Hollywood might make us believe. There are steps our government could take to protect our data more effectively that are both simple and easily implemented, and that do not require much advanced technology or process.

Apparently, the California Employment Development Department (EDD) is still in the practice of sending out its customer statements with some of the information needed to perform a successful identity theft.

This includes a person's name, address and social security number.

What I find more ironic is that the disclosed information is even included on the PIN code mailing their customers receive to establish a PIN for "extra security protection".

I realize they did make a small attempt to protect their customers by reducing the first name used in many of their mailings to just the first letter of a person's name, but I found it a bit silly that the social security number was not obfuscated.

A simple lookup on ZabaSearch or Net Detective can easily glean a person's full name based on their address, so reducing a person's name to their initials is a daft attempt at increasing security, and I suspect they only did it to save on printing costs.

I would definitely suggest that our government agencies all take a hard look at what they are sending to their customers. If it's just about cost, why not remove the social security number entirely?

Don't these people already know their social security number? If not, shouldn't they?

Cross-posted from Pingree on Security

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
