Friday, July 22, 2005

Information insecurity: County government assisting ID thieves

In a topic near and dear to my heart for a couple of reasons, I read where an ID thief managed to acquire the data on his victim from an interesting source - the web site of the county government. Hamilton County, OH apparently started scanning in speeding tickets and posting them on-line. Apparently, the web site wasn't too discriminating in who it gave those scanned images out to because a woman whose ticket was so posted found that an ID thief managed to rack up $20K in spending on her information. The reason? The woman's name and social security number were listed on the ticket.

This is just stupid. Every single information officer these days is fully aware of the sensitivity of certain data items and the social security number is the absolute worst of the bunch. It shouldn't be, because that number is only supposed to be used to track income for the purposes of handling social security benefits. It's not supposed to be used for anything else. Its use has blossomed into far, far more, as we all know, becoming a virtual "national ID" on its own. The fact that so many private enterprises also use the number to identify customers only compounds the problem. In fact, it's the use by financial institutions like banks and credit reporting agencies that allows someone to do what this thief did.

The fault, however, is primarily on the IT/IS systems and staff of Hamilton County, OH. We can even take a step back further and ask why a person's social security number is listed on a speeding ticket. The only info needed to ID a person for that purpose is name, address, and driver's license number. (If she was an out-of-state driver and her state uses social security numbers as driver's license numbers, then her state needs to fix their program to avoid exposing its citizens to this risk.) Under no circumstances should it have been posted on the damned internet. If the management there at Hamilton County are that clueless and out-of-touch, then they should be demoted to working the desktop support line and more qualified personnel should be brought in. It's Ohio - they're available.