Carl Malamud, founder of Public Resource (a non-profit dedicated to publishing and sharing public domain materials in the US), described the incident on 7 July. The SSNs are contained in the database of filings of Section 527 political organizations – such as campaign committees. "While the public posting of this database serves a vital public purpose", says Malamud, "the failure to remove individual Social Security Numbers is an extraordinarily reckless act." The database is an important resource for political researchers and journalists.
Malamud made the discovery during an audit it performed itself following receipt of a DVD which it processed and placed online before later receiving a request from the IRS for that information to be recalled. Public Resource did so, but subsequently analyzed both its logs and the original data to see if any sensitive data had been exposed. What it discovered was that the IRS political organization database includes social security numbers.
"It is with greatly conflicted feelings that we requested the administration make the political organization database go dark temporarily," says Malamud. "We understand that this is an essential tool for researchers and even temporary unavailability hurts their efforts."
Malamud wrote to the US Treasury Inspector General for Tax Administration 2 July. "The IRS needs to take action about SSNs displayed on the government web site. This is illegal and inappropriate. I believe you should pull the entire site for now, but that is your decision to make." The database was removed from public view the next day.
He was less restrained in comments aimed directly at the IRS. "It is time now for the administration to send a tiger team over to the I.R.S. to help fix their information management practices. The I.R.S. has indulged too often in bad Information Technology and this habit has become ingrained in the culture and procedures of the Service. It is time now for the I.R.S. to admit that it needs help. That is the first step towards recovery."
The question then is what might a tiger team recommend? The problem is one faced by all organizations: data can be replicated, shared and moved across multiple systems – quite literally at the touch of a button. Voltage Security believes the solution can be found in the encryption and tokenization of sensitive data.
“The takeout for me", says says Dave Anderson, a senior director at Voltage, "is that this saga highlights the need to obfuscate or de-identify the sensitive information in your organisation, wherever it is stored and however it is used and moved. The problem with multi-dimensional data – especially spreadsheet or SQL database files – is that it is very difficult to understand which elements contain private data. For this reason, encryption and tokenisation of all data becomes a driving imperative,” he added.