Charities expose almost 500K Social Security numbers by filing their own taxes
Forms to identify donors, with SSNs, become public record after tax filing
The big data-security news today is the revelation that the data breach announced by Utah Medicaid services last week compromise the financial, medical and other personal information of between 280,000 and 500,000 people, not the 24,000-some that previous reports estimated.
Investigators have theorized that organized crime gangs in Eastern Europe are responsible for the attack April first or second on the Utah Department of Health servers, which netted private data on 181,604 Medicaid clients.
It's a huge attack that will have repercussions for years to come. A far lower-key series of data leaks may pose a far greater risk than any one-time data heist, however.
The problem is the tax forms that both corporations and individuals fill out in order to get credit for their largesse.
To make a donation tax deductible, taxpayers need a receipt. To get it they often have to fill out and submit to the charity a copy of IRS tax form 990. Donors don't have to put their Social Security numbers on the forms.
Until concerns about identity theft began to grow earlier this decade, however, it was common for non-profits to ask for SSNs on the 990 forms, even though the forms are officially public property and are stamped with the words "Open to Public Inspection."
In a review of millions of IRS 990 forms, New York identity-theft-prevention vendor Identity Finder reports it was able to harvest almost 500,000 Social Security numbers (full report as a PDF).
Identity Finder's main product Identity Finder, can be installed on PCs and Macs, or on corporate networks to scan all available hard drives and identify sensitive data that is stored unencrypted and unsecured. It can then either delete the data, lock it up or send business managers a notice highlighting the potential exposure of their departments.
In a review of almost three million tax returns and other formsfiled by non-profits between 2001 and 2006, Identity Finder discovered 132,362 charities and non-profits filed 990s exposing a total of 472,866 Social Security numbers – 171,005 of which were unique.
About 18 percent of all non-profit tax returns included at least one Social Security number, at least 35 percent of the time, one of the SSNs on the tax documents was that of the accountant or other tax preparer, who identified themselves using the number.
"Unlike a credit card number, Social Security numbers cannot easily be revoked," according to a statement from Todd Feinman, CEO of Identity Finder. "Given the seriousness and ubiquity of identity fraud, tax preparers should avoid including SSNs on Form 990s."
One West-Coast charity published the names, addresses, SSNs and payment amounts for 2,901 people, the most complete breach in the list.
According to General Accountability Office definitions, the 990 forms for 76,799 organizations qualify as data breaches, though laws requiring organizations reveal data breaches, Security Management points out.
The magazine also points out the additional risks tax data breaches pose. The National Gang Intelligence Center, for example, warns that prison gangs have been requesting public tax information as a way to create fake tax returns that can be filed by accomplices on the outside, netting the gang a significant source of cash from tax returns.
Identity Finder recommended that donors leave their SSNs off documents whenever possible and ask non-profits or anyone else to justify their request for the number before providing it.
Non-profits shouldn't put SSNs of donors on their own tax documents and should check
Tax preparers, who should probably know better anyway, should identify themselves using Preparer Tax Identification Numbers (PTIN) rather than SSNs.
Unfortunately, the other recommendations have less chance of being honored. Among them is the suggestion the IRS and courts should only provide copies of IRS form 990s with the SSNs blacked out and that the IRS should publish updates that say explicitly SSNs are not required on form 990 and should not be included.
The vendor also put up a web tool that can tell you if any SSNs from your company are among those that could have fallen into the wrong hands.
It doesn't work for individuals, because it would require they type in their own SSNs, exposing them further.
To use the tool, type in your company's Employer ID Number and hit Enter.
Using it is nearly as easy as it would have been for non-profits not to publish your Social Security number on public documents in the first place.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.