U.S. Government Freedom of Information Site Leaked Social Security Numbers


A U.S. government web portal that facilitates requests under the Freedom of Information Act (FOIA) recently leaked sensitive user data, including social security numbers.

The website flaw, disclosed this week by CNN, impacted FOIAonline.gov, which is maintained by the Environmental Protection Agency (EPA) and used to track data requests sent to government bodies—including the Department of Defense and the Department of Justice.

As a result of the bug—which seemingly emerged during a July software update of the website—dozens, if not hundreds, of partial and full social security numbers were exposed.

Additional personally identifiable information (PII) that was leaked included immigrant ID numbers, dates of birth, addresses and contact details, the publication reported on Monday. The news sparked fears the details could be abused in future cyberattacks or for identity theft.

The issue existed in a feature that let users of the portal search existing FOIA records. The site allegedly exposed requester descriptions in error, meaning that some entries were viewable to anyone—even if they included personal details that should have been redacted. The web portal was updated from version 2.0 to 3.0 around two months ago. Work remains ongoing.

A spokesperson for the EPA, John Konkus, said in a statement: "The EPA is aware and working with partner agencies to remediate an issue with the FOIAonline 3.0 system.

“The issue affects a limited number of cases and inadvertently displays descriptive information that may, in some instances, include social security numbers. EPA will follow the agency's breach procedures to evaluate the situation further and take the appropriate…measures.”

FOIAonline did not immediately respond to a request for comment.

CNN obtained a notice that was sent out to FOIA system administrators last Thursday, which acknowledged the cybersecurity issue and asked officials to check their systems. Accurate updates are the responsibility of the relevant government department, CNN reported.

Sensitive information, it appeared, was still exposed online—at least initially. 

"Recently it was discovered that PII (SSN) information in some records was exposed to the public," the EPA notice read, adding that the problems had since been resolved.

It added: “This issue will shortly be publicized by the press. It will also be reported that after our fix, that some names and addresses still do appear in publicly available FOIAonline records.

“It is requested that partner agencies review publicly viewable information to ensure that any personal information is specifically intended to be presented as such.”

It remains unclear how long the social security numbers and other details were being leaked online. On the FOIAonline homepage, a disclaimer says work on the site is not yet complete. “Much of the information from the previous version of FOIAonline is not yet in 3.0,” it reads. “This process is expected to take several weeks to complete. We appreciate your patience.”
