The U.S. Department of Agriculture narrowed the number of people whose personal data was exposed on a Web site to 38,700, as agency officials stressed the steps being taken to protect those affected by the situation.
The 38,700 people affected were awarded funds through the FSA (Farm Service Agency) or USDA Rural Development. The data leak was uncovered by a farmer in Illinois who performed a Google search on her farm name nearly two weeks ago. The search led her to a Web site run by government watchdog group OMB Watch, USDA officials said.
The data came from a publicly available database maintained by the U.S. Census Bureau since 1981, and has been posted online since 1996, federal officials have said.
When the data exposure was first uncovered, USDA officials feared as many as 150,000 individuals might be affected. USDA Press Secretary Keith Williams said that number included all individuals whose identification number could possibly contain private information. But they have whittled the number down to 38,700 over the past several days.
Williams said there has been no evidence that data from the site was misused. One of the reasons, he added, is that the social security numbers were embedded within the 15-digit Federal Award ID number given out to those who received funds. As a result, if a person were searching for a nine-digit social security number, they wouldn't necessarily recognize it since it appeared to be part of a larger number, he explained.
USDA is offering free credit monitoring services to those affected by the exposure because of the potential that the information was downloaded prior to removal. There is no evidence that this information has been misused, Williams said.
The disclosure comes on the heels of an annual report by the House Government Oversight and Reform Committee that judges compliance with the Federal Information Security Management Act. In the report, the USDA received an F for 2006—the same grade it received in 2005. The government as a whole was given a C-minus in 2006.
OMB Watch officials posted a statement on their Web site reporting the group redacted all FAADS (Federal Assistance Award Data System) records from the Web site, and the government has committed to fixing the problem with the information within 30 days.