The Social Security Numbers of tens of thousands of Americans ended up in a searchable public database that provides access to the tax filing applications of Section 527 political organizations on the Internal Revenue Service’s website.

According to OpenSecrets.org, 527s are “…tax-exempt group[s] organized under section 527 of the Internal Revenue Code to raise money for political activities including voter mobilization efforts, issue advocacy and the like.”

The public information dissemination nonprofit, Public.Resource.Org, wrote a letter to the IRS [PDF] earlier this month requesting that the government’s tax collector temporarily remove the forms from their website in order to properly redact the highly sensitive information.

In a phone interview, Carl Malamud, the founder of Public.Resource.Org, told Threatpost that the IRS exposed tens of thousands of Social Security Numbers at the least, and may have in fact exposed more than 100,000.

The IRS has since taken the forms offline, but finds itself in something of a catch-22.

“When we were alerted last week that a substantial number of Social Security numbers were posted on IRS.gov in forms filed by section 527 political organizations, the IRS decided out of an abundance of caution to temporarily remove public web access to the records,” the agency said in a statement.

“The law requires the IRS to publicly post forms, such as Forms 8871, 8872 and 990, that are submitted by section 527 organizations,” the statement goes on. “The IRS frequently and routinely reminds organizations of the public disclosure of these forms and urges them not to include personal information, including Social Security numbers, in their public filings.”

8871, 8872, and 990 forms are all documents that an organization must complete in order to apply for Section 527 tax-exempt status.

As Malamud clarified, none of these forms explicitly or directly ask for Social Security Numbers. However, sometimes applicants attach to these forms other tax documents, such as their SS-4, that do ask for Social Security Numbers. The SS-4 is an application form through which individuals may request an employee identification number (EIN). The IRS does require that applicants provide their EIN in order to achieve 527 status, but they are not required to attach the SS-4 form. Only the number itself is necessary. Malamud claimed that applicants attach such documents in an attempt to more concretely prove the legitimacy and accuracy of the information they are providing as part of their 527 filings, despite the fact that there is no need to do so and, furthermore, the IRS urges applicants not to do so.

“While the public posting of this database serves a vital public purpose (and this database must be restored as quickly as possible) the failure to remove individual Social Security Numbers is an extraordinarily reckless act,” Malamud wrote in a statement.

It is not clear why applicants feel the need to attach private documents along with public filings, but it is clear, according to Malamud, that the IRS is not doing enough to protect the privacy of filers.

“I think we can all agree that it is not proper for the United States government to be disclosing such information on your website as such practices are prohibited under the Privacy Act of 1974 and the E-Government Act of 2002,” Malamud wrote in a letter to the IRS and Treasury Department.

There is no doubt that this is a touchy situation for the IRS, which is required by law to publish such documents without removing or altering any information, as noted on the tax agency’s website:

“Because the IRS is required to disclose approved exemption applications and information returns, exempt organizations should not include Social Security numbers on these forms. By law, with limited exceptions, the IRS has no authority to remove that information before making the forms publicly available. Documents subject to disclosure include attachments filed with the form and correspondence with the IRS about the filing.”

Malamud, though, suggests that the IRS either bounce public filings back to applicants when they include sensitive information or that they develop some algorithmic means of scanning these documents for Social Security Numbers and redacting them when necessary.
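A sketch of the scan-and-redact option Malamud describes, as an added example that is not code from the IRS, Public.Resource.Org or the original article. It assumes filings have already been converted to text; the sample filing and all function names are constructed for illustration.

```python
import re

# A delimited SSN is written 3-2-4 (123-45-6789); the EIN that 527 filers must
# supply is written 2-7 (12-3456789), so the separator layout tells them apart.
# Undelimited nine-digit runs are ambiguous and are not handled here.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")

def find_ssns(text):
    """Return (start, end, matched_text) for every plausible SSN in the text."""
    return [(m.start(), m.end(), m.group(0))
            for m in SSN_RE.finditer(text)
            if is_plausible_ssn(m.group(1), m.group(3), m.group(4))]

def redact(text):
    """Mask every plausible SSN completely; EINs and other numbers are untouched."""
    def mask(m):
        if is_plausible_ssn(m.group(1), m.group(3), m.group(4)):
            return "XXX-XX-XXXX"
        return m.group(0)
    return SSN_RE.sub(mask, text)

def triage(text):
    """The 'bounce it back' option: reject a filing that contains any SSN."""
    return "bounce" if find_ssns(text) else "publish"

# Constructed sample: a Form 8871 with an SS-4 attached, as the article describes.
SAMPLE_FILING = (
    "Form 8871 - Organization EIN: 12-3456789\n"
    "Attachment: Form SS-4, responsible party SSN: 123-45-6789\n"
    "Contact phone 202-555-0143, reference 000-12-3456\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_FILING))
    print(redact(SAMPLE_FILING))
```

Scanned image attachments would need OCR before a text scan like this can see them, and OCR errors mean a manual review step is still needed for anything the scanner passes.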


Comments (3)

  1. Dave K

    I am continually astounded by the ineptitude of governmental organizations, seemingly without any sense of responsibility; how is it that there remains an almost total lack of accountability?

    • stine

      You should have read the rest of the article where it says that the IRS is prohibited from doing this.

  2. Deramin

    I’m not sure this is actually a case of ineptness this time, as they did exactly as specified. This is more of a logic fault with the law. If the law says post without altering, then why would we expect the underpaid drudgeon scanning these in to break the law and alter them? Most of us in that position would probably chuckle to ourselves, think “Sucks to be you filer,” and get on with our job. Let this be a lesson to our lawmakers in careful wording.
