A state employee posted the Social Security numbers of nearly 3,000 Maryland residents online for weeks, a security breach that experts say raises questions about the way the government guards personal data and whether it needs it in the first place.
The information was collected by an employee of the state Department of Human Resources, which handles welfare benefits for needy families. The worker, who posted the information on a private website, has been suspended. State officials are notifying those whose information was available.
The watchdog who uncovered the breach said the episode illustrates how Maryland's government and others need to restrict access to data and better protect it.
"The goal should be to create a culture where everyone knows they'll be held responsible for dealing with this very precious asset called personal information," said Aaron Titus, privacy director of the nonprofit Liberty Coalition, which works to maintain online privacy.
Titus and other security experts say that instead of using Social Security numbers, governments could create other unique identifying numbers for people who receive benefits. But older government computer systems are set up around those nine digits, said Paul Stephens, director of privacy and advocacy for the Privacy Rights Clearinghouse, and attempts to overhaul the system can be difficult and expensive.
"The cost to convert, in many cases, becomes prohibitive," Stephens said.
The Maryland information had been transferred by a state worker from government files onto a private website and had been stored in a folder marked "downloads," which was not protected by a password, encryption or a firewall.
"It was available to potentially anyone in the entire world with an Internet connection," Titus said.
Nancy Lineman, a spokeswoman for the state agency, declined to identify the worker or his job.
The department handles thousands of applications a month for government services that include food stamps and emergency medical benefits, and processes the benefits using data such as Social Security numbers. All employees that handle sensitive information must sign forms stating that the information they review is confidential, Lineman said.
The spokeswoman stressed that the breach was caused by a staff member acting against protocol and said employees are given the minimum access necessary to perform their jobs and that access is monitored and periodically reviewed.
