YOKOTA AIR BASE, Japan - The military is playing catch-up on a year-old complaint that hundreds of thousands of officers’ Social Security numbers have been floating around on the Internet.
In an October 2008 letter to the Defense Department and the Federal Trade Commission, Public.Resource.org detailed its discovery of roughly 232,000 military officers’ Social Security numbers in government and commercial databases, available to anyone with an Internet connection.
The nonprofit group, devoted to making public records available online, found the numbers in the Congressional Record. Copies are available online and in print at libraries throughout the United States.
Carl Malamud, the founder and president of Public.Resource.org, estimates that 500,000 officers’ Social Security numbers were printed in the Congressional Record between 1971 — when the military began using them to identify troops — and 1996. Moreover, digitized versions of the federal publication have been available online for years.
But his complaint, addressed to military Inspector General Gordon Heddell, did not reach the Defense Privacy Office until August. The office is now in the process of ensuring the numbers have been redacted, both online and in print, director Samuel Jenkins said.
"We’re at the beginning stages of this," Jenkins said. "We’re taking this very seriously and aggressively pursuing action."
Military officials could not explain why it took nearly a year to address the complaint.
Malamud, however, said he acted immediately when his group discovered the problem in 2008. He notified the Government Printing Office, which prints the Congressional Record and publishes it online, and the three major commercial databases that publish online versions of the federal publication: W.S. Hein, LexisNexis and Westlaw.
Malamud has not conducted a follow-up audit.
When contacted by Stars and Stripes after the newspaper discovered officers’ Social Security numbers were still available on HeinOnline.org, W.S. Hein acknowledged that it had received the complaint from Malamud but had yet to redact its catalog.
"We have tried some redacting software … but it is not that accurate and it requires a great deal of manual intervention," company President Kevin Marmion said in an e-mail Friday to Stars and Stripes. The problem, he said, is that Hein’s versions are scanned copies of the original documents and were not manually typed into the database like most other digitized editions.
"We are currently redacting Social Security numbers from another online project that has more recent Social Security numbers in it and the Congressional Record will follow," Marmion said.
LexisNexis spent seven months redacting the numbers from its online databases, completing the task in 2008, company spokesman Jorge Martinez wrote in an e-mail to Stars and Stripes.
Westlaw immediately took down its database last October following Malamud’s complaint, according to its parent company, Thomson Reuters.
After manually redacting the information it was put back online within a day, and the company now scans all Congressional Record content for Social Security numbers and other sensitive information before posting it in its database, company spokesman John Shaughnessy wrote in an e-mail to Stars and Stripes.
But even after a database is scrubbed there is the potential to miss information, Malamud said.
An oversight was responsible for the 2,700 Social Security numbers he found in 2008 in the GPO’s online archive of the Congressional Record from the mid-1990s. The agency, which has since removed them, had redacted most of the Social Security numbers in the late 1990s under the direction of the Senate, GPO spokesman Gary Somerset said in an e-mail to Stars and Stripes.
Malamud said there needs to be a process to ensure the material has been removed from the public files. He has urged the military to inform the affected officers.
Jenkins, with the Defense Privacy Office, said it would be too difficult to contact individuals and that his office is instead considering posting a notice on its Web site directing them to closely monitor their credit.
Credit monitoring is provided by the DOD only to those who can prove their credit already has been hurt by documents the military published, Jenkins said.
And questions still linger about how to remove the Social Security numbers in print editions of the Congressional Record held by many of the 1,250 libraries around the country that participate in the Federal Depository Library Program.
Jenkins said his office is committed to redacting the records but has yet to develop a plan for the massive undertaking.
"This is an ongoing process," he said.
The information became part of the Congressional Record because the military needs Senate approval to officially promote officers. Generals and admirals typically appear before the Senate before they rise in rank, though most promotions are approved en masse through a list provided by the military.
Before 1997, the list included officers’ names, ranks and full Social Security numbers. From then until last year, it included only the last four digits of the Social Security numbers along with the corresponding names and ranks and is still available through the GPO’s Web site. This year, the numbers were completely removed from the process, according to the GPO.
Said Pentagon spokesman Lt. Col. Les’ Melnyk: "It was appropriate to provide [the full Social Security numbers] when they were provided. We’re now taking steps to alleviate the possibility that [ID theft] could happen."
Jenkins said the military had not received any reports of fraud as a result of the Congressional Record, but media reports from 1999 indicate that identity thieves successfully obtained credit cards for scores of high-level military officers using Social Security numbers culled from the Congressional Record.
Stars and Stripes reporter Jeff Schogol contributed to this story.