BreachExchange mailing list archives
GAO recommends that Congress sets SSN truncating standards for information resellers
From: security curmudgeon <jericho () attrition org>
Date: Mon, 12 Jun 2006 17:51:20 -0400 (EDT)
The following article is from GSN: Government Security News (May 1, 2006). Any typos are my own.

--

GAO recommends that Congress sets SSN truncating standards for information resellers

If you contact the right information resellers on the Internet, you may be able to obtain a range of personal information about a specific individual, including his date of birth, driver's license data, telephone records and even his social security number, or a truncated version of that SSN.

The Government Accountability Office (GAO) looked into the availability of SSNs over the Internet, contacted 21 resellers and reached two interesting conclusions: SSNs are not that widely available, but when they are, there is no standardized format in which they present the entire SSN or a truncated version of the number.

The GAO reported "there are few federal laws and no specific industry standards on whether to display the first five or last four digits of the SSN, and [Social Security Administration] officials told us the agency does not have the authority to regulate how public or private entities use SSNs, including how they are truncated."

As a result, the GAO has recommended that Congress consider setting standards for truncating SSNs, or delegating authority to the SSA or another agency to set such standards. The SSA agreed with this recommendation, the GAO said.

When it requested SSN information from 21 different resellers, the GAO said it received one full SSN, four truncated SSNs (which displayed only the first five digits), and nothing at all from 16 of the resellers.

"In one case, we also received additional unrequested personal information including truncated SSNs of the search subject's neighbor," said the GAO document issued earlier this month.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/