Beware: Social Security numbers available online via indexed tax documents

As one who keeps up with the cutting edge of search engines and advanced search querying, it is with much reservation and disbelief that I bring you the results of my latest online investigative research. As of 4/10/2011, I have discovered in excess of 50 tax documents containing any given combination of Social Security numbers, credit card information, names, addresses, tax IDs, and phone numbers being made available online. However, unlike recent leaks of email addresses and password hashes being made available due to hackers compromising systems, these documents are being unknowingly made freely available to prying eyes by the very owners of said information.

Sounds unbelievable, right? It gets worse.

To clarify, these are tax documents as they have been/will be submitted to State and Federal government: Names, addresses, income, phone numbers, credit card numbers (stored from e-filing), and worse of all, Social Security numbers. The latter is the most detrimental of all not just because of the individual filing their taxes having their identity potentially stolen, but because of individuals who have children that they use for tax credits.

As any parent knows, you must include certain information about your children when using them for tax breaks; namely, their names and Social Security numbers. That takes identity theft into a completely different atmosphere since a child having their identity stolen most likely will not find out until years down the road long after the damage has been done and the perpetrator has vanished. The potential consequences of such ignorance are far-reaching.

Another scenario to consider is for couples who file joint tax returns. Could you imagine if you found out your Social Security number was available for all to see online because your significant other placed your tax documents on a family or business Web site? Never mind the scenario in the paragraph above, then having to tell a child one day that their credit has been destroyed because of such careless actions taken with personal information.

I’m not going to post any names, URLs, or any other information that will identify any of the individuals I’ve discovered this information from, but let me show you an example of all the information contained on just ONE page from one of the documents I uncovered (click the image below to see the full-sized screen shot):

1040 form page containing 5 SSNs.

What you see there is one page from a 1040 form containing 5 names, 5 Social Security numbers, one address, and total yearly income. This whole family — husband, wife, and three children — is potentially at stake for identity theft, and that is if it hasn’t already happened since this particular document has resided on their Web site for quite a while (as noted by the date shown for when the file was uploaded to their site).

Perhaps even more surprising than being able to find this information in the first place is where I found some of the documents residing. Most of the sites contained in my research are comprised of personal, family, and business Web sites. But the real shocker is the educational Web sites I discovered these types of documents residing on.

Wading out past the irony of educating educators, there is a blatantly obvious education that needs to happen on topics of safeguarding personal information. With that in mind, here are some preventative measures and tips to reference that should help you appropriately handle your personal information on the Web and/or take action if you find out your information has been compromised.

Preventative Measures and Tips

1 - DO NOT STORE PRIVATE INFORMATION ONLINE! That’s about as cut-and-dry as it gets.

2 - If you must store private information online, then enable authentication which requires you to log in prior to being able to see and download the contents of a directory. Additionally, password-protect your files and change or encrypt file names so that they cannot show up in searches related to their file names or provide intrigue for potential intruders (i.e. if someone is digging around for tax information on your site and they see a file called “Tax-Information-2011.ppsx”, then they’re most certainly going to be sure to check out that file).

3 - If you find your information has been indexed in a search engine, remove your file(s) immediately from your Web site, then contact the search engine to have both the indexed and cached results removed. Don’t just remove the file(s) from your site, because someone could still view a search engine-cached version of the file(s).

4 - To see if your information has been compromised, check any and all logs from your Web site dating back to the day you placed the file on your site. If you see download activity on your file(s) from an IP address you do not recognize, then there’s a good chance your personal information has been compromised. Acceptance will undoubtedly be difficult, but it’s necessary to move forward with preventing further damage.

5 - If you suspect you have become a victim of identity theft, it may behoove you to obtain a credit report, sign up for credit monitoring, and reach out to your local FBI branch to report any findings you may have with regards to your personal information being stolen and utilized.

Conclusion

Sadly, the 50+ documents I have made note of do not even begin to scratch the surface of what is actually available out there between all the types of search engines there are these days. To note, the results of my investigation are primarily based on just two very simple Web queries using just one search engine. Additionally, I tried other specialized search engines just to see what kind of results they would yield and the results were dumbfounding. I didn’t take the time to sift through them simply because I didn’t have to.

Last of note is that I have tried reaching out to appropriate channels to have the results I found from this investigation removed from the search engines I found them in. Unfortunately, even with those efforts being made and even after going public with this article, this type of behavior will only continue to go on as more and more people figure out how to store files on their Web sites which they think are somehow disconnected from the rest of the Internet.

Please help create awareness by sharing this article with your friends, family, colleagues, and anyone else you can think of. The more awareness we create, the less people have to worry about suffering the consequences of inadvertently sharing highly-sensitive personal information.

*”Anonymous User” icon courtesy of veryicon.com.

-Stephen Chapman
SEO Whistleblower

Related Stories:

• How It Works: What Happens When You Search Google?
• How to Become a Search Ninja: Harnessing the True Power of Google - Part 1
• University in ’serious’ data breach; Publishes 17,000 students’ data
• University email disclosed data of students with disabilities
• Gawker hacked: Just the latest sign that Web going Wild West