Beware: Social Security numbers available online via indexed tax documents

Beware: Social Security numbers available online via indexed tax documents

Summary: Nearing the end of tax season, it's a good time to ask yourself if your personal information is safe. Before you say "yes," read this article.

SHARE:

As one who keeps up with the cutting edge of search engines and advanced search querying, it is with much reservation and disbelief that I bring you the results of my latest online investigative research. As of 4/10/2011, I have discovered in excess of 50 tax documents containing any given combination of Social Security numbers, credit card information, names, addresses, tax IDs, and phone numbers being made available online. However, unlike recent leaks of email addresses and password hashes being made available due to hackers compromising systems, these documents are being unknowingly made freely available to prying eyes by the very owners of said information.

Sounds unbelievable, right? It gets worse.

To clarify, these are tax documents as they have been/will be submitted to State and Federal government: Names, addresses, income, phone numbers, credit card numbers (stored from e-filing), and worse of all, Social Security numbers. The latter is the most detrimental of all not just because of the individual filing their taxes having their identity potentially stolen, but because of individuals who have children that they use for tax credits.

As any parent knows, you must include certain information about your children when using them for tax breaks; namely, their names and Social Security numbers. That takes identity theft into a completely different atmosphere since a child having their identity stolen most likely will not find out until years down the road long after the damage has been done and the perpetrator has vanished. The potential consequences of such ignorance are far-reaching.

Another scenario to consider is for couples who file joint tax returns. Could you imagine if you found out your Social Security number was available for all to see online because your significant other placed your tax documents on a family or business Web site? Never mind the scenario in the paragraph above, then having to tell a child one day that their credit has been destroyed because of such careless actions taken with personal information.

I'm not going to post any names, URLs, or any other information that will identify any of the individuals I've discovered this information from, but let me show you an example of all the information contained on just ONE page from one of the documents I uncovered (click the image below to see the full-sized screen shot):

1040 form page containing 5 SSNs.

1040 form page containing 5 SSNs.

What you see there is one page from a 1040 form containing 5 names, 5 Social Security numbers, one address, and total yearly income. This whole family -- husband, wife, and three children -- is potentially at stake for identity theft, and that is if it hasn't already happened since this particular document has resided on their Web site for quite a while (as noted by the date shown for when the file was uploaded to their site).

Perhaps even more surprising than being able to find this information in the first place is where I found some of the documents residing. Most of the sites contained in my research are comprised of personal, family, and business Web sites. But the real shocker is the educational Web sites I discovered these types of documents residing on.

Wading out past the irony of educating educators, there is a blatantly obvious education that needs to happen on topics of safeguarding personal information. With that in mind, here are some preventative measures and tips to reference that should help you appropriately handle your personal information on the Web and/or take action if you find out your information has been compromised.

Preventative Measures and Tips

1 - DO NOT STORE PRIVATE INFORMATION ONLINE! That's about as cut-and-dry as it gets.

2 - If you must store private information online, then enable authentication which requires you to log in prior to being able to see and download the contents of a directory. Additionally, password-protect your files and change or encrypt file names so that they cannot show up in searches related to their file names or provide intrigue for potential intruders (i.e. if someone is digging around for tax information on your site and they see a file called "Tax-Information-2011.ppsx", then they're most certainly going to be sure to check out that file).

3 - If you find your information has been indexed in a search engine, remove your file(s) immediately from your Web site, then contact the search engine to have both the indexed and cached results removed. Don't just remove the file(s) from your site, because someone could still view a search engine-cached version of the file(s).

4 - To see if your information has been compromised, check any and all logs from your Web site dating back to the day you placed the file on your site. If you see download activity on your file(s) from an IP address you do not recognize, then there's a good chance your personal information has been compromised. Acceptance will undoubtedly be difficult, but it's necessary to move forward with preventing further damage.

5 - If you suspect you have become a victim of identity theft, it may behoove you to obtain a credit report, sign up for credit monitoring, and reach out to your local FBI branch to report any findings you may have with regards to your personal information being stolen and utilized.

Conclusion

Sadly, the 50+ documents I have made note of do not even begin to scratch the surface of what is actually available out there between all the types of search engines there are these days. To note, the results of my investigation are primarily based on just two very simple Web queries using just one search engine. Additionally, I tried other specialized search engines just to see what kind of results they would yield and the results were dumbfounding. I didn't take the time to sift through them simply because I didn't have to.

Last of note is that I have tried reaching out to appropriate channels to have the results I found from this investigation removed from the search engines I found them in. Unfortunately, even with those efforts being made and even after going public with this article, this type of behavior will only continue to go on as more and more people figure out how to store files on their Web sites which they think are somehow disconnected from the rest of the Internet.

Please help create awareness by sharing this article with your friends, family, colleagues, and anyone else you can think of. The more awareness we create, the less people have to worry about suffering the consequences of inadvertently sharing highly-sensitive personal information.

*"Anonymous User" icon courtesy of veryicon.com

Related Stories:

 

Topics: Enterprise Software, Banking, Government, Government US

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

177 comments
Log in or register to join the discussion
  • so how did you get it?

    if you have notified the web repositories of it, it might be nice to know, so that people can run checks on their own names to see if they are out there for any reason they might not know of.
    tiderulz
    • RE: Beware: Social Security numbers available online via indexed tax documents

      @tiderulz I intentionally left out how I obtained these. The hope is that if someone reads this and feels they may be at stake, they can exercise the 5 steps I outlined to remedy the situation. By giving out the methods I used, I'm then enabling everyone to go view the documents themselves and if you know anything about the Internet, you're aware of the types of people that come out of the woodwork.
      StephenChapman
      • So, did you contact these people directly to let

        them know their information was publicly available?
        fr_gough
      • RE: Beware: Social Security numbers available online via indexed tax documents

        @StephenChapman - You're not talking about Dropbox/Skydrive type online storage. I'm having trouble figuring out how these got posted on a website in the first place. What possible purpose could people have had for putting them up?
        GusRandall
      • RE: Beware: Social Security numbers available online via indexed tax documents

        @frgough Next-to-last paragraph of the article. :)
        StephenChapman
      • RE: Beware: Social Security numbers available online via indexed tax documents

        @GusRandall No, I'm talking about people storing their documents on their own Web sites in directories that search engines are able to find and index. It takes advanced search queries to mine this data out, but it's out there.
        StephenChapman
      • RE: Beware: Social Security numbers available online via indexed tax documents

        @StephenChapman I know exactly what you're referring to in this article (and I could probably guess the exact query used to come up with the document shown) and I also agree agree that it probably wouldn't be smart to unleash such data to the public.<br><br>On the other hand, to someone without such knowledge of how search engines work, this article does become pretty confusing and not very helpful. I think at the very least you should explain what you mean by public directory... that being any server and not just a physical directory that is run by a 3rd party.
        DrewHammond
      • RE: Beware: Social Security numbers available online via indexed tax documents

        @DrewHammond Thanks for the feedback. I suppose my assumption with this post is that someone who knows -- at the very least -- how to put a file on a Web site they own, will make the connection that if it's possible for this kind of data to be found on someone's Web site, then perhaps it can be found on theirs. At that point, I'm relying on the reader to considering removal of such information, regardless of if it's private, public, or otherwise.

        Again, if this was your average home user who has no idea how to so much as register a Web site -- let alone upload files to it -- then I may have considered getting a little more granular with the details. And for what it's worth, the only people (sans one or two down the comments page) I've had tell me this article is confusing are people who either already know better (like you) or our lovely family of trolls here on ZDNet who tirelessly aim to make our lives a little less peaceful. With that said, I'm not too concerned that I'm missing anything pertinent for those I'm really trying to reach (and do appear to be reaching, thankfully). :)

        Thanks again for the feedback.
        StephenChapman
      • RE: Beware: Social Security numbers available online via indexed tax documents

        <a href="http://www.companyformation.com.sg/corporatesecretary">Corporate services</a><br><a href="http://www.mtac888.com/">money lending</a><br><a href="http://www.localseo.com.sg/">local seo services</a><br><a href="http://www.e-commerce.sg/service/">website with ecommerce</a><br><a href="http://www.e-commerce.com.sg/">Ecommerce website</a><br><a href="http://www.payperclick.com.sg/">PPC management</a><br><a href="http://www.seoconsultants.com.sg/e-commerce.html">ECommerce</a><br><a href="http://www.top3.com.sg/seo/">seo consultant</a>| <a href="http://www.ecommercewebsite.com.sg/">ecommerce design</a>| <a href="http://www.top3.com.sg/">Seo Services</a>| <a href="http://www.wangzhotel.com/">Hotel in Singapore</a> | <a href="http://www.cosmeticsurgery.sg/sculpted-body/vaser-liposuction">Liposuction</a> | <a href="http://www.acmamall.com/">online shopping mall</a> | <a href="http://www.acmamall.com/beauty.html">online beauty store</a> | <a href="http://www.acmamall.com/books.html">selling books online</a> | <a href="http://www.acmamall.com/skin-care-products.html">skin care products</a><br><a href="http://www.yixintang-tcm.com/">Traditional Chinese Therapy</a> | <a href="http://www.italkbb.com.sg/ens/ens_index.asp/">calling philippines</a>
        michealyjhon
      • RE: Beware: Social Security numbers available online via indexed tax documents

        You got a really useful blog I have been here reading for about an hour. <a href="http://www.logodesignmaestro.co.uk">logo design</a> I am a newbie and your success is very much an inspiration for me.
        donnakaran
      • RE: Beware: Social Security numbers available online via indexed tax documents

        I am once again feeling happy and proud to say that this is my favorite web site.The postings are very unique and also out standing performance with the new creativity and excellency with the new different ideas and concepts.Really I am waiting for some more new posts from you.Keep up your excellency and efficiency in this same levels.
        <a href="http://www.dissertationinn.co.uk/">dissertation help uk</a> , <a href="http://www.dissertationinn.co.uk/dissertation-topics/">dissertation topics</a> , <a href="http://www.dissertationinn.co.uk/write-my-dissertation/">write my dissertation</a> , <a href="http://www.dissertationinn.co.uk/dissertation-service/">dissertation service</a>.
        ethanlord
    • RE: Beware: Social Security numbers available online via indexed tax documents

      @tiderulz
      This is not a surprise to me. Countrywide, in 2008, just before the evil boa, took over their dirty deeds, sold all of my personal identity to the open market, investigated by F.B.I., generated a suit won by the attorney General. My compensation, nothing, except two free years access to my credit reports, my browsers designate a dangerous site, do not enter. Just a few days ago, got a notice from Health Net, that they have missing hard drive storage files, my personal private identity is on. They offered the same thing, a two year access to some software. I don't care any more, business and government are so corrupt, nothing matters any more. Enjoy the moments, before they start dropping bombs on us.
      drgzone
      • RE: Beware: Social Security numbers available online via indexed tax documents

        Thanks for sharing this information with us. <a href="http://www.logodesignmaestro.com">custom logo design</a> This is true that we need to have a system that helps us to block all the intruders that want to enter our territory in this country. <a href="http://www.logodesignmaestro.com/cheap-logo-design/">cheap logo design</a> If people always do things like this in their life, other people will do the same thing to protect all the things that they have. This is easy to separate them into two group. <a href="http://www.logodesignmaestro.com/logo-design-service/">logo design service</a> One is to protect and one is the intruder.
        donnakaran
    • RE: Beware: Social Security numbers available online via indexed tax documents

      This is what webmasters make mistakes and make things horrifying for themselves. You have to be very sure that the folders and files that has confidential data should be protected and must be blocked to search engines. I hope now they have learned the lesson.
      <a href="http://www.e2solutions.net/effective_web_promotions_seo_company_india.htm">SEO India</a>
      raghavtt
  • Not helpful.

    I wish I could say this article is helpful, but I can't. I don't have reason to believe my tax records are at risk, but I have no way to double check.
    spstanley
    • Even with the steps I provided for you to check?

      @spstanley As long as you don't store your tax documents on your own personal site in a wide-open directory, you should be fine. The main objective of the article is to create awareness. People should know from here if they've stored their personal information on their own personal Web sites (which is always a bad idea).
      StephenChapman
      • RE: Beware: Social Security numbers available online via indexed tax documents

        @StephenChapman
        I don't think that this is enough! There are too many people out there who don't know how to configure their computers. How many people know what applications may have installed web servers on their desktops or laptops? This is very easy to do and it can be done without the user's knowledge! This effectively opens their entire computer to the outside world!
        tech_ed@...
      • RE: Beware: Social Security numbers available online via indexed tax documents

        @StephenChapman - I have to agree with others here. How do you know if your own personal site is in a 'wide-open' directory? Please dude. Go back to journalism school. Quit with the click-bait articles already!
        The Danger is Microsoft
      • RE: Beware: Social Security numbers available online via indexed tax documents

        @TheDangerIsMicrosoft The premise of the article is to create awareness and press the point that people should think twice about storing sensitive data online -- not cover every base about the entry points to said information on such sites.
        StephenChapman
    • The article could have been clearer up front.

      @spstanley I agree. Perhaps the article could have began with "If you store your information on line and on your website, here's a risk you may run" rather than trying to scare the beejeebees out of people.
      GeoffMichael