PNW_Explorer_16 t1_j55no5q wrote

You too, huh?

What exactly is going to come of this?

69

RManDelorean t1_j55oqtu wrote

Nothing, it's fine. They asked nicely so I'm sure they deleted it. /s But hopefully it was just an innocent mistake, lol I can see some hacker out there like "..wait, we could've just asked??"

53

PNW_Explorer_16 t1_j562u4z wrote

Right! “Hey. You broke a federal law”. “Hacker”: oh. Whoops here you guys go. Sorry about that. I’ll just ask next time. Wanna go grab a coffee?

11

blaaguuu t1_j55z79q wrote

While this is a pretty shitty situation - I feel like you have to give out your last 4 to so many institutions, and there is no way to validate that any of them have decent security practices, so I generally assume that the 'last 4' might as well be treated as public info, already...

49

JustARandomBloke t1_j560r41 wrote

The problem being if you know the last four and their birthday and where they were born you can recreate their full ssn.

42

flipfreakingheck t1_j571ea7 wrote

Wait, really?

10

JustARandomBloke t1_j572k5u wrote

The first 3 numbers are tied to specific geographic areas. The middle two are based on when you were born. The last 4 are a unique number.

18

Bigbluebananas t1_j5744ep wrote

So theoretically you can get their social by finding their place of birth and date- after you get the special 4 digits?

5

JustARandomBloke t1_j574hpl wrote

Yes, though another poster said this is only true for those born before 2011.

3

Bigbluebananas t1_j576zmg wrote

Man... that's friggin bonkers to me

5

renownbrewer t1_j58eafh wrote

You used to be able to guess WA driver's license numbers with key information and there was even an embedded checksum.

4

script372 t1_j587ejx wrote

Not necessarily where they were born but where they applied… and it wasn’t until 1987 that people were assigned an SS # at birth.

5

GunHead416 OP t1_j55of51 wrote

Hopefully nothing but I'm kinda shocked this was all it took for the government to fuck up.

Shocked....well, not that shocked.

11

Ben_A t1_j55v065 wrote

Worked at Domino’s as a delivery driver. For some reason my manager sent my full name, address, social security number, and license number to someone I delivered to. I do not know why. He’s just dumb.

22

rosesandpiglets t1_j569719 wrote

I’m usually not a very litigious person, but you might want to talk to a lawyer. Breaking federal law and saying “oh whoops” “we fixed it and totally trust this dude” doesn’t cut it IMO. They need to provide legal documentation that they did what they said at the bare minimum.

5

PNW_Explorer_16 t1_j56svm9 wrote

Agreed. Were you part of it as well? Sounds like a lot were, and I don’t mind getting the ball rolling.

0

rosesandpiglets t1_j56viua wrote

I was not, fortunately. I hope the victims take action though, this is completely unacceptable and I don’t trust the “cooperation” of a third party one bit

0

SoftwarePatient5050 t1_j57epdh wrote

Which federal law was broken?

−3

[deleted] t1_j57gbsy wrote

[deleted]

0

SoftwarePatient5050 t1_j581tae wrote

That does not appear to apply here:

>Binds only federal agencies and covers only records under the control of federal agencies (and, by contract, also applies to contractor personnel and systems used by a federal agency to maintain the records).

1

SirDouglasMouf t1_j576jeq wrote

I'm guessing you don't know about how god awful WA state unemployment fraud was/is/has become. The amount of identity fraud in this state is bonkers.

1

PNW_Explorer_16 t1_j562m94 wrote

Right. On one hand it’s shocking, on the other, the ineptitude isn’t a surprise at all.

I know we can do better, it just takes that initiative, which I don’t have much faith in.

0

SoftwarePatient5050 t1_j57fd2b wrote

What should come of this?

0

PNW_Explorer_16 t1_j57i82j wrote

Based on your username, I get the sense you understand PII and possibly GDPR rules. So you know at a corporate level how serious these things can get.

As with anything, there are loopholes, which I understand. However, a “whoops, trust our guy it was handled in two hours” is negligent.

What I’d like to see is a security audit within Pierce County (digital and physical). How records are stored, kept, shared, etc. Next, an audit on personnel security levels, and a chain of command for releasing records.

In the event of a breach, what’s the protocol, and how does the county plan to mitigate risk, while protecting its people. An “oh it’s totally cool” piece of mail isn’t on par with standards of where we should be.

Next, what entity requested our data? If it was a company, they should be listed, and we should have communication options to address directly with them. If this was a personal (non-entity) request, that person should have a representative from Pierce County tagged so we can understand the intent on which this person requested our data.

Lastly comes the monetary side. While no one may be victim to identity theft, which may lead to erroneous monetary charges, there should be a plan in place to address this should it occur. Pierce had an obligation to help its citizens. Listing the three credit agencies doesn’t suffice.

Lastly, let’s say that someone, or a group, is targeted (harassment, violence, etc). This again falls into malicious intent, but dives into more murky waters.

I don’t have the answers. This is just what comes to mind. I’m not a “let’s sue and get everything we can” kinda person. I’m more of a “hey, let’s be a leading example for privacy of our citizens’ data, and also a leader in mitigating risk to its citizens” kinda guy.

7

Yuvneas t1_j5ayuqu wrote

Honestly, if it was an individual, their identity should be released as well. People have a right to know who has their personal information.

1