Submitted by GunHead416 t3_10gzn2e in Washington
Comments
Shaggy_One t1_j583nud wrote
Probably just unencrypted raw text files on the desktop in a folder labeled "Everyone's private information do not steal"
PNW_Explorer_16 t1_j55no5q wrote
You too, huh?
What exactly is going to come of this?
RManDelorean t1_j55oqtu wrote
Nothing it's fine. They asked nicely so I'm sure they deleted it. /s But hopefully it was just an innocent mistake, lol I can see some hacker out there like "..wait, we could've just asked??"
PNW_Explorer_16 t1_j562u4z wrote
Right! “Hey. You broke a federal law”. “Hacker”: oh. Whoops here you guys go. Sorry about that. I’ll just ask next time. Wanna go grab a coffee?
blaaguuu t1_j55z79q wrote
While this is a pretty shitty situation - I feel like you have to give out your last 4 to so many institutions, and there is no way to validate that any of them have decent security practices, so I generally assume that the 'last 4' might as well be treated as public info, already...
JustARandomBloke t1_j560r41 wrote
The problem being if you know the last four and their birthday and where they were born you can recreate their full ssn.
flipfreakingheck t1_j571ea7 wrote
Wait, really?
JustARandomBloke t1_j572k5u wrote
The first 3 numbers are tied to specific geographic areas. The middle two are based on when you were born. The last 4 are a unique number.
adamr_ t1_j573mze wrote
This used to be true, and so still is for all eligible voters, but since 2011 SSNs have been generated randomly.
WhiteWashTXP t1_j583xh2 wrote
I wonder why I have a NY ssn when I was born in WA, I'm 23 lol.
[deleted] t1_j57hvfb wrote
[deleted]
Bigbluebananas t1_j5744ep wrote
So theoretically you can get their social by finding their place of birth and date- after you get the special 4 digits?
JustARandomBloke t1_j574hpl wrote
Yes, though another poster said this is only true for those born before 2011.
Bigbluebananas t1_j576zmg wrote
Man... that's friggin bonkers to me
renownbrewer t1_j58eafh wrote
You used to be able to guess Wa. driver's license numbers with key information and there was even an embedded checksum.
script372 t1_j587ejx wrote
Not necessarily where they were born but where they applied… and it wasn’t until 1987 that people were assigned an SS # at birth.
GunHead416 OP t1_j55of51 wrote
Hopefully nothing but I'm kinda shocked this was all it took for the government to fuck up.
Shocked....well, not that shocked.
Ben_A t1_j55v065 wrote
Worked at dominos as a delivery driver. For some reason my manager sent my full name, address, social security number, and license number to someone I delivered to. I do not know why. He’s just dumb.
rosesandpiglets t1_j569719 wrote
I’m usually not a very litigious person, but you might want to talk to a lawyer. Breaking federal law and saying “oh whoops” “we fixed it and totally trust this dude” doesn’t cut it IMO. They need to provide legal documentation that they did what they said at the bare minimum.
[deleted] t1_j58otp7 wrote
[deleted]
PNW_Explorer_16 t1_j56svm9 wrote
Agreed. Were you part of it as well? Sounds like a lot were, and I don’t mind getting the ball rolling.
rosesandpiglets t1_j56viua wrote
I was not, fortunately. I hope the victims take action though, this is completely unacceptable and I don’t trust the “cooperation” of a third party one bit
SoftwarePatient5050 t1_j57epdh wrote
Which federal law was broken?
[deleted] t1_j57gbsy wrote
[deleted]
SoftwarePatient5050 t1_j581tae wrote
That does not appear to apply here:
>Binds only federal agencies and covers only records under the control of federal agencies (and, by contract, also applies to contractor personnel and systems used by a federal agency to maintain the records).
rosesandpiglets t1_j57ihm7 wrote
SoftwarePatient5050 t1_j580j9v wrote
Did you just find a random law to cite or something? What in the world do you think antitrust laws have to do with election information?
SirDouglasMouf t1_j576jeq wrote
I'm guessing you don't know about how god awful WA state unemployment fraud was/is/has become. The amount of identity fraud in this state is bonkers.
PNW_Explorer_16 t1_j562m94 wrote
Right. On one hand it’s shocking, on the other, the ineptitude isn’t a surprise at all.
I know we can do better, it just takes that initiative, which I don’t have much faith in.
SoftwarePatient5050 t1_j57fd2b wrote
What should come of this?
PNW_Explorer_16 t1_j57i82j wrote
Based on your username, I get the sense you understand PII and possibly GDPR rules. So you know at a corporate level how serious these things can get.
As with anything, there are loopholes, which I understand. However, a “whoops, trust our guy it was handled in two hours” is negligent.
What I’d like to see is a security audit within Pierce County (digital and physical). How records are stored, kept, shared, etc. Next, an audit on personnel security levels, and a chain of command for releasing records.
In the event of a breach, what’s the protocol, and how does the county plan to mitigate risk, while protecting its people. An “oh it’s totally cool” piece of mail isn’t on par with standards of where we should be.
Next, what entity requested our data? If it was a company, they should be listed, and we should have communication options to address directly with them. If this was a personal (non-entity) request, that person should have a representative from Pierce County tagged so we can understand the intent on which this person requested our data.
Lastly, comes the monetary side. While no one may be victim to identity theft, which may lead to erroneous monetary charges, there should be a plan in place to address this should it occur. Pierce had an obligation to help its citizens. Listing the three credit agencies doesn’t suffice.
Lastly, let’s say that someone, or a group, is targeted (harassment, violence, etc). This again falls into malicious intent, but dives into more murky waters.
I don’t have the answers. This is just what comes to mind. I’m not a “let’s sue and get everything we can” kinda person. I’m more of a “hey, let’s be a leading example for privacy of our citizens' data, and also a leader in mitigating risk to its citizens” kinda guy.
Cuidado_roboto t1_j55wkwp wrote
Ok, but requests for voter registration info is sus, is it not? What’s their motivation and who has the time for that?
TVDinner360 t1_j564swe wrote
It’s hella common. Political parties and candidates do it routinely. It’s how they decide how to market candidates to you. For example, if they see you only vote in presidential elections, they might not bother to market to you as heavily as someone who votes in every election. But if you vote in every election, you will get ALL THE FLYERS until you turn in your ballot. Yes, they track that, too. Flyers are pricey.
Cuidado_roboto t1_j57e7hx wrote
That makes total sense! Thank you for your explanation
Macemore t1_j56rld7 wrote
What's even scarier is how easy it is to get someone's SSN just by knowing some details about them, they didn't randomize SSNs until around 2008. So you're saying they have the last four (the only random part) and all the information necessary to get the other 7 digits? Hmmm
MJBrune t1_j57d3a9 wrote
other 7? My SSN is only 9 digits long...
Macemore t1_j57fa25 wrote
Yeah I counted wrong, I even remember thinking "7 has to be wrong" but I posted it anyway. I think we all understand the gist of what I was saying, the first 5 digits are based off locations of birth and certificate registration, the last 4 are sequential (basically random from guessing perspective). It's actually scary how little security there is with SSNs especially knowing the potential damage.
MJBrune t1_j57hfjj wrote
it's because SSNs were simply supposed to be ID tax numbers that you could give to anyone. Someone knowing your tax number wasn't meant to confirm your identity. It was just supposed to track how much you put into Social Security. The IRS tried to prevent people from using it as an ID security measure but eventually just gave up.
It's like how business EIN operates. It's literally just a number to track the taxes that the business is responsible for. In some cases it even replaces the business owner's SSN on some forms.
Macemore t1_j57hzy1 wrote
Wow that makes a lot of sense, thank you! It's sad that the IRS tried and they failed. I've wondered why it was so cavalier to give my EIN out, I figured it must not mean as much as the SSN and now I know why!
AdUnfair1643 t1_j55sc2r wrote
I have seen absolutely nothing but absolute incompetence from local government and businesses since we’ve moved here. I wasn’t surprised when I received my letter.
MJBrune t1_j57dh66 wrote
The question is, why are voters' addresses and birthdays public information?
renownbrewer t1_j58fi6j wrote
Transparency and political parties really like a good database dump too. Unfortunately it's pretty tough for people from dysfunctional families who aren't terrible enough to qualify them for Washington's address confidentiality program. I didn't register to vote for years until I moved out of state because I didn't want shitty family on my doorstep.
MJBrune t1_j58fttv wrote
>Transparency and political parties really like a good database dump too.
Not a good enough reason IMHO. I hate how the government bends over backwards for politicians.
pala4833 t1_j55tx6m wrote
"an whoopsie"?
Studious_Noodle t1_j56jfsu wrote
That threw me too.
Bigseth0416 t1_j57gkrh wrote
This is actually a pretty common scam for government and why some sectors charge a large fee per page of information. One might for example use the Freedom of Information Act to obtain documents/emails from the purchasing department of whatever government entity and hope someone does not notice a credit card number or other sensitive information that was not redacted.
herbnoh t1_j56shgq wrote
Didn’t divulge personal info of “Requester” though, why not just all get on the same page, what’s that auditor’s SSN, I pay their salary anyway, just tell me who’s asking about me.
TheTarquin t1_j57dlrx wrote
Just a little oopsie-doodle privacy breach.
KittenKoder t1_j583u1g wrote
This is what happens when you don't hire computer literate people to operate computers. I bet the clerk is not paid enough to do this job too.
Don't cheap out on your IT, it's a stupid mistake that many organizations and businesses have been doing lately and all this shit will y2k if it continues.
Zer0sober t1_j58dvov wrote
I got the same notice... funny how so many people were included in something that was not "widespread".... smfh
Macemore t1_j56rd91 wrote
Same here. Must have been a lot bigger than they're reporting. I'm wondering if there's any legal action we can take, how can we verify it was only the last four? What caused this and how is it not going to happen again? I have LifeLock from UW because they lost a hard drive that could have had my information on it. Why isn't Pierce doing something similar for the individuals affected by this?
0112358g t1_j58h4qx wrote
I GOT THAT IN THE MAIL YESTERDAY MORNING; I’m pissed af
lumbersom t1_j58ner5 wrote
As if just deleting from their computer is simply enough to ensure recovery safety.
Sure-Survey9192 t1_j59m9xl wrote
Never registering for voters card ever again no matter where I live, this is ridiculous.
GlobalCodec t1_j5aqyc5 wrote
Probably should have run the release past legal before releasing :')
Gigglenator t1_j5chzyp wrote
Everyone in my house got this letter. They fucked up big time.
hham42 t1_j5fcduv wrote
Ok guys, they didn’t “ask nicely”- the person the information was sent to allowed the Pierce County IT group to go onto their laptop, into their email and fully delete the file and any trace of it. Your information is safer than any of the six or so notices you’ve gotten from other data breaches. (That number is an assumption based on my experiences, it seems like every six months I’m notified of a data breach and they just offer me credit monitoring for another year.)
discodawg02 t1_j58bfob wrote
I got the same letter. Should I do anything?
[deleted] t1_j56n5uw wrote
[deleted]
herbnoh t1_j56rr4h wrote
Happy Cake 🍰!
CWcooper2 t1_j56rcve wrote
And this is why I don’t give out my personal information to local or federal government
GunHead416 OP t1_j56zyxs wrote
My guy I got some bad news
[deleted] t1_j57ad7t wrote
[removed]
MJBrune t1_j57dc4g wrote
your personal information, like the government-issued social security number. You don't think the organization that gave you that SSN doesn't have it already?
CWcooper2 t1_j57dtj4 wrote
I know SSN is already known by the government (duh) but my point is I don’t give out my name, address, phone number etc. for this reason
MJBrune t1_j57giij wrote
The government already knows your name (you legally have to provide one at birth.) They also know your address because you provide one if you own the house, if you don't there are numerous systems that require you to provide a mailing address, and Washington state IDs require one. They also already know your phone number if it's a landline or can get it from the mobile company at the drop of a hat if it's a cell phone.
So really of the things you mentioned. The phone number is maybe the only thing that the government doesn't have direct access to. Maybe they don't have your address if you've avoided filling out government forms like taxes but likely you are just breaking the law at that point.
fordry t1_j55rdgt wrote
In other words, their system for managing that data is not properly set up to ensure security of private data...