Investigation finds some Md. agencies putting social security numbers at risk
(WBFF) -- Some Maryland agencies are not fully protecting social security numbers. Auditors say they aren’t using a security tool to guard against hackers, if they break into agency computer networks.
Since the start of 2016, FOX45 looked through audits released by Maryland’s Office of Legislative Audits. Auditors found seven agencies did not encrypt personally identifiable information (P-I-I), amounting to over 7 million unencrypted social security numbers. The U.S. Census Bureau says Maryland’s population is about 6 million.
“The volume of social security numbers is significant,” says Robert Olsen of COMPASS Cyber Security, that helps business and government protect sensitive data, “there’s really kind of no excuse in today’s technology world to not have sensitive data encrypted.”
Auditors say how agencies protect sensitive information has been a top priority for them, since the advent of electronic records a few years ago.
“They’ll [state agencies] collect social security numbers as an example, and maybe have no reason to have social security numbers. So they even forget they have that because they don’t actually use that particular piece of information,” Deputy Legislative Auditor Gregory Hook says.
The seven state agencies found not to encrypt social security numbers in 2016 audits include:
- Office of the State Treasurer
- Judiciary, Judicial Information Systems
- Maryland Longitudinal Data System Center
- St. Mary’s College of Maryland
- Department of Public Safety and Correctional Services Information Technology and Communications Division
- Maryland State Department of Education
- University System of Maryland Frostburg State University
The above agencies say they are now encrypting, or are in the process of encrypting their P-I-I. The Department of Education no longer collects student social security numbers.
The Maryland Department of Information Technology says no data breaches of state agencies occurred in 2016 so far.
When a breach does happen, the cost to the state can be millions of dollars, such as the stealing of 280,000 social security numbers from University of Maryland College Park in 2014.
Auditors say that cost to taxpayers’, and the damage to an agency’s reputation if data is stolen from it, makes the encryption of social security numbers a top priority.