County Mistakenly Posts Personal Taxpayer Info Online

http://www.wral.com/news/10407868/detail.html

SMITHFIELD, N.C. -- Johnston County officials recently posted personal information for thousands of residents, including Social Security numbers, on the county Web site by mistake.

A resident discovered the information by searching his own address on the Google search engine. In addition to seeing his own Social Security number online, the man, who wanted to remain anonymous, said he found another man's name, address, Social Security number and information that he was retired.

When the man clicked on a link, he said it took him to the Johnston County Web site, where tax office files contained thousands of other names and identifying information.

"That contains more information that folks would want out there -- cell phone numbers, in some cases I think, Social Security numbers," County Manager Rick Hester said, adding that the information was taken off the county Web site within an hour of officials learning about it.

County technology officials said the names are part of an annual list the tax office puts together for financial institutions. The personal information ended up in the file by mistake and might have been online for five or six weeks, officials said.

Hester said there was something peculiar about the man's address that pulled the information through Google.

"I still think it was only accessible by certain ways and certain information people put in there," he said. "I'm so glad it was brought to our attention because when we have problems like that its our responsibility to get to the bottom of it."

No one has reported identity theft resulting from the mistake, and county officials said they hope that means they caught the problem early enough. But Hester encouraged people to check their crdit reports in the near future.

Although North Carolina recently enacted a wide-ranging identity theft protection act requiring state agencies to report security breaches that could put people at risk, Johnston County isn't required by law to notify the people whose personal information ended up in the public domain.

 

I wonder why they aren't required to notify the people affected?

 

Yeah.. what makes them better than the federal government? When that government laptop was stolen (last year?) with all the database information for inactive military personnel, all those people were notified, my DH got a letter informing him that his info may have been made public and what steps he should take to protect his credit, etc.

 

It's not a bad idea to Google your own name from time to time to see what comes up about you online. Try your full name with quotes, as well as without.

Ex: Billy Joe Smith AND "Billy Joe Smith"

 

You should email the county commissioners, and ask them what they are going to do to protect our identities and credit. The county should take responsibility for it's actions.

 

double amen to that!!!

 

Google Ordered To Remove Personal Info Posted Online

POSTED: 4:49 pm EST November 29, 2006
UPDATED: 10:13 pm EST November 29, 2006

SMITHFIELD, N.C. -- A judge on Wednesday ordered Google.com to remove remnants of personal information on Johnston County residents that still show up on its search engine.

Johnston County officials mistakenly posted a file with thousands of names, addresses, Social Security numbers and cell phone numbers on the county Web site. Officials said the information might have been online for as much as six weeks before it was removed.

A county resident found the information when he searched his address on Google. Within an hour of him informing county officials about it, the information was pulled off the county Web site, officials said.

But getting the information removed from Google took a court order.

"They were telling us it was going to be five business days before they could remove it. We wanted it removed as soon as possible," Johnston County Manager Rick Hester said.

Still, removing the information from the Internet doesn't mean county residents can rest easy.

"You can't guarantee that somebody who got the information before you took it offline hasn't made copies and distributed those copies to other people," said Douglas Reeves, a professor of computer science at North Carolina State University. "It's very impractical for Google to police the appearance of that information in other places."

County officials haven't determined how the personal information ended up online, but Hester said the county has made security changes to prevent it from happening again.

"I want to apologize to the people of Johnston County for this situation. It has been embarrassing, but we are committed to doing the right thing," he said.

Officials are trying to determine how many people are affected and are working to determine how many times the information was accessed.

The state Attorney General's office said Johnston County is required by law to notify anyone whose identity might have been at risk. Hester said officials plan to send out thousands of letters to local taxpayers.

"(We want) to let folks know that they need to monitor their credit reports just in case," he said.

 

Got my letter today. They are recommending placing a fraud alert with the credit bureaus. "A fraud alert tells creditors to contact you before they open any new accounts or change you existing accounts."

I've previously heard putting a fraud alert on your accounts makes it difficult for you...having then to prove who you are sometimes with multiple forms of ID. Has anyone ever placed such an alert and had any difficulty?

 

WHY ARENT THEY REQUIRED TO PROVIDE IDENTITY THEFT PROTECTION? :shock:

 

A quick web search found

"What is a Fraud Alert?
A fraud alert is something that the major credit bureaus attach to your credit report. When you, or someone else, tries to open up a credit account by getting a new credit card, car loan, cell phone, etc., the lender should contact you by phone to verify that you really want to open a new account. If you aren't reachable by phone, the credit account shouldn't be opened.

A creditor isn't required by law to contact you, however, even if you have fraud alert in place."


SO ... who is to say they won't give a bogus # and call the thief to verify that they are me? AND ... if creditor's are not even required to check for a fraud alert ... why bother?

 

What good is a fraud alert then?

 

What a PITA!

 

I called Equifax today and put the 90 day fraud alert in place. It was quick and easy to do. They are sending more info by mail in 7-10 days including info on the free credit check I will get because I placed the fraud alert. If you have already had your free one this year, you can get another by placing the fraud alert I believe.

They are also offering a more intense fraud alert service (of course) for $65 that steps up the alert level. I called JC Tax Office today to determine how I can get them to pay for the increased level of security since they distributed my personal info all over the internet. I have not yet received a call back. Should be an interesting conversation when it does take place and I will post results.

 

frug have you heard anything back yet, I got my letter yesterday and called this morning and added the fraud alert...

 

Thanks, Frugal!

 

The tax office is refusing to pay for the extra $65 coverage that Equifax is offering.

I am expecting a call from Pat Goddard (supervisor in the office) this morning to discuss how this info was leaked. A JC employee told me 2 days ago that it was a vendor who leaked the info from certain mortgage companies and that name, address and SS# were put out on the web. My mother was told by Terry Keel in the tax office that it was not a vendor and that they don't have that info. The stories are not straight and I am hoping to have names and numbers today.

Has eveyone put their fraud alert in place? If you do, you will get a free credit check as well. Once per year, anyone can get a free credit check from www.annualcreditreport.com .

I am calling my bank today to alert them as well and put in place any precautionary measures I can.

 

That doesn't surprise me in the least.

 

I did receive a call from Pat Goddard with the JC Tax Office this morning , as promised. She was very friendly, apologetic and professional. I did not feel at any time like I was getting the run around and she had answers for all my questions.

This is what Pat told me when I asked exactly how this breach occured:

The fault lies with both JC and the software vendor Bi-Tec, out of Charlotte. Apparently (keep in mind I am not a technie) a JC employee typed in a command with a file name which contained our names, addys and ss#'s. The parameter file set by Bi-tec was supposed to exclude ss#'s before being posted to the JC website. The parameter was not in place the the ss#'s were included. The JC employee who posted the info did not check the file content before downloading to the JC website. She did not know why the parameters did not filter out the ss#'s.

She then told me that google has software that crawls the web looking for info that meets certain algorythm requirements and then indexes them. The info was then accessible on google and they removed it per court order.

The Bi-tec name she offered when I requested a Bi-tec contact was Perry Brown.

I am still going to put an alert on my banking info and continue the 90 day fraud alerts for many more months. I will also continue to check my credit every quarter as an added safety measure.

 

We did our fraud alert yesterday too...felt the same thing, that JC should pay for the extra monitoring fee. But oh well....

You said you were contacting your banks....won't the fraud alert handle that too? If someone tries to extend your credit from the bank that is.

 

Just an FYI once you place the fraud alert you can not get your credit report online. Also I was told by someone else that about 800 people have found problems on their reports. Not sure how true this is just what I was told..