Your Identity Could Depend on a Punctuation Mark

In a case that is almost too mindboggling to be true, the Department of Veterans Affairs sent an email to a citizen in Wisconsin last April that contained the names and complete identifying information (including Social Security numbers) for hundreds of veterans within the state.

The spreadsheet with the information was unsolicited, and was immediately reported. How did such an important document as that list make it past the government’s security filters? A punctuation error.

Currently, the VA’s software blocks outgoing emails that contain SSNs that have been separated by a dash, as in “123-45-6789.” In order to send this information to someone across the VA’s email servers, a password is required. But in the case of the unsolicited file that was sent to a Wisconsin man, the SSNs were written as “123456789,” since the file number for veterans who’ve served from the Vietnam War forward is an SSN that doesn’t contain the dashes. No dashes means no software security protection, and therefore the file was emailed out across the server.

A news channel in the state began its own investigation, and started by “asking six people located around the state of Wisconsin with VA.gov email addresses to send emails from that account to their personal or work email addresses including the words ‘Social Security Number’ and a ‘123456789’ sequence…When it was sent without dashes, each time, the email went through unabated. When the dashes were included, the sender received a ‘Message Blocked’ message from the VA.gov server that included a directive to either ‘remove the SSN or encrypt the email’ if they wanted it to go through. “

The incident was first reported on in April 2015, and state and federal officials moved quickly to demand answers from the VA. At that time, a November 11th deadline was given for the administration to provide answers, and several stakeholders are still awaiting answers.

Wisconsin senator Tammy Baldwin is one such stakeholder, and she’s taking the issue further by introducing legislation in Congress that will put a stop to the use of Social Security numbers as identification numbers for veterans. Baldwin and her co-sponsors on both the legislation and a letter to the VA’s Inspector General are concerned that this issue isn’t limited to Wisconsin, as the VA initially indicated, but that it has the potential to affect the 22 million veterans currently living around the country.

Anyone can be a victim of identity theft, anyone can use our services and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

 

ITRC Sponsors and Supporters 

 

 

 

 

Go to top

 

The TMI Weekly

Breaches here, identity theft there and invasions of privacy everywhere... Should you be worried and, if so, how can you protect yourself? Sign up now to receive The TMI Weekly and get the latest hot topics in identity theft, data breaches and privacy and helpful information on how to protect your information.