Colorado State Website Reveals Social Security Numbers of Top U.S. Executives

Documents accessible from the website contain the names, Social Security numbers, dates of birth and home addresses of top officers at well-known U.S. companies.

The Website of the Colorado Secretary of State is making available the Social Security numbers and other personal data of numerous CEOs, company chairmen, presidents, board members and other senior executives at some of the country's largest companies, a privacy advocate said.

MORE ON CIO.com

How to Minimize the Impact of a Data Breach

My Company Has Had a Data Breach. What Do I Do?

Data Breach Target: Your Company

The documents containing the information were discovered by Betty "BJ" Ostergren a privacy advocate based in Hanover County, Va. For the past several years, Ostergren has been trying to get state and local governments to redact public documents before posting them online.

A spokesman for the Secretary of State's office said the agency is working on the issue and taking steps "to protect sensitive personal information."

Speaking with Computerworld, Ostergren claimed that she has discovered hundreds of documents containing the Social Security numbers of senior executives at dozens of companies, including some large companies with instantly recognizable brand names.

The numbers are contained in images of corporate documents filed with the state of Colorado and include documents with titles such as periodic reports, amendments and name change filings.

At Ostergren's direction, Computerworld was able to easily access two such documents simply by going to the Secretary of State Mike Coffman's Web site and entering specific terms in the fields provided on the search page.

One of the documents contained the names, Social Security numbers, dates of birth and home addresses of 93 top officers at a financial corporation being acquired by another large financial institution.

The other document contained similar information on 14 top executives at a Fortune 100 company, including those of its chairman and CEO, the chief financial officer, vice president and controller and general counsel. One of the men in the list has been listed in the past by Forbes magazine as among the richest in America.

Both of the documents viewed by Computerworld were filed in the early to mid-90s. Searches for similar documents using commonly known company names turned up numerous results. Some of the documents on the site dated back to the mid-80s while a few appear to have been filed in the early to mid-2000s. Computerworld , however, wasn't able to independently uncover any documents containing Social Security numbers on its own.

According to Ostergren, not all of the corporate filings contain Social Security numbers, although she said she has downloaded numerous documents containing the numbers so far. She estimated there are thousands more on the site.

"These are corporate filings. The people who filed them have no clue that their SSN is sitting on a Web site open to the entire world," Ostergren said. Many of the records containing SSNs appear to be those filed by companies that are incorporated outside of Colorado, she said.

Ostergren, who highlights such cases on her The Virginia Watchdog Web site, said the Colorado Secretary of State's Web site previously posted Uniform Commercial Code (UCC) documents containing Social Security numbers on its Web site. UCC documents are financial statements filed with the state by banks and other creditors when an individual takes out certain types of loans. But those documents appear to be no longer available online on the Secretary of State site, she said.

Richard Coolidge, a spokesman for Coffman's office, confirmed in an e-mail that the secretary of State has suspended access to the images in the state's secured transactions Web page, which contains UCC documents. The action was taken Sept. 16 while the state evaluates "what additional measures we can take to protect sensitive personal information," Coolidge wrote.

"We're also testing and developing new software to identify these numbers," in other documents, he added. Any time such numbers are discovered in a document or someone notifies the office about them, "they are redacted immediately," he said.

The issue of state and local government Web sites posting unredacted images of public records online has received wide attention. Privacy advocates have warned for sometime that millions of documents containing Social Security numbers are easily available to anyone with an Internet connection, including identity thieves.

Less than two weeks ago, an appeals court in Ohio ruled that a woman whose identity was stolen after an image of a speeding ticket containing her personal information was posted on her county's Web site can sue the official responsible for putting the record online.

In September, the Iowa County Recorders Association said it would disable online access to mortgage documents and personal financing statements on a statewide land-records Web site after concerns were raised about the possible compromise of Social Security numbers that are included in some of the documents.

This story, "Colorado State Website Reveals Social Security Numbers of Top U.S. Executives" was originally published by Computerworld.

Related:

Copyright © 2008 IDG Communications, Inc.

7 secrets of successful remote IT teams