DOGE might be storing every American's SSN on an insecure cloud server
theverge.com
For people who don't read TFA:
> In addition to SSNs, the database reportedly includes Americans’ place and date of birth, work permit status, and parents’ names
This is quite a bit more information than just a number.
The actual report text identifies the uploaded database as "NUMIDENT".
A quick shufti turned up https://aad.archives.gov/aad/series-description.jsp?s=5057 which states that "NUMIDENT" includes things like "mother's maiden name". Other sources imply that the signatures from SSN application forms (form SS-5) are stored here.
Normal methods of access to this database seem to include "NOVU" (https://catalog.data.gov/dataset/numident-online-verificatio...).
Actual article: https://www.hsgac.senate.gov/media/dems/peters-report-finds-...
Which was submitted directly and flagged: https://news.ycombinator.com/item?id=45377439
That 65% figure in the press release has an interesting origin. It seemed oddly specific to me, so I had a look.
In the actual report main text, it says that the risk is between 35% and 65%, but does not explain the calculation, if any, that results in those numbers.
It's not until one reaches Appendix A that one finds that this really means that it has been assigned a value of 3 on a scale of 1 to 5, meaning "medium risk", and the value 3 is arbitrarily assigned that percentage range, originating with the U.S.A. FDA's Office of Information Security, where "low risk" (2) is similarly 10% to 35% and "very low risk" (1) is less than 10%.
I assume everybody's SSN has been leaked at one time or another by now.
Which means we no longer need to store and handle them securely, right? Can I have yours?
You can probably look it up online if you really want to, since it was already leaked.
Mine was leaked several times. At least once by the government itself. See https://iapp.org/news/a/21-5-million-breached-in-second-opm-... for example.
SSNs were never meant to be secret. It's an ID not a password. You can thank banks and credit card companies for treating them like a verification system.
I have stored every American's SSN in a text file, you can too!
    seq -w 0 999999999 |
      sed -E 's/^([0-9]{3})([0-9]{2})([0-9]{4})$/\1 \2 \3/' |
      awk '{
        area=$1+0; group=$2; serial=$3
        if (area==0 || area==666 || area>=900) next
        if (group=="00" || serial=="0000") next
        printf "%03d-%02s-%04s\n", area, group, serial
      }'
What is the point of this kind of reply? To try to diminish the impression of the severity? To distract? To just make reading the contents slightly worse for everyone?
It's so clearly not the point of the db in the article that there is no chance anyone reads this and thinks it is the same thing the article is referencing. Is this just really low quality trolling?
I'm sure they are talking about a database that only contains the numbers and no other identifying information directly linked to those numbers.