The U.S. Bureau of the Census has admitted to posting the personal information of 302 households on a public Web site over a six-month period between 2006 and 2007.
The posted information included names, dates of birth, addresses, and income levels, but not Social Security numbers, according to Ruth Cymber of the Bureau's Public Information Office.
According to Cymber, employees of the bureau had been using fake data to test a new software system while working at home. However, genuine data on families which had been compiled from the Bureau's Current Population Survey had been mixed in with the false data, leading to the breach.
Households from nine states and the District of Columbia were affected. According to Cymber, the employees conducting the testing did not follow proper policies for posting information or conducting work from home.
"Once the improper posting was discovered, the file was immediately removed," Cymber said in a statement. "The generally public nature of the information, and the commingling of data and test records indicated that it is unlikely the downloaded information would be useful to the casual user or someone with malicious intent. The Census Bureau is notifying the respondents and offering credit-monitoring assistance."
In addition, the employees involved will be facing "appropriate administrative action," and the incident was reported to the Bureau's Office of the Inspector General.
The Census Bureau had previously disclosed that its employees had "lost or misplaced" 672 laptop computers between 2001 and 2006. 241 of those laptops contained personally-identifying information. The Commerce Department, which oversees the Census Bureau, "lost" 1,137 laptops in the previous five years.
Identity Theft On The Rise
Despite Cymber's statement, personal information of any kind can be of great use to identity thieves. Hackers and criminal groups are increasingly engaging in "synthetic identity theft," where pieces of data from different people are mixed together to create new fraudulent identities, which are much harder to detect.
Companies and agencies involved in data breaches tend to minimize the risks of identity theft involved, if there is no immediate indication the breached information is stolen or used for fraud. However, any information that is purloined in a data breach can be traded and resold by identity thieves for months before actually being used.
A new study released by the Gartner research firm found that 15 million Americans fell victim to some form of identity theft in a twelve-month period between mid-2005 and mid-2006, an increase of 9.9 million from a Federal Trade Commission (FTC) study in 2003.
Average losses from ID theft in that period totaled $3,257 per victim, and the percentage of victims who were able to recover their money fully dropped from 87 percent in 2005 to 61 percent in 2006.
Gartner vice president and research analyst Avivah Litan, who conducted the study, said that hackers and thieves were getting smarter and taking advantage of a wider variety of scams to get personal information.
"Often consumers have no idea how criminals hijack their accounts and/or identities," Litan said. "They also typically have no clue if one or more of their personal attributes, such as their social security number, is used to piece together a new fictitious identity [for] synthetic identity fraud."
The Gartner study contradicts findings from another research firm, Javelin Strategy & Research, which found losses from identity theft and fraud on the decline, supposedly because of better security measures by business and more awareness of the problem among individuals.
