Two data breaches on HUD’s website resulted in the personally-identifiable information of thousands of individuals temporarily being displayed publicly in August and September, according to HUD.
The leaks came to light two months after the second breach happened, after a HUD client received a letter dated November 5, 2016, from HUD’s Senior Agency Official for Privacy, Helen Goff Foster, notifying her of the breach, according to Forbes. The client subsequently shared the letter with the news media. According to HUD, the number of individuals affected was 479,555. In an email to MReport, HUD attributed the data breaches to human error and not hacking.
"As a result of the breaches, we had extensive retraining of our teams that post information to the web site and we’ve reviewed our systems in each program area to ensure we don’t repeat the same errors," said Jereon Brown, General Deputy Assistant Secretary with HUD. "Additionally, we’ve added new monitoring techniques to the material that is posted and captured."
The last names and partial social security numbers of public housing residents were exposed on the site. Foster’s letter states that as for others, “information relating to some people who worked for employers that sought HUD/Empowerment Zone-related tax credits, including name, address, and full or partial social security numbers, was also disclosed.”
Foster did not state how long the personal information was available on HUD's site, but she did say that “As soon as HUD learned of these incidents, all further access to it was stopped and HUD took steps to prevent future incidents.”
Foster’s letter states that HUD is unaware if any unauthorized third parties “accessed or used during the time it was available,” according to Forbes. HUD is offering a year of free credit monitoring from TransUnion to victims of the data breach for their protection; the deadline to sign up to receive the TransUnion service at no cost is March 31, 2017.
“HUD is committed to protecting the personal information with which we are entrusted,” Foster wrote in her letter. “We are continuing to take steps to proactively identify and address security risks to our systems and information. On behalf of the Department, I sincerely apologize for any inconvenience this incident may cause you. ”
The announcement of the data breach on HUD’s website came only one week after the CFPB announced it is seeking information from stakeholders on consumer access to personal financial records, including how much choice consumers have in the use of the records, the security of those records when they are being shared, and how much control consumers have over those records.
Cybersecurity has become an increasingly pressing issue in all industries that store personal information, particularly after a cyber-attack in 2014 against JPMorgan Chase that compromised some 83 million accounts.
Click here to read a copy of Foster's letter.