Census Bureau exposes personal data on public Web site

The Census Bureau this week announced that it accidentally posted personal information concerning 302 American households on a Web site where it was publicly accessible intermittently for about five months.

Bureau Director Charles Louis Kincannon said in a statement that as soon as agency officials learned of the improper posting, they shut the site down and started an investigation. The information did not include Social Security numbers, and bureau officials have no evidence that it was misused.

"A breach of this kind is unacceptable, and we are committed to providing the highest level of public service," Kincannon said. "We are strengthening our internal procedures to further safeguard our data to prevent a recurrence."

Officials discovered the file on Feb. 15. It had been uploaded onto one of the Census Bureau's externally accessible servers, and contained names, addresses, phone numbers, birthdates, family income ranges and other demographic data for the 302 households. This information was mixed in with 250 fictitious test records.

The information was posted multiple times between October and February to test new software applications. This site is typically used to make large public-use files available.

The bureau said the public nature of the information and the mingling of actual data and test records make it unlikely it would have been useful to the casual user or someone with malicious intent. The bureau is in the process of notifying those affected and offering assistance with credit monitoring.

Census law prohibits the disclosure of sensitive data, and the bureau has strict policies protecting it. These prohibit the uploading of data to a nonsecure Web site, bureau officials said. The employees who posted the information also failed to follow a required review process to avoid placing confidential information on the agency's Web site, the bureau stated.

"Appropriate administrative action" has been taken against those employees, pending the results of the investigation, Census officials said.

The matter has also been referred to the inspector general for the Commerce Department, of which the Census Bureau is a part.

Over the past 10 months, federal agencies have reported dozens of incidents of exposing sensitive personal information -- such as Social Security numbers and dates of birth -- on millions of people.

In September 2006, Commerce released data showing the Census Bureau reported 672 missing laptops over the last five years, of which 246 contained some degree of personal data. The agency employs a large number of temporary workers to conduct field work.

Census employees will receive additional training on the proper handling of survey responses and telework policies.

Despite Census' recent problems, the Ponemon Institute, a group that advocates responsible information and privacy management practices in business and government, named the bureau as one of the top agencies in terms of protecting privacy in a report released last month.