IRS, nonprofits unwittingly leak 630K Social Security numbers
They didn’t mean to do it.
Not the scholarship funds, alumni associations or garden clubs.
Not the nonprofit hospitals, union groups or corporate foundation arms.
Yet more than 130,000 tax-exempt organizations unwittingly leaked hundreds of thousands of Social Security numbers belonging to unsuspecting board members, donors, employees and college students.
“Our concern is really making sure that it doesn’t happen again,” said a Pennsylvania nonprofit spokeswoman, stunned to learn from the Tribune-Review that her organization was one of them.
No hacking required
Identity thieves don’t need hacking skills or sophisticated scheming to steal from this body of sensitive information: More than 630,000 Social Security numbers — including tens of thousands of numbers of Pennsylvanians — have become public record inadvertently on tax-exempt Form 990 filings with the Internal Revenue Service since 2001, according to independent audits and documents the Trib obtained. Names and addresses also appear. Armed with such data, identity thieves can apply for credit, file fraudulent tax returns and more.
“I was surprised myself that it is as big a problem as it seems to be,” said Betsy Krisher, a nonprofit tax preparer at Maher Duessel in Pittsburgh’s North Side. She sits on an American Institute of Certified Public Accountants panel focused on the exempt sector and said the issue came up at a recent meeting with the IRS.
In 2012-13, nearly 2,400 nonprofits disclosed 11,361 Social Security numbers representing 7,255 people, according to a 2014 audit by Identity Finder, a New York firm that supplies software to help companies protect sensitive information.
Federal law deems Form 990 documents public records — a transparency trade-off in exchange for nonprofits getting tax breaks, and a mechanism that helps ensure charities act in the public interest.
In its instructions for filling out 990s, the IRS warns, “Reminder: Do Not Include Social Security Numbers on Publicly Disclosed Forms.” The label “Open to Public Inspection” appears in the top right corner of the first page of each form. The IRS urges organizations to file 990s electronically to reduce security risks and to refrain from including unneeded personal information.
A small percentage of groups include Social Security numbers anyway — often in attached lists alongside identifiers such as names, addresses and phone numbers. Even some trained tax preparers make the mistake. One preparer put his Social Security number on more than 1,000 forms, Identity Finder found.
“When we see Social Security numbers on a 990, we’re entirely flabbergasted,” said Jacob Harold, CEO of GuideStar.org, the most popular source for accessing the tax forms.
Overlooking the problem
Amid mounting concern about cybercrime and large-scale hacks, people tend to underestimate “low-tech” security breaches such as these — a far more common risk than many realize, said Eva Casey Velasquez, CEO of Identity Theft Resource Center, a California-based nonprofit whose call center aids about 10,000 victims annually.
“High-tech (crime) often gets all the attention because the numbers tend to be so massive that they’re staggering — 80 million records, 50 million records — and it makes our heads explode,” Velasquez said, “but the reality is that many low-tech breaches or compromises of information occur on a regular basis.”
Last year, sensitive information of an estimated 100 million Americans was exposed, and more than 12 million fell victim to identity thieves who stole a total of $16 billion, according to the Bureau of Justice and Javelin Strategy & Research. That equates to a new victim every two to three seconds across nearly 10 percent of households.
It’s extremely difficult to trace the source of a victim’s exposure, Velasquez said.
Savvy thieves harvest large sums of identifiers and sit on data for years before using it to open lines of credit, take out loans, file fraudulent tax returns or rack up criminal charges while posing as a victim, Identity Finder CEO Todd Feinman said.
“We’ve heard from some victims of identity theft who we’ve been able to correlate in the 990 reports,” Feinman said. “However, it’s very specious to say one led to the other, because their identity could have been stolen from another source.”
Stemming the breach
One organization the Trib contacted — which asked to remain unnamed to protect those at risk of identity theft — alerted the IRS and GuideStar immediately upon learning one of its tax forms included Social Security numbers of more than a dozen recipients of its charitable services.
GuideStar moved quickly to redact the leaks from its online database.
“Any time where (a Social Security number) is identified, we immediately pull it down, redact it and then repost the 990 without that information,” Harold said. “The thing is, we don’t have the resources to be able to go through all the many, many millions of 990s we have.”
Northern California public domain advocate Carl Malamud of Public.Resource.Org, another site that posts tax forms, estimates he found and removed about 450,000 Social Security numbers from his database. In July 2014, Malamud mailed to the IRS and GuideStar thumb drives with up to 600,000 numbers he flagged from about 8 million forms.
GuideStar is “actively working through the pile with the resources we have,” spokesman Gabe Cohen said.
As more nonprofits file electronically — roughly half now do so — the percentage of those leaking Social Security numbers is dropping. In 2001, 16.6 percent of exempt organizations published at least one, compared to fewer than 1 percent in 2013.
But the sheer number of exempt filings more than doubled over the period, to more than 1.1 million, while the IRS lost more than 12,000 positions and $1 billion from its budget. The number of identities exposed on tax forms continues to climb.
“We did see the trends moving in the right direction but not quickly enough,” Feinman said.
Historically, the IRS declined to delete those Social Security numbers, citing a policy of not tampering with public records.
IRS pressured to act
IRS officials have a potential solution that might be put in place by early 2016.
“The IRS has made substantial progress in developing a technology solution that, when perfected, will allow the IRS to provide electronically-filed Forms 990 in a machine-readable format,” the agency said by email.
“This solution will ensure that sensitive or personally identifiable information continues to be protected from public distribution.”
If done effectively, the upgraded e-file system could prevent organizations from including attachments with sensitive information, as well as flag nine-digit numbers so they can be redacted before becoming public record.
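A sketch of what flagging nine-digit numbers before publication can look like, added here as an illustration; it is not the IRS's or GuideStar's code, and every function name and sample value is hypothetical. It goes a step beyond the article by skipping values that were never issued and by keeping the 9xx range, which ITINs use.

```python
import re

# Nine digits as NNN-NN-NNNN, NNN NN NNNN or a bare run; the separator must be
# consistent and the match must not sit inside a longer digit/hyphen string.
CANDIDATE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
CONTEXT = re.compile(r"ssn|ss#|social security", re.IGNORECASE)


def plausible(area, group, serial):
    """Drop values that were never issued: area 000 or 666, group 00, serial 0000.
    Area 9xx is kept on purpose: ITINs use it and are just as sensitive."""
    return area not in ("000", "666") and group != "00" and serial != "0000"


def find_candidates(text, window=40):
    """Return (start, end, confidence) for each plausible SSN-shaped number."""
    hits = []
    for m in CANDIDATE.finditer(text):
        area, sep, group, serial = m.groups()
        if not plausible(area, group, serial):
            continue
        nearby = text[max(0, m.start() - window):m.start()]
        # Separators or a nearby label make a hit strong; a bare run is review-only.
        strong = bool(sep) or bool(CONTEXT.search(nearby))
        hits.append((m.start(), m.end(), "high" if strong else "review"))
    return hits


def redact(text):
    """Mask high-confidence hits; return the cleaned text and the review queue."""
    out, last, review = [], 0, []
    for start, end, conf in find_candidates(text):
        if conf == "high":
            out.append(text[last:start] + "XXX-XX-XXXX")
            last = end
        else:
            review.append(text[start:end])
    return "".join(out) + text[last:], review


# Constructed sample attachment; every name and number here is made up.
SAMPLE = (
    "Schedule of scholarship recipients, EIN 25-1234567\n"
    "Jane Doe, SSN 123-45-6789, 412-555-0100\n"
    "John Roe, 234 56 7890, award 000-12-3456\n"
    "Check no. 345678901, ZIP 15212-1234\n"
)

if __name__ == "__main__":
    cleaned, queue = redact(SAMPLE)
    print(cleaned)
    print("needs review:", queue)
```

The organization's EIN, the phone number and the ZIP+4 pass through untouched because their digit grouping differs, while the unlabeled nine-digit run is queued for a human rather than masked automatically.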
The effort, though consistent with a 2009 directive from President Obama, was sparked by a lawsuit Malamud filed demanding the IRS release Form 990s in digitally searchable formats.
“By cleaning the data at the source, it is more likely that privacy issues will be nipped in the bud, before many copies of this public data are made and dispersed on the Internet,” Malamud said.
It’s unclear if a new online database would include forms from previous years.
“Whether you can fix the ones you have, and whether you can fix the system so people don’t do that anymore, is a tougher problem,” Malamud said.
“But a bit of elbow grease (at the IRS) and somebody like GuideStar, who lives and breathes this database, should take the time to put that effort in. It isn’t that hard.”
Natasha Lindstrom is a Trib Total Media staff writer. Reach her at 412-380-8514.