IRS, nonprofits unwittingly leak 630K Social Security numbers

Natasha Lindstrom
Audrius Reskevicius
These are Form 990 tax filings by exempt organizations dating back to 2002 in DVD form — the only way the IRS makes them available to the public. The DVDs, which belong to open records advocate Carl Malamud, weigh 98.7 pounds. It would cost $2,300 for an individual to get a complete set of all returns filed between 2008 and 2014.

They didn’t mean to do it.

Not the scholarship funds, alumni associations or garden clubs.

Not the nonprofit hospitals, union groups or corporate foundation arms.

Yet more than 130,000 tax-exempt organizations unwittingly leaked hundreds of thousands of Social Security numbers belonging to unsuspecting board members, donors, employees and college students.

“Our concern is really making sure that it doesn’t happen again,” said a Pennsylvania nonprofit spokeswoman, stunned to learn from the Tribune-Review that her organization was one of them.

No hacking required

Identity thieves don’t need hacking skills or sophisticated scheming to steal from this body of sensitive information: More than 630,000 Social Security numbers — including tens of thousands of numbers of Pennsylvanians — have become public record inadvertently on tax-exempt Form 990 filings with the Internal Revenue Service since 2001, according to independent audits and documents the Trib obtained. Names and addresses also appear. Armed with such data, identity thieves can apply for credit, file fraudulent tax returns and more.

“I was surprised myself that it is as big a problem as it seems to be,” said Betsy Krisher, a nonprofit tax preparer at Maher Duessel in Pittsburgh’s North Side. She sits on an American Institute of Certified Public Accountants panel focused on the exempt sector and said the issue came up at a recent meeting with the IRS.

In 2012-13, nearly 2,400 nonprofits disclosed 11,361 Social Security numbers representing 7,255 people, according to a 2014 audit by Identity Finder, a New York firm that supplies software to help companies protect sensitive information.

Federal law deems Form 990 documents public records — a transparency trade-off in exchange for nonprofits getting tax breaks, and a mechanism that helps ensure charities act in the public interest.

In its instructions for filling out 990s, the IRS warns, “Reminder: Do Not Include Social Security Numbers on Publicly Disclosed Forms.” The label “Open to Public Inspection” appears in the top right corner of the first page of each form. The IRS urges organizations to file 990s electronically to reduce security risks and to refrain from including unneeded personal information.

A small percentage of groups include Social Security numbers anyway — often in attached lists alongside identifiers such as names, addresses and phone numbers. Even some trained tax preparers make the mistake. One preparer put his Social Security number on more than 1,000 forms, Identity Finder found.

“When we see Social Security numbers on a 990, we’re entirely flabbergasted,” said Jacob Harold, CEO of , the most popular source for accessing the tax forms.

Overlooking the problem

Amid mounting concern about cybercrime and large-scale hacks, people tend to underestimate “low-tech” security breaches such as these — a far more common risk than many realize, said Eva Casey Velasquez, CEO of Identity Theft Resource Center, a California-based nonprofit whose call center aids about 10,000 victims annually.

“High-tech (crime) often gets all the attention because the numbers tend to be so massive that they’re staggering — 80 million records, 50 million records — and it makes our heads explode,” Velasquez said, “but the reality is that many low-tech breaches or compromises of information occur on a regular basis.”

Last year, sensitive information of an estimated 100 million Americans was exposed, and more than 12 million fell victim to identity thieves who stole a total of $16 billion, according to the Bureau of Justice and Javelin Strategy & Research. That equates to a new victim every two to three seconds across nearly 10 percent of households.

It’s extremely difficult to trace the source of a victim’s exposure, Velasquez said.

Savvy thieves harvest large sums of identifiers and sit on data for years before using it to open lines of credit, take out loans, file fraudulent tax returns or rack up criminal charges while posing as a victim, Identity Finder CEO Todd Feinman said.

“We’ve heard from some victims of identity theft who we’ve been able to correlate in the 990 reports,” Feinman said. “However, it’s very specious to say one led to the other, because their identity could have been stolen from another source.”

Stemming the breach

One organization the Trib contacted — which asked to remain unnamed to protect those at risk of identity theft — alerted the IRS and GuideStar immediately upon learning one of its tax forms included Social Security numbers of more than a dozen recipients of its charitable services.

GuideStar moved quickly to redact the leaks from its online database.

“Any time where (a Social Security number) is identified, we immediately pull it down, redact it and then repost the 990 without that information,” Harold said. “The thing is, we don’t have the resources to be able to go through all the many, many millions of 990s we have.”

Northern California public domain advocate Carl Malamud of Public.Resource.Org, another site that posts tax forms, estimates he found and removed about 450,000 Social Security numbers from his database. In July 2014, Malamud mailed to the IRS and GuideStar thumb drives with up to 600,000 numbers he flagged from about 8 million forms.

GuideStar is “actively working through the pile with the resources we have,” spokesman Gabe Cohen said.

As more nonprofits file electronically — roughly half now do so — the percentage of those leaking Social Security numbers is dropping. In 2001, 16.6 percent of exempt organizations published at least one, compared to fewer than 1 percent in 2013.

But the sheer number of exempt filings more than doubled over the period, to more than 1.1 million, while the IRS lost more than 12,000 positions and $1 billion from its budget. The number of identities exposed on tax forms continues to climb.

“We did see the trends moving in the right direction but not quickly enough,” Feinman said.

Historically, the IRS declined to delete those Social Security numbers, citing a policy of not tampering with public records.

IRS pressured to act

IRS officials have a potential solution that might be put in place by early 2016.

“The IRS has made substantial progress in developing a technology solution that, when perfected, will allow the IRS to provide electronically-filed Forms 990 in a machine-readable format,” the agency said by email.

“This solution will ensure that sensitive or personally identifiable information continues to be protected from public distribution.”

If done effectively, the upgraded e-file system could prevent organizations from including attachments with sensitive information, as well as flag nine-digit numbers so they can be redacted before becoming public record.
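The nine-digit flagging step described above, sketched as an added example (not IRS or GuideStar code; the function names and the sample text are assumptions made for illustration). It shows why a bare nine-digit match is not enough on a Form 990: the organization's EIN is also nine digits, so the check relies on the 3-2-4 SSN shape and on number ranges the Social Security Administration never issues.

```python
import re

# 3-2-4 digit shape with one consistent separator ("-", space, or none), not part of a
# longer digit/hyphen run. An EIN written NN-NNNNNNN or a phone number does not fit.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")

def scan(text):
    """Return (start, end, confidence) for each candidate SSN in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        area, sep, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            # Separated digits are almost certainly an SSN; a bare nine-digit run
            # could be an unhyphenated EIN, so it goes to a human reviewer.
            findings.append((m.start(), m.end(), "high" if sep else "review"))
    return findings

def redact(text, findings):
    """Mask high-confidence hits; leave 'review' hits for manual handling."""
    out, pos = [], 0
    for start, end, confidence in findings:
        if confidence == "high":
            out += [text[pos:start], "XXX-XX-XXXX"]
            pos = end
    return "".join(out) + text[pos:]

def hold_for_review(findings):
    """True if publication should wait for a person to check ambiguous numbers."""
    return any(c == "review" for _, _, c in findings)

# Constructed sample attachment text; every number here is made up.
SAMPLE = """Organization EIN: 25-1234567  Phone 412-555-0100
Scholarship recipients:
Jane Doe, 12 Elm St, 123-45-6789, $2,500
John Roe, 34 Oak Ave, 234 56 7890, $1,000
Preparer ID 345678901
Ref 000-12-3456
"""

if __name__ == "__main__":
    hits = scan(SAMPLE)
    print(redact(SAMPLE, hits))
    print("hold for review:", hold_for_review(hits))
```
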

The effort, though consistent with a 2009 directive from President Obama, was sparked by a lawsuit Malamud filed demanding the IRS release Form 990s in digitally searchable formats.

“By cleaning the data at the source, it is more likely that privacy issues will be nipped in the bud, before many copies of this public data are made and dispersed on the Internet,” Malamud said.

It’s unclear if a new online database would include forms from previous years.

“Whether you can fix the ones you have, and whether you can fix the system so people don’t do that anymore, is a tougher problem,” Malamud said.

“But a bit of elbow grease (at the IRS) and somebody like GuideStar, who lives and breathes this database, should take the time to put that effort in. It isn’t that hard.”

Natasha Lindstrom is a Trib Total Media staff writer. Reach her at 412-380-8514.
