Interior center inadvertently exposes personal data of thousands of SEC employees

An Interior Department payroll processing center that provides services to several agencies unintentionally exposed the full names and Social Security numbers of nearly 4,000 Securities and Exchange Commission employees earlier this month, according to Interior officials.

On May 4, a customer support contractor inadvertently replied to a routine question from an SEC employee in an unprotected email format, and a device that was supposed to block outbound emails containing personal information failed to catch the error. However, a second detection system immediately notified the center's staff about the problem, Interior spokesman Drew Malcomb said.

Officials have no indication any information was intercepted by intruders during the approximately 60 seconds the data was in transit. Nor was sensitive information from other agencies or employees affected by the lapse at Interior's National Business Center, a shared services facility that handles administrative work for the Transportation and Defense departments, among others.

The employee responsible is now barred from dealing with personal data. Interior has launched an investigation into the matter and will hold accountable workers who were at fault, Malcomb said.

In addition, all outgoing files with sensitive information now must be approved for release by federal supervisors before they are sent over the Internet, he noted. Every customer support agent also will be required to undergo more computer security training.

While they are not aware of any instances of identity theft, officials sent a letter to all affected employees offering credit-monitoring services.

Such exposures of unencrypted personal information go unnoticed almost daily because they are not reported, according to John Gilligan, a member of the Obama-Biden transition team who helped formulate the administration's information technology policies in defense and intelligence.

Making matters worse, he says, is that many federal IT systems do not automatically protect with code, or encrypt, sensitive information.

"We put the burden of encryption on lots of individuals, many of whom are busy," said Gilligan, previously a chief information officer at the Air Force and Energy departments. "It's not that it's not possible to do. Computers are very powerful. The developers have not yet really said, 'Ah, this is a design problem, not a human problem.'"

The government should start requiring vendors to configure their software in a secure manner before deploying it, he added.

"The folks [who] are working on whatever particular project are not IT experts in all cases," said Gilligan, now a private consultant. "They don't need to be IT experts."

SEC officials referred questions about the incident to the Interior Department.

One year ago, the same Interior center lost in the mail -- and eventually recovered -- a compact disc containing personal information on about 7,500 employees from several federal agencies. The files on the CD were encrypted and password-protected, so the chances of the information falling into the wrong hands were low, officials said at the time.
