Congress Demands Answers to USDA Security Breach
by Sam Kim, 5/30/2007
On April 13, a user of FedSpending.org, an online database on government spending run by OMB Watch, discovered that the U.S. Department of Agriculture (USDA) was publishing personally identifiable information about a loan she received from the agency.
The data in question appears in the Federal Assistance Award Data System (FAADS), which is a government database of all federally provided financial assistance (not including procurement). The database is run by the U.S. Census Bureau. FedSpending.org makes FAADS and publicly available data about government contracts accessible to the public in a searchable format in order to shine a light on government spending patterns. The individual found her Social Security number embedded in the field that serves as the financial award's unique identifier. After the breach was discovered, the FAADS database was completely removed from the Internet, and USDA and the Census Bureau began to request that other institutions who had posted the data remove it from the public sphere. (Read more about OMB Watch's involvement in and response to this issue.)
On April 27, Sens. Barack Obama (D-IL) and Tom Coburn (R-OK) wrote a letter to USDA Secretary Mike Johanns stating that the disclosure of personally identifiable information was "improper and unacceptable." Obama and Coburn called on USDA to provide three things by May 18:
- An assessment of the harm caused by disclosing Social Security numbers and a report on utilization of the credit monitoring service;
- A report on what is being done to ensure that data security problems are fixed; and
- A detailed plan and timeline for adopting a new unique identifier without disclosing personally identifiable information.
On May 2, at the request of Rep. Zack Space (D-OH), the House Agriculture Committee held a hearing to review the release of personal information by the USDA. At the hearing, USDA Chief Financial Officer Charles Christopherson, Jr. testified about the incident, providing additional information and some answers for Obama and Coburn. Christopherson testified that since first being notified of the breach, the USDA had narrowed its estimate of the number of affected individuals from 93,000 down to 38,700. These individuals participated in one of two different loan programs within the USDA — the Farm Service Agency and Rural Development.
The USDA said it contacted each of the affected individuals by mail from April 23 through May 1 to notify them of the security breach and offered free credit monitoring services to all those affected for 12 months.
While USDA testified it acted quickly to discover the extent of the problem and identify solutions, it attempted to downplay the breadth of the security issue. USDA testified it knew of 92 entities or individuals who had signed up to receive quarterly updates about FAADS data from the U.S. Census and that USDA had begun contacting each of them. At the time of the hearing, USDA said it had been able to contact 65 percent (58) of those entities. Most committee members, especially Rep. Earl Pomeroy (D-ND), were not at all satisfied with the 65 percent success rate. Unfortunately, USDA implied this was the extent of the entities that had downloaded the data from the U.S. Census website and possibly still had copies of the database.
In truth, the USDA has absolutely no way of determining the number of times the data had been downloaded or the number of people who have copies of the older data that contained personally identifiable information. There is no requirement to sign up or register to download the information from the Census or FedSpending.org websites. USDA could have made a more accurate estimate of the exposure of this data by compiling website visit statistics for the FAADS section of the Census website and other popular sources of the data like FedSpending.org. In the month of April alone, there were over 680,000 searches of the FAADS section of FedSpending.org.
Currently, the USDA has regenerated unique identifiers for the data in question and the Census Bureau is reloading the FAADS database. The Department of Commerce (where the Census is located) claims all FAADS data from 1996 through the third quarter of 2006 will be made available again through the FAADS database on the Web by June 1.
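The root cause described above, a Social Security number carried inside a record's public unique-identifier field, is a data-design problem that a publisher can screen for before release and fix by issuing opaque surrogate identifiers. The following Python is an added illustration, not code from OMB Watch, USDA, or the Census Bureau: the record layout, field name `award_id`, and all digits are constructed, and the HMAC-based `surrogate_identifier` is one possible scheme, not the one USDA adopted.

```python
import hashlib
import hmac
import re

# Pattern for a 9-digit Social Security number, with or without the usual
# 3-2-4 hyphenation, and not glued to other digits on either side.
SSN_RE = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")

# Constructed sample records (made-up digits) modelled on the article's
# description: the award's unique-identifier field carries the recipient's SSN.
SAMPLE_RECORDS = [
    {"award_id": "FSA-2006-123-45-6789", "program": "Farm Service Agency", "amount": 12000},
    {"award_id": "RD-2005-987654321", "program": "Rural Development", "amount": 45000},
    {"award_id": "FSA-2006-A1B2C3", "program": "Farm Service Agency", "amount": 3000},
]


def looks_like_ssn(value: str) -> bool:
    """Screening check: does an identifier field contain an SSN-shaped digit run?

    This is a pre-publication screen, so false positives (e.g. an unrelated
    nine-digit sequence) are acceptable and go to manual review.
    """
    return SSN_RE.search(value) is not None


def find_pii_in_identifiers(records, field="award_id"):
    """Return the records whose identifier field fails the SSN screen."""
    return [r for r in records if looks_like_ssn(r[field])]


def surrogate_identifier(original_id: str, key: bytes, prefix="AWD") -> str:
    """Derive an opaque replacement identifier (hypothetical scheme).

    A keyed hash keeps the mapping stable for the data owner (same key and
    input give the same output) while the published value reveals nothing.
    The key must stay with the agency: the SSN space is only 10^9 values,
    so a leaked key would let anyone rebuild the mapping by brute force.
    """
    digest = hmac.new(key, original_id.encode(), hashlib.sha256).hexdigest()[:16]
    # Four-character groups: this layout cannot itself match the 3-2-4 SSN shape.
    groups = [digest[i:i + 4] for i in range(0, 16, 4)]
    return prefix + "-" + "-".join(groups)


def regenerate(records, key: bytes, field="award_id"):
    """Replace every flagged identifier; records that pass are returned unchanged."""
    out = []
    for r in records:
        if looks_like_ssn(r[field]):
            r = dict(r, **{field: surrogate_identifier(r[field], key)})
        out.append(r)
    return out


if __name__ == "__main__":
    DEMO_KEY = b"demo-key-not-for-production"  # constructed; never hard-code a real key
    flagged = find_pii_in_identifiers(SAMPLE_RECORDS)
    print(f"{len(flagged)} of {len(SAMPLE_RECORDS)} identifiers carry an SSN-shaped value")
    for r in regenerate(SAMPLE_RECORDS, DEMO_KEY):
        print(r["award_id"], r["program"], r["amount"])
```

Run against a real extract, the screen would be applied to every field that ends up in a public file, not only the identifier column, and the regenerated identifiers should be stored back in the system of record so that later quarterly updates keep using the surrogate rather than re-deriving it from the SSN-bearing value.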