Identity Finder Determines that Non-Profit Tax Forms Posted by IRS Expose 630,000 SSNs
Leader in sensitive data management finds many non-profit organizations reveal SSNs on publicly-posted tax forms, urges consumers to take steps to protect information
NEW YORK, NY - February 25, 2014 - Identity Finder, leaders in sensitive data management solutions, today released research which uncovers that an estimated 630,000 social security numbers (SSNs) on non-profit organizations' tax returns—Form 990s—have been posted online by charities and the IRS since 2001, leaving unprotected consumers at risk of becoming identity theft victims. Unlike personal tax returns on Form 1040, Form 990s are public documents.
Because the IRS does not redact personal information on the original forms, sensitive data belonging to scholarship recipients, donors, trustees and employees remains in the public domain. In some cases, names, full addresses and detailed transaction information accompany SSNs. In addition, the organizations' accountants who identified themselves by using their SSN, rather than their Preparer Tax Identification Number (PTIN), were also exposed. The most common offenders include:
- Advocacy organizations
- Alumni associations
- Community and scholarship foundations
- Private trusts
Identity Finder's research team used the same sensitive data management solution they provide to enterprises, Sensitive Data Manager, and was able to discover the information by searching more than 3.8 million 990 forms between 2001 and the first half of 2013. Although the alarming amount of available personal data is still a big problem, Identity Finder learned that progress is being made to protect data on newer forms: The percentage of organizations that published at least one SSN has decreased from 16.6 percent in 2001 to under one percent in 2013. However, the total number of SSNs exposed continues to increase year after year, and the IRS' Office of Privacy and Information Protection has declined to delete existing SSNs from the public documents.
This is a call to action for enterprises that store sensitive data and have employees who need access to that data. "Organizations must learn from the lessons of their peers and take stock of their sensitive information so it doesn't fall into the wrong hands," said Todd Feinman, CEO of Identity Finder. "The more data companies have, the more important it is to take stock, remove as much as possible and minimize the risk of leakage."
The problem of exposed sensitive data on 990 forms is not getting better, but it is getting worse at a diminishing rate. There were more than 11,000 unprotected SSNs on 990 forms last year and 630,000 social security numbers still remain available for identity thieves.
Non-profit organizations who learn they have published SSNs should warn those affected that their names and SSNs are part of a document on public record and that they may be at increased risk of identity fraud. Further, the IRS should take all available steps to eliminate SSNs from these public documents.
To view the full report, read suggestions to organizations and consumers and to use Identity Finder's EIN search tool to find out whether your organization has exposed SSNs online, visit http://www.identityfinder.com/990report.
About Identity Finder
Identity Finder, LLC, based in New York, NY, is the leader in sensitive data management. Its security and privacy technologies provide businesses and consumers the ability to prevent data leakage and identity theft.
Tiffany Darmetko or David Sprague