City apologizes for inadvertent release of employee SSNs

City Manager Christine Daniel. March 5, 2013. Photo: Emilie Raguso

City Manager Christine Daniel: “It was a mistake.” Photo: Emilie Raguso

A Berkeley municipal staff member mistakenly disclosed the social security numbers of everyone who works for the city while responding to a public records request, and the city recently sent a letter to staff informing them of the error.

One staffer, who asked not to be identified, called the mistake “appalling,” and another criticized the city for taking weeks to inform employees about the breach.

“The bottom line is the city amateurishly screwed up and it only represents to me the type of incompetence that constantly costs the city,” said another employee, who asked to remain anonymous. “The City should provide better training for whoever handles PRA (Public Record Act) requests so we no longer have inappropriate and illegal withholding or, in this case, sloppy and gratuitous disclosure.”

City Manager Christine Daniel said Friday that the city had taken the matter very seriously: “We value our employees’ confidentiality and we’re very sorry that it happened. All I can say is that it was a mistake.”

Click the image to view the letter in its entirety. The city sent a letter, dated April 15, to all staff members reporting the inclusion of employee social security numbers in a data set about public employee salaries. (The Bay Area News Group (BANG) publishes a database of municipal salaries annually.) The city is required by law to release public employee salaries, and provided BANG the information electronically.

According to the letter: “Although City staff removed one column that clearly was identified as employee social security numbers, social security numbers were also in a second column and not as readily identifiable. Staff failed to remove this second column and, as a result, inadvertently disclosed your social security numbers to BANG.”

Daniel said the city sent the original information to BANG on March 11, and realized the error at the beginning of April. On April 4, the city sent a letter to BANG about what had happened, and requested that BANG destroy all records of the social security numbers. On April 8, the city “received confirmation from BANG that it did not disclose any employee social security numbers and that it has permanently destroyed the information.” The city then sent the April 15 letter to employees to alert them of the situation. One employee said the letter arrived April 17, two weeks after the city realized what had occurred.

The letter informed employees about how to obtain free credit reports and provided a city phone number for them to call should they have additional questions.

“We tried to write it so that it was really clear, so that anybody who read it could get all the facts,” Daniel said. “It states everything as far as we can tell.”

Daniel said the city did not plan to offer any special credit monitoring services, but that all employees are already entitled to free credit monitoring through their Employee Assistance Program benefit.

Daniel acknowledged that it “took us a while to do the mailings” because folding and stuffing thousands of envelopes was a somewhat labor-intensive endeavor. (She said that roughly a couple thousand letters had been mailed.)

One employee said five people in his department had become victims of identity theft since the release of information, but that they did not know whether it was directly linked to the BANG disclosure. Daniel said she had not been informed about any identity theft cases related to the mistake.

She also said Friday that the city has changed how it will handle the BANG request next year.

“We’ve undertaken a whole new programming approach to make sure, when they make the same request, that this won’t happen again,” she said. “We’ve completely revised how we release it.”

Would you like a digest of the day’s Berkeley news sent to your inbox? Click here to subscribe to Berkeleyside’s free Daily Briefing.

Print Friendly
Tagged , , ,
Please keep our community civil. Comments should remain on topic and be respectful.
Read our full comments policy »
  • The_Sharkey

    Not really a big deal, considering that it was given only to Bay Area News Group and not released publicly.

    The comment from a city employee complaining about city employees being amateurish and incompetent is kind of weird.

  • guest

    I don’t know that it’s ever a good idea to send one’s social security number via email… let alone a couple thousand of them, regardless of the ultimate destination of the email.

  • It is actually fairly easy to guess a persons SSN by just knowing where and when they were born. Researchers were able to get about a 10% success rate.

  • guest

    All it takes is one person at BANG to forward that email elsewhere. While I would hope BANG employees are all honest I can’t guarantee that. How secure is BANG’s email system? Have they ever been hacked? Do they have contract IT people who may be located elsewhere and who at a later date may get dismissed and get revenge by distributing the list? I’m a CoB employee and I’m less than happy with idea that an email with my SSN could be floating around the internet.

  • Andrew Doran

    I’m pretty sure the article says the information was sent “electronically” which is not the same thing as “by e-mail”. It simply means the information was not sent on pieces of paper but rather was transferred from computer to computer. The risk of that information being eavesdropped upon by a third party depends on the details of the transfer, but is probably pretty low to insignificant.

  • soij

    BANG said they deleted all copies…but was the original file ever on a network server or on any other storage media that had a backup? Are those backups still unmolested? My guess is that the CoB protocol was terrible and on top of that probably not followed correctly. How hard is it to look at the first five records of the transfer file by hand to make sure you are sending what you think you are sending?

  • EBGuy

    The bigger question: How is Berkeley Unified School District able to avoid these requests? (BUSD data does not appear in the BANG database).

  • David D.

    I don’t think it’s that weird. I work for a government agency and come across a depressing amount of amateurish and incompetent work by government employees, both here and elsewhere.

  • The_Sharkey

    If you use Facebook or Gmail and shop on the internet, much more dangerous information about you is already floating around the intertubes.

  • Zelda Bronstein

    Re BANG’s annual publication of Bay Area public employee salaries: if you check out the linked list, you will notice that Berkeley is missing. I asked City of Berkeley staff about the omission and was told that BANG never asked for the data, a claim I find unpersuasive.

  • Biker 94703

    How’s that? The City sent BANG data they didn’t explicitly request?

    I suspect BANG just deleted all Berkeley data and are now waiting for a new data feed.

  • Biker 94703

    According to their twitter feed, BANG did indeed ask for data:

    Public Salaries @PublicSalaries 2 Apr
    Berkeley Council Member K Worthington says he’ll take up our #pra request @ meeting tonight and work to #freethedata by urging tranparency

  • Zelda Bronstein

    The linked BANG list is for 2011. I assume that the data the City recently sent was for 2012.

  • Biker 94703

    You don’t work in IT do you? It doesn’t matter if it was email, ftp, sftp, scp, afs, nfs, or even dropbox. Man-in-the-middle attacks are really rare for this type of thing — its all about compromising the end-user’s system.

  • Truth Sayer

    Thus far, I have yet to see how city representatives can say that they have fulfilled their fiduciary obligation to the people they represent. First, they are still hiding the facts. As, it was a “public records request”, rior to sending out any information regarding employees, at a minimum the supervisor/manager should have reviewed the information before disclosed. And, why didn’t it go through the legal department? I think difunctional is the word…..

  • Guest

    In which case the method of transmission would be moot, this allying guest’s concerns re: the security of e-mailing this information.

  • Biker 94703

    Rare, not non-existent. While the odds are that data will be stolen from the destination, the pattern ###-##-#### is obvious in a stream of bytes. (Other) guest is correct that emailing SSNs is a lousy idea. If you had to choose, transferring them over an ssl-encrypted connection (eg: https) is less lousy.

    I suspect in this case that data was exported from a database into an excel document, poorly sanitized, and the spreadsheet emailed to the destination. (Note the quote about “removing a column”.)

    A secure(r) implementation would have the SSN data stored in a separate table, inaccessible except by very privileged database views. My guess is that the SSN was stored both as a data field and as a primary key so when two tables were joined, the SSN values appeared in two places. But the issue isn’t that the city employee failed to delete the column – it is that the SSN data was ever available to the employee in the first place.

  • PragmaticProgressive

    This sounds plausible and points to a greater risk in third systems. Daniel should order a security audit.

  • PragmaticProgressive

    Will the “whole new approach” undergo a security audit by a qualified third party?

  • Brad Johnson

    This is actually a really big deal. We pay people at the City to *not* disclose personal information to some random party. Lots of people work at BANG.

    Your point is like say it’s totally cool you were robbed because, so far as you know right now, the thief took low value items.

    Biker is right. This points to way more profound problems. Very few people should be able to get unencrypted SSNs from the database. I’ll bet dollars to donuts they’re sitting there in plain text. And this is most certainly not simply limited to government. Private companies are this careless all the time.

  • guest


  • Japhy Writer

    If the SSN is used as a primary key, that’s just asking for trouble.