For people who don't read TFA:
> In addition to SSNs, the database reportedly includes Americans’ place and date of birth, work permit status, and parents’ names
This is quite a bit more information than just a number.
The actual report text identifies the uploaded database as "NUMIDENT".
A quick shufti turned up https://aad.archives.gov/aad/series-description.jsp?s=5057 which states that "NUMIDENT" includes things like "mother's maiden name". Other sources imply that the signatures from SSN application forms (form SS-5) are stored here.
Normal methods of access to this database seem to include "NOVU" (https://catalog.data.gov/dataset/numident-online-verificatio...).
That 65% figure in the press release has an interesting origin. It seemed oddly specific to me, so I had a look.
In the actual report main text, it says that the risk is between 35% and 65%, but does not explain the calculation, if any, that results in those numbers.
It's not until one reaches Appendix A that one finds that this really means that it has been assigned a value of 3 on a scale of 1 to 5, meaning "medium risk", and the value 3 is arbitrarily assigned that percentage range, originating with the U.S.A. FDA's Office of Information Security, where "low risk" (2) is similarly 10% to 35% and "very low risk" (1) is less than 10%.
Actual article: https://www.hsgac.senate.gov/media/dems/peters-report-finds-...
Which was submitted directly and flagged: https://news.ycombinator.com/item?id=45377439
I assume everybody's SSN has been leaked at one time or another by now.
Which means we no longer need to store and handle them securely, right? Can I have yours?
You can probably look it up online if you really want to, since it was already leaked.
Mine was leaked several times. At least once by the government itself. See https://iapp.org/news/a/21-5-million-breached-in-second-opm-... for example.
SSNs were never meant to be secret. It's an ID, not a password. You can thank banks and credit card companies for treating them like a verification system.
Right. And why is that?
Might be. Did it happen or not?
> As outlined in the report, DOGE staffers moved a live copy of Americans’ personal information to a cloud server despite an internal risk assessment from the Social Security Administration (SSA), which determined the impact could be “catastrophic” without the proper safeguards.
Paraphrasing the article, the issue is that they operate without oversight or accountability so there's no way of knowing (this is arguably the story, not that PII may be leaked). The SSA's own security team is not allowed to review their work.
That sounds like a separate concern from the one implied by the headline.
The headline of a news article is a way to draw the reader in. The subhead in this case was "A report from Senate Democrats says DOGE moved sensitive information to a cloud server despite the risk of 'catastrophic' impacts," with the lede (the first paragraph of the article) mentioning the lack of oversight. I can change the title if you'd prefer, but I believe that goes against HN guidelines.
> The headline of a news article is a way to draw the reader in.
Yes, I think that’s where the “bait” characterization comes from.
Sure. Crappy headline. I was going to post the NYT one ("Democratic Report Says Disorder at DOGE Jeopardized Americans’ Data: Members of a Senate panel described a haphazard working and living environment that involved transferring sensitive information to servers 'without any verified security controls'") but it was paywalled. Less bait I suppose but it's still pretty damning.
I have stored every American's SSN in a text file; you can too!
seq -w 0 999999999 | sed -E 's/^([0-9]{3})([0-9]{2})([0-9]{4})$/\1 \2 \3/' | awk '{ area=$1+0; group=$2; serial=$3; if (area==0 || area==666 || area>=900) next; if (group=="00" || serial=="0000") next; printf "%03d-%s-%s\n", area, group, serial }'
What is the point of this kind of reply? To try to diminish the impression of the severity? To distract? To just make reading the contents slightly worse for everyone?
It's so clearly not the point of the db in the article that there is no chance anyone reads this and thinks it is the same thing the article is referencing. Is this just really low quality trolling?
I'm sure they are talking about a database that only contains the numbers and no other identifying information directly linked to those numbers.