Home > Identity Theft > The Wisconsin Department of Revenue: A Bargain for the Identity Theft Collective

Comments 2 Comments

Scott Walker has earned a national reputation for his hack-and-slash approach to government spending. Working hand-in-glove with both Houses of the GOP-controlled legislature, the Wisconsin Governor gutted the collective bargaining rights of public sector unions.

While tight with the purse strings when it comes to public employees and a self-proclaimed advocate for small business (though very well-funded by big business), apparently the Walker administration does support full employment for at least one group of workers who clearly don’t rely upon collective bargaining: identity thieves.

Last week, the Wisconsin Department of Revenue revealed that it had accidentally made public 110,795 Social Security numbers and tax ID numbers of Wisconsin residents. The numbers were mistakenly embedded in a real estate report and posted to the department’s website for almost three months before being removed.

There are some very disturbing trends here. First, the Walker administration doesn’t seem to have any concept of what it’s talking about when it comes to identity theft. Walker’s appointee, Revenue Secretary Rick Chandler, clearly missed the boat when he said in a prepared statement: “We know the individuals who downloaded this file are using it for their own business purposes and have no malicious intent…”

[Credit Check Tool: Monitor your credit score and activity for free with Credit.com]

Free Credit Check & MonitoringActually, Mr. Chandler, you know nothing. Sure, the report’s intended audience was real estate appraisers and realtors. However, the curious thing about the Internet is that once something is posted on a free public site, it’s out there for the entire world to see, and it may never be reeled back in. This means that one of those 138 people who downloaded this online “oops” could easily have been an identity thief, or may have accidentally or intentionally handed the document off to an identity thief, and there is absolutely no way for you or anyone else to know. You see, even assuming all 138 people who accessed the information were legitimate, who’s to vouch for the security of the systems or networks they used? Once it’s out… it’s out.

The second disturbing thing about this data breach is that it demonstrates the government of the Great State of Wisconsin is continuing its grand tradition of negligence when it comes to protecting the personal identifying information of its citizenry. This is the fourth time since 2006 that Wisconsin state agencies have been involved in the public release of Social Security numbers.

Three of those breaches involved the Revenue Department. In 2006, a private contractor working for the department mailed 171,000 tax booklets with taxpayers’ Social Security numbers printed right on the front. That’s a goof significant enough to make an identity thief fall to his knees and praise the Lord. While the state managed to intercept 54,500 of the botched booklets at post offices, that mishap still cost taxpayers $500,000 to cover one year’s worth of credit monitoring services for victims of the breach.

[Related Article: Hello Citizens United, Goodbye CFPB: Consequences of the Wisconsin Recall]

Apparently, the department still didn’t learn its lesson. In January 2008, it mailed 5,000 tax forms with taxpayers’ Social Security numbers clearly visible through the envelope windows. Department executives tried to weasel their way out of responsibility by blaming the breach on the machine that folded the forms, instead of taking a hard look at the humans who ran the folding machine, or the humans in charge of reviewing the work of the humans who ran the machine that folded the forms. (And you thought that disasters only came in threes?) That same month, the Wisconsin Department of Health and Family Services had a FUBAR of its own, when a private contractor mailed 260,000 booklets to Medicaid recipients in the state with their Social Security numbers printed right on the front.

One reason this happened is that unlike its neighbors, Wisconsin still uses Social Security numbers as Medicaid ID numbers. Wisconsin Rep. Marlin Schneider, known by the catchy nickname “Snarlin’ Marlin,” called that practice “stupid.” I couldn’t have said it better.

So, for those keeping score, here’s how to tell that the identity theft problem in Wisconsin isn’t getting any better.

The previous breaches either involved third-party vendors for the state, or a relatively small number of Social Security numbers leaked by the state itself. But this latest debacle was a whopper: Over 100,000 Social Security numbers have been potentially exposed to any fellow, well-intentioned or not, with a laptop or a smart phone. And it was committed by the Walker administration itself, not by some third-party operator in Plano, Texas.

Even after hundreds of thousands of innocent “Cheeseheads” have been exposed to identity theft and all manner of financial crimes; even after the state has spent (or will spend) more than $1 million on credit monitoring for victims (which doesn’t really help anyway, since all the thieves have to do is wait a year plus one day to begin their wild spending sprees using the purloined Socials); Scott Walker’s appointee had the audacity to imply that he believes the people of Wisconsin are safe.

[Related Article: 5 Stupid Things You’re Doing to Ruin Your Credit]

I have a few suggestions for Mr. Walker that might help to make things right. Firing Secretary Chandler would be a good place to start. (I think you can do that immediately Governor, as I don’t believe he is a member of the Civil Service.) He very clearly doesn’t appreciate the importance of data security, or even how it works, and though I’m sure he’s a nice guy, this is a weakness the citizens of Wisconsin cannot afford in that position. It would send an unequivocal message to the rest of Wisconsin’s department heads that taxpayers’ private data is of paramount importance, and must remain private. These data breaches must end.

Second, like most states, Wisconsin clearly needs tighter rules and procedures regarding protections for citizens’ personally identifiable information (PII).

Governor, you have become a political icon for “right thinking” Americans, but when it comes to data security, your administration has to think smart and do what is right. Data like citizens’ names, addresses, birthdates and Social Security numbers, functions like keys to the locks of the economy, opening doors to bank accounts, credit cards, car loans, mortgages, personal loans and all sorts of medical and criminal exposure. Sending that data through the mail, effectively embossed on the front of envelopes, or releasing it into cyberspace for all the world to see is like giving a drunk the keys to your Chevy and wishing them a safe trip home.

Finally, sir, I have a proposition.  Because Wisconsin agencies have demonstrated a disturbing penchant for “billboarding” the PII of your citizenry several times over the past few years, it seems that it’s time for you to get some help. There are plenty of companies out there that can help you evaluate the integrity of the Wisconsin Department of Revenue’s security protocols and help you develop and implement a data breach preparedness and response program. Full disclosure, I own a company that does this kind of work and I’d be willing to give you two weeks of consulting for free just to get you moving on this. However, even if you choose to decline my offer, I urge you to retain a qualified organization to thoroughly investigate the security systems and protocols in place throughout your government agencies. The citizens of Wisconsin deserve no less.

[Featured Products: Research and compare Identity theft protection plans at Credit.com]

This is an Op/Ed contribution to Credit.com and does not necessarily reflect the views of the company.

Image: Jason Riedy, via Flickr

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

  • Mike

    Nice hit piece. Do you care more about your lefty cause or security? You are a hack.

  • Bob

    Who do you blame when this same thing happened in 2006 and 2008 in the state of Wisconsin under the leadership of Jim Doyle. You seem to be pointing the finger at the Governor directly for these incompetent action. Does that include Doyle too? Or was it someone else back then? Just asking. By the way, the reason I’m following this story is because I was one of the 110,795 people that received this notice from the state yesterday.

Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team