HUD Breach Exposes Private Information of Nearly 500,000 People

Personal information for roughly 480,000 people was exposed in two separate privacy incidents earlier this year involving the U.S. Department of Housing and Urban Development's website.

The two incidents occurred on Aug. 29 and Sept. 14, the department said in a statement posted to its website Monday. HUD mailed letters to affected individuals in early November apologizing for the incidents and detailing the steps the agency is taking to address them. The letters were signed by the department's executive secretary and senior agency official for privacy, Helen Goff Foster.

"In August and September of 2016, HUD learned that some of this information was temporarily made available to the public through its website," Foster wrote. "As soon as HUD learned of these incidents, all further access to it was stopped and HUD took steps to prevent future incidents."

In addition to removing access to the affected webpages, HUD said it had conducted a review to determine the scope of the incidents and what data was exposed.

The first incident involved information for 50,727 people. The information was inadvertently made public when businesses uploaded employee data to HUD's EZ/RC Locator, an online tool that determines tax credit eligibility. The data, which included Social Security Numbers, was stored on an unsecured webserver.

"Although this excess data was uploaded to the Department's webserver by private businesses, the data was not requested by the Department and was not necessary for determining whether the businesses were eligible for the tax credit," the department said in the statement.

The second incident occurred when HUD shared community service requirement information with local public housing authorities, exposing personal information for roughly 429,000 people in the process. The information included the last four digits of Social Security Numbers, last names and public housing building codes.

The agency is offering one year of free credit monitoring services through TransUnion to affected individuals. Those affected by the data security breaches must enroll by March 31, 2017, to receive these services.

There is "no evidence that any of the data has been used inappropriately," HUD said in its public statement.
