SPRINGFIELD, Ill. — The personal information of some Illinois boat owners—including their social security numbers—was accidentally published online by the Illinois Department of Natural Resources in April, and the state has been trying to track down the four entities that information to make sure it is destroyed.
The state Department of Innovation and Technology (DoIT) estimates between 16,000 and 17,000 registered boat owners were affected.
Jennifer Schultz, a spokesperson for DoIT, said the following boat owners’ information was published to the state’s Open Data Portal:
-Date of Birth
-Social Security Number
The information was available on the site from April 4–8 and April 29–May 1, 2019, a total of eight days. DoIT determined the information was downloaded by four entities. Schultz explained, “It appears the entities that downloaded the information (a total of four) do so routinely for business purposes. Except for one entity which has not been identified, the entities that completed a download of the information immediately deleted the information. The State is working to identify the other entity to request destruction of the information.”
The reason the DNR had those boat owners’ social security numbers is due to an Illinois law that requires applications for any new license to include the applicant’s social security number, for the enforcement of child support obligations. “Agencies are required to have new licensees certify on the application form that he or she is not more than 30 days delinquent in complying with a child support order,” Schultz told LakeExpo.com.
She noted not all watercraft owners were affected by the data breach, and those who were impacted were notified by a letter in mid-May, which included a list of next-steps to take. The letter also advised those parties review and monitor their existing accounts for any suspicious or unauthorized activity.
What is the state doing to ensure this doesn’t happen again? Schultz said it reviewed all policies, procedures, and requirements about how data is published to the Open Data Portal. As a result, state agencies will no longer post information to the Open Data Portal that requires a manual extraction of data, to help mitigate human error. “The Department of Innovation & Technology’s (DoIT) Chief Information Security Officer directed state agencies that any agency application must limit the use of social security numbers to situations where the collection is required to comply with federal or state regulations or for meeting specific business needs,” she said.