John G. Bravacos, Executive Secretary and Senior Agency Official for Privacy
Update on Privacy Incidents
Since August 29, 2016, the U.S. Department of Housing and Urban Development (HUD) has learned of two privacy incidents that compromised personal information of members of the public.
The first incident, discovered August 29, 2016, involved businesses uploading excess employee data in HUD's EZ/RC Locator. This online tool helps businesses determine eligibility for tax credits. The excess data included employee Social Security numbers and was stored on an unsecured webserver. Although this excess data was uploaded to the Department's webserver by private businesses, the data was not requested by the Department and was not necessary for determining whether the businesses were eligible for the tax credit. HUD immediately shut down the Locator once the disclosures of sensitive personally identifiable information were confirmed. Approximately 50,727 impacted individuals will receive notification and an offer of free credit monitoring for one year as a result of this incident.
Another incident, discovered on September 14, 2016, involved some personal information pertaining to public housing residents. While sharing community service requirement information with local public housing authorities, HUD discovered that personal information was made available through its website, www.hud.gov. The information included the individual's last name, the public housing building code, and last four of their Social Security Number for approximately 428,828 public housing residents. These residents will be notified by HUD and offered free credit monitoring services for one year.
In both instances, HUD removed access to the associated web pages and links as soon as the disclosures were confirmed. HUD also conducted further review to determine the scope of the incidents, the extent of data exposed, and likelihood of unauthorized use of the information. To date, HUD has no evidence that any of the data has been used inappropriately.
HUD deeply regrets any inconvenience caused by these incidents.