A recently published Government Publishing Office (GPO) report has exposed that the federal government accidentally leaked the social security numbers of around 2,000 visitors to the White House in December 2020. This security breach occurred when the government published records associated with Nancy Pelosi’s January 6 Committee late in 2022.
The GPO attributes the leak to a combination of rushed procedures, confusion, changing publication requests, strained resources, and a large volume of supporting materials from the Select Committee.
Whoops….did we do that? Again? https://t.co/azY1AXO8uh
— MajorDad🇺🇸 (@O4MajorDad) April 1, 2023
The National Archives and Records Administration (NARA) provided the January 6 Committee with White House visitor logs dating from December 2020 to January 2021, following a directive from the Biden Administration. The committee was disbanded before the new GOP-majority Congress in December 2022 and sent its final report and supporting materials to the GPO for online publication.
On January 4, 2023, a public news outlet discovered that the information provided by the Select Committee included the social security numbers of nearly 2,000 visitors. The GPO quickly removed the document and replaced it with a redacted version supplied by NARA.
Several factors contributed to the disclosure of sensitive information, including the Select Committee changing its request within two weeks of the publication deadline, which put pressure on the publishing office. The sheer volume of supporting materials made it difficult for the publishing office to have an automated process for ingesting, processing, and publishing to GovInfo. The transition from the 117th to the 118th Congress also caused confusion and left the publishing office without active committee oversight.
The GPO has suggested several improvements to oversight, including developing a process to notify customers to review their information before publication more overtly, requiring written confirmation that sensitive information has been sanitized before submission, and granting congressional oversight the power to take down published material before customer approval.
The data breach report comes as Congress is dealing with another situation involving the hacking of the D.C. Health Benefit Exchange Authority data system, which has resulted in at least three investigations and a federal civil lawsuit against the District of Columbia government. In addition, the personal information of at least 17 current or former members of Congress was exposed in the hack.
Many affected by the breach attended a Christmas party at the White House. The information was collected to vet visitors to the highly protected complex. While administrations usually release lists of visitor names without sensitive personal data, the Trump White House declined to make its list of visitors available. The unredacted social security numbers were published for about a month before a more limited version was released in February.