By SCOTT BAUER
MADISON, Wis. (AP) – Social Security and tax identification numbers of more than 110,000 people and businesses who sold property in Wisconsin last year were inadvertently included on an annual sales report publically available on the Internet for three months, the state Department of Revenue said Tuesday.
The department removed the 2011 report from its website Monday and asked appraisers, real estate agents and others who downloaded it to destroy their copy and get a new one without the sensitive information. The report is primarily used by real estate professionals and organizations to find property sales information across the state when appraising property, advising clients and negotiating prices, according to the Revenue Department.
Internal procedures for posting reports to prevent such security breaches were not followed, said Revenue Department Secretary Richard Chandler in a prepared statement.
“Reports and files are required to be reviewed prior to posting, and I have asked our legal counsel to review which steps were missed and why the personal information was not extracted,” Chandler said. “Customers need to know they can trust the agency with confidential data.”
The report had only been accessed 138 times between April 5 and Monday, said Revenue Department spokeswoman Stephanie Marquis. The risk of anyone having their identity stolen is “relatively small,” she said.
As many as 110,795 Social Security numbers and tax identification numbers were on the website in an imbedded file included in an Access file showing the sales data.
Most people who access the file are real estate professionals and probably didn’t even know the personal information was there since viewing it requiring clicking on an imbedded file, Marquis said.
“We weren’t hacked, this wasn’t malicious,” she said. No income, corporate or other tax files were affected, the department said.
Letters to those affected offering free credit monitoring for a year will be sent soon, Marquis said.
The actual number of people and businesses affected is likely to be less than the 110,795 because there may have been multiple sales by the same person, she said. Also, not everyone who made a sale last year provided their Social Security or tax identification number for the paperwork. There were 162,002 sales listed in the report.
Information about sales in the state, based on publically available records, has been posted online since 2009.
This is the third time since 2006 that the Department of Revenue has made taxpayers’ personal information public. In December 2006, the department mailed 171,000 tax booklets with recipients’ Social Security numbers printed on the label. In January 2008, up to 5,000 tax forms were mailed that included the number in the address pane.
There were no known cases of identify fraud related to those two previous breaches, the department said Tuesday.
Since those two cases, the department said it enacted a number of steps to protect against security fraud, including procedures related to physical security, paper and electronic data security, as well as employee education and training.