Frequently Asked Questions
HUD routinely collects personally-identifiable information (or PII) about people who receive housing assistance or other benefits from HUD. PII is information which can be used to distinguish or trace an individual's identity, such as their name or social security number. In August and September of 2016, HUD learned that some of this information was temporarily available to the public through its website. As soon as HUD learned of these incidents, all further access to it was stopped, and HUD took steps to prevent future incidents.
What happened?
- In late August and early September, HUD was alerted to two separate privacy incidents involving PII stored in Excel spreadsheets without adequate security measures.
- The first incident was reported to HUD on August 29, 2016. It involved PII collected by HUD's Empowerment Zone/Renewal Community Locator online tool (EZ/RC locator).
- The second incident was reported to HUD on September 14, 2016. It involved PII pertaining to residents in public housing and the fulfillment of Community Service Self Sufficiency (CSSR) requirements.
August 29, 2016 Incident Involving EZ/RC Locator
What is the EZ/RC Locator?
- Introduced in 1993, the Empowerment Zone (EZ), Enterprise Community (EC), and Renewal Community (RC) Initiatives sought to reduce unemployment and generate economic growth through the designation of Federal tax incentives and award of grants to distressed communities. Local, Tribal, and State governments interested in participating in this program were required to present comprehensive plans that included the following principles:
- Strategic Visions for Change
- Community-Based Partnerships
- Economic Opportunities
- Sustainable Community Development
- Communities selected to participate in this program embraced these principles and led projects that promoted economic development in their distressed communities. Tax incentives for employers to hire EZ, EC and RC residents were among the federal benefits available to designated communities. HUD developed the EZ/RC Locator to assist employers in determining whether employees' addresses were in the designated geographic areas for purposes of claiming tax incentives.
HUD Response
- On August 29, 2016, HUD was notified that PII including social security numbers (SSN) was accessible on a www.hud.gov website. The PII had been identified via an internet "Google" search.
- HUD subsequently determined that the information was contained in Excel files inadvertently collected through the EZ/RC locator system, and improperly stored on a web-server.
- Upon confirmation of the incident, public access to the directory of files was removed and the upload feature disabled.
- HUD did not request, and did not need, this extraneous information. Until reported, HUD was not aware that this information had been erroneously uploaded to the server.
- Further review revealed that, despite the EZ/RC locator instructions that requested uploading of address only, approximately 20% of third-party employers and tax preparers using the Locator had uploaded spreadsheets containing unnecessary PII, including names, social security numbers, and date of birth.
- HUD has undertaken a review of external websites to identify any additional instances of unsecured PII stored or available. To date, these efforts have not identified any additional incidents. This work is ongoing.
PII Disclosed
- The spreadsheets uploaded into the EZ/RC Locator varied in the number of individuals and the type of PII included. Most commonly, the files contained name, full or truncated social security numbers, and address. In some cases, additional PII was included, for example: date of birth, income, and demographic information.
How many people were impacted?
- 50,727
How long was the PII available?
- The files uploaded to the server through the EZ/RC system dated back to 2014. Access to view or upload files through EZ/RC locator was disabled on August 31, 2016.
September 14, 2016 Incident Involving CSSR information
What is CSSR?
- CSSR is the Community Service and Self Sufficiency requirement for public housing residents. Basically, public housing residents between the ages of 18 and 62 are required to perform a certain amount of public service each month and Public Housing Authorities (PHAs) are required to report compliance or non-applicability of their residents in the above age group. An OIG audit found that HUD was not monitoring the requirement sufficiently and HUD responded by developing reports to share with PHAs to assist them in fulfilling this requirement.
HUD Response
- On September 14, 2016, HUD received notice of an incident involving unsecured Excel files containing PII available at a public-facing website on www.hud.gov.
- The Excel files were posted as part of HUD's CSSR reporting initiative.
- Links to the identified file were disabled, and HUD began a review of the incident.
- The website information was supplied to points of contact at all PHAs so that each PHA could cull information related to its residents. This also allowed any PHA point of contact to review information related to residents outside of the PHA's area.
- HUD has undertaken a review of external websites to identify any additional instances of unsecured PII stored or available. To date, these efforts have not identified any additional incidents. This work is ongoing.
PII Disclosed
- HUD's CSSR reporting included resident last name, last four digits of the resident's social security number, and building code identifiers.
How long was the PII available?
- HUD made these postings five separate times beginning in August 2015.
- After this incident was reported, HUD confirmed that the information could no longer be accessed online on September 22, 2016.
How many people were impacted?
- 428,828
How do I know if these incidents impacted me?
- HUD is providing direct notice by mail to all individuals impacted by this incident. Those individuals will be offered no-cost credit monitoring services for 1 year.
- If you are impacted by this incident, you will receive a notice letter in the mail. Please note: HUD will NOT contact you by telephone or email to request information.