Non-profit tax forms posted by IRS expose 630,000 SSNs
An estimated 630,000 social security numbers (SSNs) on non-profit organizations’ tax returns— Form 990s—have been posted online by charities and the IRS since 2001, leaving unprotected consumers at risk of becoming identity theft victims, say the result of a research by Identity Finder.
Unlike personal tax returns on Form 1040, Form 990s are public documents. Because the IRS does not redact personal information on the original forms, sensitive data belonging to scholarship recipients, donors, trustees and employees remains in the public domain. In some cases, names, full addresses and detailed transaction information accompany SSNs.
In addition, the organizations’ accountants who identified themselves by using their SSN, rather than their Preparer Tax Identification Number (PTIN), were also exposed.
The most common offenders include:
- Advocacy organizations
- Alumni associations
- Community and scholarship foundations
- Private trusts
Identity Finder’s research team was able to discover the information by searching with its Sensitive Data Manager solution more than 3.8 million 990 forms between 2001 and the first half of 2013.
Although the alarming amount of available personal data is still a big problem, Identity Finder learned that progress is being made to protect data on newer forms: The percentage of organizations that published at least one SSN has decreased from 16.6 percent in 2001 to under one percent in 2013.
However, the total number of SSNs exposed continues to increase year after year, and the IRS’ Office of Privacy and Information Protection has declined to delete existing SSNs from the public documents.
The problem of exposed sensitive data on 990 forms is not getting better, but it is getting worse at a diminishing rate. There were more than 11,000 unprotected SSNs on 990 forms last year and 630,000 social security numbers still remain available for identity thieves.
Non-profit organizations who learn they have published SSNs should warn those affected that their names and SSNs are part of a document on public record and that they may be at increased risk of identity fraud. Further, the IRS should take all available steps to eliminate SSNs from these public documents.
To view the full report, read suggestions to organizations and consumers and to use Identity Finder’s EIN search tool to find out whether your organization has exposed SSNs online, go here.