
Nonprofit Tax Returns Provide a Gold Mine of Exposed SSNs

By Carlton Purvis

Donors to charities, staff at nonprofits, and scholarship recipients should be wary about sharing their Social Security numbers (SSNs) with tax-exempt organizations whose returns become part of the public record, says a new study published by a data loss prevention company.

The New York-based company Identity Finder says a review of millions of IRS 990 forms found more than 170,000 unique SSNs, putting individuals at increased risk for identity fraud.

Tax forms for charities and nonprofits are public record and 990 forms are marked “Open to Public Inspection.” And although the practice of including SSNs on these public tax documents is decreasing, Identity Finder found that between 2001 and 2006, 18 percent of all nonprofits included at least one SSN on a 990. Thousands of the SSNs belonged to high school and college scholarship recipients, board members, and employees. In 2001, 16 percent of 990s contained at least one SSN. By 2006, the percentage decreased to 6.8.

In all, Identity Finder found that 132,362 nonprofits published a total of 472,866 SSNs on tax returns – 171,005 were unique. The organizations included community foundations, free-food distribution programs, volunteer organizations, scholarship organizations, universities and colleges, and alumni associations. Some organizations published no identifying information at all, but others published SSNs along with names, addresses, and detailed transaction information.

Based on the U.S. Government Accountability Office definition of data breaches—an organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information—76,799 organizations had a data breach on their 990 forms, according to the Identity Finder report. Identity Finder was midway through the study when the first breach notification law came into effect, so it’s not clear whether any of these exposures constitute data breaches under state or federal law, the report states.

In its study, Identity Finder did not contact any of the owners of exposed SSNs to see if they had been victims of identity theft in the last few years, but “there’s a lot of things that can happen when you have someone’s name, address, and Social Security number,” Identity Finder CEO Todd Feinman said by phone on Monday. “With Social Security numbers and the full name that are in these reports, someone that wanted to commit identity fraud could use that information to open up a credit card, open up mortgages, and claim tax return refunds.”
