LAS VEGAS (KLAS) — A department within the Clark County District Attorney’s Office mistakenly released nearly 400 Social Security numbers and other identifiable information, opening up questions about its data policy.
The office’s Family Support department emailed out a non-password protected and unencrypted Excel document containing 383 full nine-digit Social Security numbers and last names, records obtained by the I-Team show. The data spans agency collections from late 2018 to September 2020.
Matthew Winchell, of Las Vegas, was mistakenly emailed the Excel spreadsheet in September, a week after he had followed up with the agency about a new source of income to pay child support.
“I’ve been doing IT for 28 years,” Winchell said. “I’m not only astounded about the fact that I received that file and what is in it, I’m more heavily concerned about why, in any workflow in the known universe, is that information in a file the way it is, unprotected.”
After receiving the email, Winchell received a reply from a family support specialist who wrote, “It was an error accidentally sent it to you was meant for my supervisor my apologies. You can delete it please.”
A spokesperson for the office said the incident was reported to the state, and letters were issued to each person whose Social Security numbers were affected. A copy of the letter refers to the incident as human error and advises those whose information was released to monitor their accounts and credit report.
“As a result of this incident, the protocols within DAFS were modified to no longer include individual Social Security numbers in reports exchanged between employees and supervisors,” the spokesperson said, adding the office is now using a different identifier system.
“There is absolutely no logical explanation that I, as an IT guy, will ever accept as to why that information is in the format that it is in,” Winchell said.
The Social Security Administration’s website warns Americans to keep their Social Security numbers concealed, warning a bad actor obtaining a number and other identifiable information can be used to “open bank or credit card accounts, file taxes, or make new purchases in your name.”
There was no evidence Monday of any fraud connected to this incident.
“Our office takes confidentiality and the safeguarding of information seriously,” Clark County District Attorney Steve Wolfson said in a statement. “This was not a widespread release of information, but rather, an email inadvertently sent to an individual person. As soon as we were aware of the mistake made by one of our employees, the management at DAFS immediately addressed the issue, reported the breach and made changes to their procedures to ensure this would not happen again.”
The spokesperson could not say for how long the department was exchanging sensitive information without password protection or encryption.