An employee at the Revenue Department's regional office in Brainerd sent a package by certified mail on May 16 to the department's headquarters in St. Paul. It's never been found. Revenue officials say the lost package contained three checks totaling $2,400 and a computer backup tape. On that tape are Social Security numbers and other information for 2,400 individuals, and identifying information for 48,000 businesses.
Revenue Commissioner Dan Salomone called the situation "a nightmare." But Salomone says even if someone stole the tape, it would be difficult for anyone to access the personal data.
"We are confident that even if there are any bad actors involved here and they get ahold of that tape, they're not going to be able to read it," he said.
Revenue officials say someone would need about $50,000 worth of specialized equipment and software, and a secret code, to access the data. The department sent letters to the individual taxpayers whose data was on the tape, and will notify businesses next.
This is a nightmare for me that this happened.State Revenue Commissioner Dan Salamone
Salomone says the data comes from cases involving tax debt the Brainerd office was working on. He says Minnesotans who have been paying their taxes for years probably wouldn't be included on the tape.
"Taxpayers generally don't need to be concerned about this unless they receive a letter from us or a phone call from us," according to Salomone.
Both the Revenue Department and the U.S. Postal Service are investigating the matter. Salomone can't explain why it took a month for the Brainerd office to notify St. Paul about the missing package. He also says department employees generally use FedEx or UPS to send packages with personal data to the main office, and he's not sure why certified mail was used in this case.
The U.S. Postal Service Web site recommends registered mail or other more secure services for sending valuables and irreplaceable items, instead of certified mail.
Postal inspector Adam Behnen says the post office continues to try to find the package.
"There's no indication of a theft at all," according to Behnen. "As a matter of fact, that Baxter contract post office has been in business with us for 12 years, never a record of loss. Our St. Cloud facility and our St. Paul facility, the history of losses is very low. Usually the parcels are recovered."
The Post Office has no record of the package, other than the receipt from the Baxter Post Office. Revenue officials say they're testing technology that would connect regional offices to St. Paul servers, and eliminate the need to transfer tapes by mail.
State Rep. Jim Davnie says state government needs better procedures to protect citizens' information. The Minneapolis DFLer has taken a leading role on information security issues. He says the missing package raises concerns, particularly when combined with the recent incident of three laptops with private data stolen from the offices of state Auditor Pat Anderson.
"Nobody seems to be watching the store on I.T. security within Minnesota. And I'm thinking what we need is we need some legislative oversight of state agencies on I.T. security issues," Davnie said.
The Revenue Department has seen two other recent data thefts, which have yet to result in misuse of the information. Davnie says the department should offer credit monitoring services to affected taxpayers, something the federal Veterans Affairs Department did after the data of more than 17 million veterans was stolen. Commissioner Salomone says his agency is considering that.
Identity theft expert Evan Hendricks says Minnesota's situation is not unique. Hendricks, the publisher of Privacy Times, says he's hearing plenty of anecdotal evidence of potentially compromised private data at state governments across the country.
"Unfortunately, consumers and taxpayers cannot be confident that many of our government agencies and businesses are putting enough care into handling our data. This last year has been the year of the data breach, where our personal information is leaking out all over the place, because laptops are lost, or magnetic disks full of our data turn up missing, or hackers are hacking into their systems," he said.
The state DFL Party called the missing data "a public embarrassment," and blamed Gov. Pawlenty for not giving state government enough funding to protect private data.
Pawlenty spokesman Brian McClung says the DFL attack is "ridiculous." He says there's no evidence of any theft or improper use. Pawlenty signed a law this year allowing Minnesotans to put a security freeze on their credit reports, a measure which may be increasingly useful.