Earlier this week, former Florida governor Jeb Bush released online a cache of emails sent and received by his personal email address during his time in office. His attempt at transparency turned sour after it was realized that some emails contained personally identifiable information of Floridians, including social security numbers, names, and dates of birth.
Todd Feinman, CEO of data protection firm Identity Finder, ran an analysis of the data and determined that nearly 13,000 unique social security numbers were released. His software, which uses natural language processing to identify sensitive information through contextual clues, found that about 12,500 of those were contained in a spreadsheet embedded in a PowerPoint slide attached to an email dated October 2003.
Kristy Campbell, a spokesperson for Bush, could not confirm that number.
When Feinman and his team first inspected the heavily flagged email, they were unable to locate the data. Initially suspecting it might have been a bug in the code—they had just released a new version of their software—they eventually determined that the information was contained in so-called hidden Excel columns, obscured from view.
Bush’s email address, along with about 50 others (including aol.com and hotmail.com addresses), had been copied on that email. The spreadsheet in question, as the AP reports, concerned “tracking the number of people on a state family service waiting list.” The relevant slide is titled, “Developmental Disabilities Home and Community-Based Waiver Waitlist Data.”
“We’ve redacted the emails that were brought to our attention that contained personally identifying information,” Campbell said. Bush’s team has also removed the downloadable archive, raw data “.pst” files. (Another site, americanbridgepac.org, which hosted the data since December, took the files down Thursday.)
There are, however, social security numbers represented in a non-standard format (e.g. not XXX-XX-XXXX) still visible on copies posted to the web on jebbushemails.com. Feinman estimates that there are 100 still publicly accessible.
A May letter obtained by Fortune shows that Bush’s attorney had asked the Florida Department of State to scrub sensitive information from the archive of firstname.lastname@example.org, so that the emails could be released:
We hope these emails will be available permanently to the public, provided the records are first reviewed by state officials in accordance with with Florida Statute to ensure information exempt from public disclosure is redacted before release, including social security numbers of Florida citizens who contacted Governor Bush for assistance; personal identifying information related to victims of crime or abuse; confidential law enforcement intelligence; and other information made confidential or exempt by applicable law.
“Our site contains the public records made available by the State of Florida,” Campbell said. (Florida’s “sunshine law” opens up the records of public officials by request.)
“The Department of State is currently reviewing our process for redacting confidential information from documents given to the State Archives,” said Florida Department of State spokesperson Mark Ard.