Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Identity Theft from University Computers

Posted by samzenpus on Wed Jan 12, 2005 09:15 PM
from the don't-trust-anyone dept.
Security
Different River writes "Someone broke into the administrative computers at George Mason University and accessed personal information, including social security numbers, of 30,000 students, faculty, and staff. "Before the hacking, the university was in the process of replacing students' Social Security numbers with other internal numbers to protect against identity theft." Looks like they just missed it."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Identity Theft from University Computers 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • To be honest.. (Score:3, Interesting)

    by Tobias.Davis (844594) <tobias.davis@g3.14159mail.com minus pi> on Wednesday January 12 2005, @09:17PM (#11343998) Homepage
    Any corporation / school / government entity that uses SSN to identify a individual either on paper or digitalized is out for a harsh reality: Personal identity theft is real and here to stay. Now if I could just figure out how to talk these old timers to drop the SSN number they want labeled on their checks..
    • Now if I could just figure out how to talk these old timers to drop the SSN number they want labeled on their checks..

      Is this a store, or some other company you deal with voluntarily? Drop them if they won't drop the SSN issue - find someone else to deal with. Let them know why, and give them a chance to change the policy, but dump them and stick to it...

      • Actually I'm talking about my father, who insists that his SSN needs to be printed on his check. For myself, I'm a 27 year old that has little credit history no credit cards and only 1 dealing with a financial institute (for a vehicle loan). Yes, I'm eccentric but I have no use for the credit system in america. Any information I have on file is positive, but I don't go looking to use my SSN anywhere
        • Actually I'm talking about my father, who insists that his SSN needs to be printed on his check.

          Now I understand. There was a store in the area a few years ago that was demanding my ssn be written on any checks they took. I've no idea if they still do, I left my things on the counter and walked...

          You're right, it's crazy to print that. Unfortunately it may take a case of ID theft to get him to stop.

          Congrats on dodging the credit system, I'm working my way in that direction (a whole lot harder when you

              • Re:To be honest.. (Score:5, Informative)

                by David_W (35680) on Thursday January 13 2005, @09:06AM (#11347931)
                My bank tries this on me whenever I call to talk to someone they want my account number and SSN to identify me. I always refuse...

                I'm curious why you have a problem with this? The bank already has your SSN on file (IIRC it's a tax requirement), so it's not like you are giving them any new information, merely confirming something that they can see on the screen in front of them.

  • This just goes to show.... (Score:5, Insightful)

    by ecammit (775253) on Wednesday January 12 2005, @09:18PM (#11344005) Homepage
    This just goes to show why using social security numbers for identification purposes is a bad idea. It always disturbs me how many places actually have that number. It was supposed to really be a secret number to identify your for social security, not everyday identification.
    • Other than the BMV (and I can't figure out why they need your SSN), most of the places that have it are because they need to report tax information about you. You don't have to give it to anyone else. Some places will get annoyed with your request to have a special identification number, but they will accomodate you. My undergrad used to use SSNs for identification, but you could always request a different ID number at any time.
    • I agree, it's ridiculous but not surprising (sorry I won't go off on how much I loathe universities) that they use SSNs as IDs. My girlfriend's university displays her SSN right on her ID card (attends SFSU, which displaying SSNs is illegal in California, but don't ask me how they get away with it) and my dad told me that Arizona puts your SSN right on your Driver's License. How idiotic is that?

  • I always hated giving the SSN (Score:5, Interesting)

    by Class Act Dynamo (802223) on Wednesday January 12 2005, @09:19PM (#11344008) Homepage
    I always hated that about college. Where I went, EVERYTHING was connected to the SSN of a student. They knew it was, at the very least, imprudent. When a student first enrolled, there was an option somewhere that the student could check off signifying that he/she would like to be assigned a non-SSN ID. It was in an obscure place, though. I only found out about it when I started working for the University. It was almost as if they hid it, knowing that this is the last thing on most folks mind who are just enrolling at the university.

    • Re:I always hated giving the SSN (Score:5, Informative)

      by DrkShadow (72055) on Wednesday January 12 2005, @10:39PM (#11344743) Homepage
      Likewise. Apparently there was such an option on the applications I filed, but I never saw one. Actually, on the second, I left the SSN field blank. Chaos ensued.

      As for that incident, I ended up having two university accounts, they signed me up for health insurance despite my declining it, etc etc. Basically, they manually merged the two accounts using default options for everything. This after complaining to the registrar's office and such... I assume it occurred because the financial aid office had my SSN and that account was being used. It's all taken care of now. 901-xx-xxxx. Completely invalid. (900's don't work.)

      The other incident was at Michigan Technological University -- saw no option to not have my SSN as my everything-number. In this instance, I gave it because I didn't want to risk not being accepted. Later, I went to the registrar's office to try and get the so-called "M" number that they gave in place of SSNs. At the time I was told that I could only do it if I declared my account confidential -- have to show photo ID, everything done through the mail and so forth; a real pain in the ass. I put that off, but went back a month later with the intent to declare my account confidential. Lo and behold, magically, I no longer had to declare my account confidential and walked out with an M number. M0026xxxx. Still remember it, two years later, even. There's something about numbers...

      But, those're my stories. Really, you CAN change from your SSN after the fact. Many people have bitched, "That's the trouble when you don't stick with your SSN" and such, but I just start talking to them as though they're stupid. That's because they are.

      Go tomorrow, get it changed; keep your confidential data confidential.

      -DrkShadow

    • Re:I always hated giving the SSN (Score:4, Funny)

      by ComputerSlicer23 (516509) on Wednesday January 12 2005, @10:50PM (#11344817)
      Yeah, I irritated several people, and made a lot of people in the registrars office laugh when they asked for my name, I just gave them my SSN to save time. Everyone understood it was an implication that I was just a number at the University.

      It actually saved time. It was the next thing they were going to ask for anyways, and they wouldn't do anything to my records until I told it to them. They didn't need to know my name, and if they did, it'd be on the first screen they pulled up if they felt the need to use my first name to make me feel like a person.

      Kirby

  • soooo (Score:5, Funny)

    by ikea5 (608732) on Wednesday January 12 2005, @09:19PM (#11344011)
    no mention of the grades?

  • Suspicious? (Score:2, Interesting)

    by Dekks (808541)
    It seems like bit of a convenient coincidence that this happened just before they replaced their ID numbers with something other than Social Security numbers. Someone has obviously been paying attention in their Computer Science classes.

  • And that's the one you know about... (Score:5, Interesting)

    by ergo98 (9391) on Wednesday January 12 2005, @09:19PM (#11344019) Homepage Journal
    The most remarkable thing to consider regarding these types of stories is the fact that, more often than not, the hackers are incidentally detected (e.g. they send an email saying "give me money or I go public!").

    How many of these incidents happen with no one the wiser. Just guessing, but I'd wager at least 10 major silent exploits for every 1 publicized event. How many employees of Big Corporation are doing a ZIP of the company database onto a USB key "just in case", and how many servers are silently owned month after month.

  • The worst thing about this (Score:3, Interesting)

    by Anonymous Coward on Wednesday January 12 2005, @09:20PM (#11344028)
    There are probably a lot of cases just like this where either the hacked party isn't even aware they got hacked, or the hacked party knows they got hacked and isn't talking about it. Which makes you wonder how long our credit system can stand up to rampant large-scale ID theft.

    Stock up on canned goods, folks.
    • Stock up on canned goods, folks.

      And use someone else's credit card?

    • There are probably a lot of cases just like this where either the hacked party isn't even aware they got hacked, or the hacked party knows they got hacked and isn't talking about it. Which makes you wonder how long our credit system can stand up to rampant large-scale ID theft.

      Stock up on canned goods, folks.

      Americans have one of the lowest savings rates for a developed nation. There are several studies which indicated many Americans spend more than they earn. Even worse, other than home ownership

  • I'm less worried over this.. (Score:3, Insightful)

    by Tracer_Bullet82 (766262) on Wednesday January 12 2005, @09:21PM (#11344039)
    than from internal threats.

    How many cases of internal theft do we know?

    As someone who once created and maintained my high school information database, I know how easy the system can be abused.

    What's very imporant is that Universities have strict and applied policies dealing with information and database handling.Limiting the numbers that have access is paramount.
    Background checks for personnel involved should be done too.
    • In the US, there are laws and regulations that exist to protect student privacy. These regulations are known as "FERPA". Although these FERPA laws seem to apply only to your "academic record", your academic record includes things like keeping the fact that you even attended a school (as being a student with an academic institution is defined as being part of your academic record).

      Of course, no laws prevent an academic instituion from doing dumb things like not using quality security strategies or outsou

  • wow too bad.... (Score:5, Informative)

    by djeddiej (825677) * on Wednesday January 12 2005, @09:21PM (#11344041) Homepage
    I had an opportunity to work at a University in Canada as a development contractor, and literally had access to thousands of student numbers and personal information. There is a large push to web-ify a lot of applications, but the educational sector is lagging in terms of security. A strong initiative has to be undertaken at all levels of academic administration to better enforce security rules, from the registation process all the way to marking and evaluation.

  • It wouldn't have mattered. (Score:5, Informative)

    by and by (598383) on Wednesday January 12 2005, @09:22PM (#11344051)
    Schools phase out SSN usage to prevent identity theft due to losing your wallet with your student ID therein. They still have the SSN on file for financial aid use and it's still part of your student record. It just isn't usually printed.
    • they could have had another, privilidged, db for that information though. one that only people who need to have access would have access to.

      but that would have assumed them to have a clue, or having cared..

  • In Australia.... (Score:5, Interesting)

    by fodi (452415) on Wednesday January 12 2005, @09:22PM (#11344063)
    One of the National Privacy Principles introduced by the Privacy Act 2000, prohibits a private organisation from using such information to uniquely identify a person. Maybe other countries should follow suit and enforce such a law...
    • Here (the U.S.A.) we have a similar law. The Social Security Administration is the only agency / organization which is unconditionally allowed to use the SSN for identification purposes. Even other parts of the government can't if the citizen doesn't let them. That's why the IRS (Internal Revenue Service) allows you to fill out a form and get a Taxpayer Identification number (which you'd then use for financial aid).

      Private parties and organizations don't have the right to demand your SSN. Nonetheless,
  • What OS was their server running????
    • Depending on what department, it can vary greatly. In our ECE department, we have a Solaris server (cpe01.gmu.edu). The main server for the school is an old Alpha (named osf1.gmu.edu). However, from what I've heard around campus, this one was probably a Windows server that didn't have all of the patches applied. Many of the different offices operate as a Windows only shop.
  • PLEASE tell me this place is well known for it's high grade IT majors. That would be hillarious and really make my night.

    Alternatively just say they had a fully patched windows machine, both works fine.
    • Actually George Mason University is one of the few that have Ph.D programs in Information Technology, but it goes further such as they have "Information Technology with Concentration in Information Security."

      Kind of ironic that they would have a graduate program there for information security and they just got hacked.

      I think it might be an inside job though.

  • Someone follow that example. (Score:5, Funny)

    by philovivero (321158) on Wednesday January 12 2005, @09:26PM (#11344109) Homepage Journal
    We need more organisations using other unique identifiers for people than Social Security numbers. This will seem radical to you if you're a politician, but I recommend Social Security numbers should only ever be used for Social Security.

    My mother a few years back pointed out that once upon a time, our politicians actually said, boldly, in front of the entire nation, that in Soviet Russia, the government numbered the citizens. They said this was proof that the soviets were an evil dictatorship sort of country, and not a democracy, where we can vote for naked petrified persons (so long as they are American-born).

    She challenged me to imagine a beowulf cluster of Social Security numbers, and how easily such a cluster could be abused (a near-limitless supply of identities to steal).

    Now, sadly, all our base are belong to the myriad entities that have our Social Security number (along with mother's maiden name, date of birth, income, and all the other things identity thieves might want). You'd expect us, as a society, to be smarter than that.

    Hopefully others will follow the example of this school, and migrate away from using social security numbers for illegitimate purposes.

  • I'm a Student at GMU (Score:5, Informative)

    by grylnsmn (460178) on Wednesday January 12 2005, @09:30PM (#11344148)
    Here are the two emails that they've sent to students about the incident:

    To: Mason Community

    From: Joy Hughes, Vice President for Information Technology

    Subject: Illegal Intrusion into University Database

    The university server containing the information relating to Mason's ID cards was illegally entered by computer hackers. The server contained the names, photos, social security numbers and G numbers of all members of the Mason community who have identification cards.

    The intruder installed tools on the ID server that allowed other campus servers to be probed. An Information Technology Unit staff member noticed the attack while reviewing system files as part of the university's internal controls procedures, and traced it back to the ID server. The compromised ID server was disconnected from the network and is no longer accessible. The police are currently investigating the break-in. The university is subject to dozens of probes and attacks each day.

    There is no evidence that any of the data available on the Mason ID server has yet been used illegally. It appears that the hackers were looking for access to other campus systems rather than specific data. However, it is possible that the data on the server could be used for identity theft.

    Following are steps each of us should take to minimize the likelihood of ID theft from this, or any other similar incident.

    - Contact any of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert advises new and potential creditors that they should contact you before opening any new accounts in your name. Additionally your existing creditors are advised that they should contact you prior to making any changes (e.g. credit limit change) in your account. Once you notify one credit bureau, the fraud alert will be sent automatically to the other two. All three bureaus will send you credit reports free of charge once they receive the fraud alert. The three credit bureaus can be contacted as follows:

    Transunion
    1-800-680-7289
    www.transunion.com

    Equifax
    1-800-525-6285
    www.equifax.com

    Experian
    1-888-397-3742
    www.experian.com

    - Continue to check all your accounts on a regular basis for unusual activity.

    - The Federal Trade Commission Identity Theft Hotline gives a good overview of what to do when you think your information may have been stolen but have no evidence that it is being used. The number is 1-877-438-4338. Press #3. The Federal Trade Commission also has a website with extensive information about identity theft at www.ftc.gov/idtheft.

    If you have further questions, please call 3-8116. The university's IT Security Coordinator Cathy Hubbs is monitoring this line and will ensure that your message is immediately forwarded to the most appropriate person.

    We understand that taking these steps is inconvenient, and regret that the server attack makes it necessary. While it seems unlikely from the evidence currently available that identity theft has occurred, it is important to take these protective actions. We will share any further information about the intrusion and its effects as soon as it becomes available.

    and

    To: Mason Community

    From: Joy Hughes, Vice President for Information Technology
    Subject: Computer Break-In Information Website Now Established

    A new website giving information regarding the illegal intrusion into
    the university's ID database server is now on line at
    http://www.gmu.edu/intrusion. The page can also be accessed through links on
    the Student and Faculty and Staff resource pages on the home page. Due
    to the large number of calls we have received on the information line,
    we are noting your questions and providing the information on this page.

    We will regularly update the page as more information becomes
    avail

    • The SSN upgrade process should point to places and people to start investigating.

      Timing like that could be more than coincidental.

      By the same token, it could be a coincidence that only one student in the Computer Security Fundamentals 101 course was passed by a hoary professor.

  • suspiciosity (Score:3, Interesting)

    by solaraddict (846558) on Wednesday January 12 2005, @09:36PM (#11344210)
    The one thing that would make me suspicious would be the fact that the intrusion happened just as they were transforming the data to use some other sort of unique id - IMHO an insider alert if ever there was one.
    • The one thing that would make me suspicious would be the fact that the intrusion happened just as they were transforming the data to use some other sort of unique id
      That doesn't surprise me at at that it was found at this time - the system would be coming under more scruting than usual, so intrusions may have happened before but were only noticed at that time.
  • So what legal recourse do the students have? As far as I'm concerned, the organization is liable, and the students should launch a class action lawsuit, if nothing else, but for lost productivity time, which is what companies usually seek when they go after hackers. The school is no better than the people that hacked them if they couldn't safeguard this personal and highly sensitive information.

    You'll also notice that the asshole of a VP didn't even apologize for the situation. Just that he regrets it. Mak
    • I was one of the potential people whose information was obtained. I am not planning on taking action against the univesity nor would I do so even if finacially harmed, unless it can be proved that there was gross negligence. GMU has made a good faith effort to switch IDs from SSNs to the new 'G' numbers. If my information was used to fradulently open acounts under my name, I would estimate primary people responsible are in my estimation:

      1) The thief
      2) The creditors for their lack proper verification al

  • Universities are security risk (Score:3, Interesting)

    by bigberk (547360) <bigberk@users.pc9.org> on Wednesday January 12 2005, @09:47PM (#11344315)
    Universities are notorious for not having good network and server security (hard to hire the required large staff to oversee so much data). I now work in the computer security field, and when I look back at my university experience I see lots of very frightening things -- besides just the extent of the records the university keeps, they also tend to print things like your birth date on records. Having your date of birth intercepted is bad news, and it is really disturbing to see it printed in so many places, especially along side your SSN / SIN.

    On top of that, network security in general is weak and so there are all these students using unencrypted shell logins, and exchanging sensitive data over email. Or doing online banking on public machines, where key loggers could easily be installed. Lots of students live at the university, so they have to use computers for sensitive tasks like banking (unless they happen to have a laptop).

    The whole experience made me resolve to keep tight control of aspects of my privacy. If someone tries to hijack your identity, the tell tale signs are: money disappearing, and new accounts being opened. So you must keep accurate records of where your money is, and watch those balances. Also order yearly credit checks, which are free to do. If someone is opening accounts under your name, you can at least catch it.

  • US Army and identity theft (Score:3, Informative)

    by Jeff Carr (684298) <slashdot.com@jeff c a r r .info> on Wednesday January 12 2005, @09:50PM (#11344338) Homepage
    When I was in the army 1995-1999, the pay stubs were just printed on on a normal sheets of paper, and handed out to everyone once a month.
    Some of the information freely available to anyone who cared to look at it was:
    • Your full name
    • Date of Birth
    • Social Security Number
    • Bank Name
    • Bank Account Number
    • The Amount of the Deposit
    • The Date of the Deposit
    It had more information than that, but plenty enough to call my bank and transfer money to another account. I assume they've improved since then, but they should have known better even then.
  • This exact same thing happened at the University of California - San Diego about 8 months ago or so. I got a letter shortly afterward, informing me of the break-in and urging me to put a freeze on those accessing my credit report and to review my credit report for fradulent activity. What a pain.
  • Even using alternative identification numbers will only limit identity theft rather than eliminating it. I think law enforcement and prosecution is the answer.

    After all, it's an information society: abusing personal information harms the fabric of this society, as well as the specific individuals and organizations involved.

  • No such thing as "Just missed it" (Score:3)

    by Hangtime (19526) on Wednesday January 12 2005, @10:13PM (#11344535) Homepage
    This was no coincidence. Someone saw this coming change and decided to cash-in while they still could.

  • Oldest excuse on the books (Score:3, Interesting)

    by iamacat (583406) on Wednesday January 12 2005, @11:34PM (#11345123)
    I bet they have been "in the process or replacing the system" since last century. They just didn't do any serious work on that until they got busted. Same as US Airways over christmas and countless companies with Y2K bug until 1999. Everyone with decision making power should take a serious pay cut and students should get tuition discounts to offset the cost of dealing with identity theft.

    If they really took the problem seriously, an upgrade wouldn't take long at all. Just mechanically replace SSNs in the database with unique, randomly generated 9 digit numbers and set up a web page that maps SHA(SSN) to the new ID.
    • I worked for AT&T Wireless when they were breaking off from AT&T proper. One of things that needed to be done was to replace all of the AT&T employee ID numbers with new AWS employee ID numbers.

      It. Took. For. Ever.

      All sorts of disconnected systems keyed to that AT&T ID # that needed to be updated and changed and the change need to happen in one fell swoop and nothing could fail.

      I'm betting a university setup is even worse.
    • With a SSN and a forged birth certificate or forged drivers license you could can credit cards/loans/etc.

        • Actually, it's a problem with both. When the SSN was first conceived is was specifically NOT supposed to be any sort of ID system. Obviously that changed.

          Some states have solved the problem. In Texas, for example, people can "lock" their credit information. With it locked no one can get credit reports which makes it impossible to get credit, even if the person has the SSN, drivers license, birth certificate, etc.

          Of course the credit companies are fighting these laws because they like the idea of fast
    • You obviously don't live in the USA. With someones name and SS# you can create a fake identity that appears to anyone and everyone to be the other person since they have all the right numbers. You could perhaps get a Drivers License, access Finacial Records, take out credit, etc. A lot of vendors have a 2nd level password if they use your SSN for Identity but there are still a lot that if you got the number they don't bother to verify anything else. It's also the number the IRS uses to track you for tax pur
    • You can burn the low-level guys all you want, but upper management should have had security audits done and weeded them out before an actual breach.

      We don't know if mandates from above caused things to get forced into production without proper measures because of unrealistic deadlines or pathetic budgets, either.

      Perhaps if the school as a whole had to carry information security liability insurance they'd be forced by an insurance carrier to be compliant with some security standards.

    • I'm a fire fighter, and we are constantly cutting dead and fucked up people out of cars, the worst ones are the idiots who don't wear seatbelts.

      Don't know if you've seen this [dailynebraskan.com].

      The sequel [journalstar.com] is a kicker.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.