Cornell Computer Theft Puts 45,000 At Risk of Identity Theft

Posted by timothy
from the into-the-gorges-with-the-thief dept.
PL/SQL Guy writes "This afternoon, Cornell alerted over 45,000 current and former members of the University community that their confidential personal information — including name and social security number — had been leaked when a University-owned computer was stolen. A Cornell employee had access to this data for troubleshooting purposes, and the files storing the sensitive information were being stored on a computer that was not physically secure. The university is not disclosing details about the theft. This isn't the first breach for Cornell; last June, a computer at Cornell used for administrative purposes was hacked, and the University alerted 2,500 students and alumni that their personal information had potentially been stolen."
  • by introspekt.i (1233118) on Wednesday June 24, 2009 @05:28PM (#28459829)
    Is like trying to hold water in a sifter. It's only a matter of time before some doofus puts an .xls file with everybody's info into a web share and then says "hackers compromised the [publicly available] private student data". Not like I haven't had any experience with this....or anything.
    • by LaskoVortex (1153471) on Wednesday June 24, 2009 @05:34PM (#28459913)

      I was once emailed a Word file with about 300 students' names, birthdates, social security numbers, and yes, user passwords for their university accounts. It was not encrypted and it was unsolicited--she needed help "opening" it. I promptly encrypted the file, deleted the original from my pop account, and then went to her computer and changed the name to have a ".doc" suffix. She was magically able to open it after that.

      These are the people we entrust with our sensitive information.

      • These are the people we entrust with our sensitive information.

        You are only as strong as the weakest link, and they should really have some really basic security training for every person in an office setting.

      • I have no idea why this is modded funny. The correct moderation for this is +1 "We feel your pain, please revoke the user's privs. Immediately"
        • by quadrox (1174915)

          While we are being completely OT, I have a question about your sig - how is that supposed to work?

          If I mod something up it is because I believe in what is being said in that post. If I did not personally believe what is being said (e.g. because I have counter arguments, my experience has been different etc.) I have absolutely no reason to mod someone up. The same is true vice versa for downmods.

          I would appreciate help on how I should prevent my own beliefs/knowledge/opinions from interfering with my moderat

          • You're not supposed to moderate so much on the topic, as the amount of information and presentation of said info.
            If they bring forward a point you don't agree with, but fully support it with evidence, logical arguments, etc, then you mod it up, or at least, don't mod it down.

            If they just say "Lunix/Winblows/CrackOS sucks cuz my homie knows a guy who's friend got a virus on it!" well...then you troll mod into oblivion.

            Comments of "I agree" don't add anything useful to the conversation, and only serve to fil

            • by quadrox (1174915)

              Thanks for your reply. What I really needed was gnapster's introduction though "The point of the moderation system is not to make sure that only "true" things get posted," - that really helped get the point across :)

          • by gnapster (1401889)

            The point of the moderation system is not to make sure that only "true" things get posted, or that we only see what we agree with. It is to help sift through the comments for anything which is a worthwhile contribution to the discussion. From the FAQ [slashdot.org]: "The moderation system is designed to sort the gems and the crap from the steady stream of information that flows through the pipe." When all the comments are in and the moderators have finished their work, you should be able to read the thread at +3 (or so

            • by quadrox (1174915)

              Ok thanks, although I have read most of the FAQ I somehow missed that point. If that is the intention of the moderation system I will try to stick with it in the future. My only problem has been that it is very difficult to mod something "insightful" if it is clear to me that the poster is obviously wrong - even if he supplies plenty of arguments. But if the moderation system is mostly about the, shall we say "form" of the post instead of the actual content I see the point.

              • by gnapster (1401889)
                Do take my advice with a grain of salt. The truth is that I have not been moderating for very long. But my understanding of the spirit of the thing has been that, at the end of the day, we want to see a discussion thread filled with interesting and enjoyable comments, and nothing else.
      • Re: (Score:3, Insightful)

        by tnk1 (899206)

        Hell, I once worked at a place where HR sent the spreadsheet that contained every employee and their salaries in it to ALLSTAFF, not once, but twice. At the time I was the mail administrator, and it was a gigantic pain in the ass. I really didn't even have time to write a script to do it, I had to login to the server, and use Pine to turn everyone's mail into just another folder that I could access and I manually went in and had to find and delete the mail from like 300 people's inboxes.

        Obviously, to this

        • Hell, I once worked at a place where HR sent the spreadsheet that contained every employee and their salaries in it to ALLSTAFF, not once, but twice.

          Try working for the state. I was sent such a spreadsheet twice myself in my current employment -- published in the campus newspaper. Salary information isn't always private; it depends who's footing the bill.

        • Re: (Score:3, Insightful)

          by stephanruby (542433)

          Why do you need a list of everyone's salary or 45,000 people's social security numbers???

          Those lists become handy when you need to fire someone. You start with the highest salaried people, and then you slowly work yourself down the list until you recognize someone you dislike, or until you simply don't recognize a name.

        • I really didn't even have time to write a script to do it, I had to login to the server, and use Pine to turn everyone's mail into just another folder that I could access and I manually went in and had to find and delete the mail from like 300 people's inboxes.

          Obviously, to this day, I'm nearly certain that a not insignificant fraction of the staff had actually downloaded it from the POP3 server before I could get to it, but I was too frenzied to actually get a count as I was tabbing around and deleting like a mad man.

          Why wasn't your first thought to turn off the POP3 server and any webmail or other access people might have had?
          Sure, it's a pain, and you'll get helpdesk calls asking "Why can't I get email?" Just say, "There's a problem with the server, we're working on it." If you have an internal technical website (and you should, which should also be policy that it's the first place for people to check when they have a problem with something other than their own computer not turning on), post a quick message on it st

      • by Hadlock (143607)

        I'm curious why universities need social security numbers at all. Last time I checked (never), the SS administration wasn't the one writing student aid checks. There's no federal database of who has what degrees (except perhaps MD degrees). Until 2004 or so the University of Texas Arlington used your initials and the last 4 digits of your SSN in your email address (which is the facebook login for most anyone who joined facebook at UTA prior to 2004, for you identity thieves).

        UT Arlington (UTA) spec

        • That kind of theft couldn't have happened back when I was a student at Cornell, in the mid-late 70s. First of all, there was only one computer used for most campus activities, a mainframe that lived in a data center out by the airport, so nobody could have stolen it :-) (There were some PDP-11s and such in a few engineering departments (though not CS - it was mostly the physics people and maybe a random department in the business or ag school), and the card readers that we used to talk to the mainframe re

          • by Hadlock (143607)

            Yeah, but back in MY day, we had to walk uphill BOTH ways, from the Dorm to the Library (where the mainframe terminals were), uphill to the cafeteria (where the food was), BACK uphill to the library, and finally uphill to the cafeteria again, and even further uphill to the dorm. Why the Dorm, Library and Cafeteria were on opposite ends of the campus, on top of steep hills, I'll never know.

            And it snowed. Every day. In Texas. In August. All four years.

            AND we didn't have the internet to plagiar

          • Re: (Score:1, Informative)

            by Anonymous Coward

            Cornell still uses the Cornell student ID (printed on your ID card) for everything internal. If someone knows that, they can -- with a little social engineering -- pretty much impersonate you for any in-person campus service like manually changing your schedule or getting meals in your name (if you have a meal plan).

            I assume they need SSNs for any students they employ. Also, every college I applied to required it on the application as a unique identifier because they do not want to deal with names (your SSN

        • by mlts (1038732) *

          Sometimes I wonder if universities should just use some cryptographic hash of that material. If they had the SSN and user info, they can generate the ID, if a computer system didn't, the ID would still be useful for a primary or secondary key for that student, staff, or faculty.

          A simple mechanism would be concatting the info that doesn't change information together in a predetermined way (the first first and last name registered with the school and the SSN), perhaps adding a random password that is a share

          • voila, a workable student ID that can be generated from the user's data on the secure systems, but finding any secret info from the student ID number is virtually impossible, other than the date they started with the university.

            Until some dumbass admin who thinks "I know what I'm doing. It'll be fine." starts downloading trojanned cracks from infected-keygens.biz on the secure server....
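
The derived-ID idea in mlts's comment above, sketched as an added example (not code from the thread or from any university system): the comment's secret is modelled here as an HMAC-SHA256 key, which is an assumption, as are all function names and the constructed sample record. The last function goes a step past the comment to show why the secret matters: an SSN has only nine digits, so an ID made without a key can be matched by trying candidates, while a keyed ID cannot be reproduced without the key.

```python
import base64
import hashlib
import hmac
import unicodedata

# Constructed sample values. SSN area number 000 is never issued, so this is not a real SSN.
SAMPLE_FIRST, SAMPLE_LAST, SAMPLE_SSN = "Ada", "Lovelace", "000-12-3456"
# Constructed key; in the scheme it would exist only on the secure systems (assumption).
SAMPLE_KEY = bytes(range(32))


def canonical_record(first, last, ssn):
    """Encode the never-changing fields the same way every time."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    fields = [
        unicodedata.normalize("NFKC", value).strip().casefold().encode("utf-8")
        for value in (first, last)
    ] + [digits.encode("ascii")]
    # Length-prefix each field so ("ab", "c") and ("a", "bc") encode differently.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def derive_id(key, first, last, ssn, length=12):
    """Keyed variant: HMAC-SHA256 over the record, shortened to a base32 ID."""
    if len(key) < 16:
        raise ValueError("key must be at least 16 bytes")
    mac = hmac.new(key, canonical_record(first, last, ssn), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii")[:length]


def unkeyed_id(first, last, ssn, length=12):
    """Same construction with a plain SHA-256 and no secret, for comparison."""
    digest = hashlib.sha256(canonical_record(first, last, ssn)).digest()
    return base64.b32encode(digest).decode("ascii")[:length]


def last4_values_reproducing(target_id, first, last, ssn_first5, make_id):
    """Design check: list the last-four values (of 10,000) that reproduce target_id
    for whoever is able to call make_id."""
    return [
        f"{n:04d}"
        for n in range(10_000)
        if make_id(first, last, ssn_first5 + f"{n:04d}") == target_id
    ]


def demo():
    keyed = derive_id(SAMPLE_KEY, SAMPLE_FIRST, SAMPLE_LAST, SAMPLE_SSN)
    plain = unkeyed_id(SAMPLE_FIRST, SAMPLE_LAST, SAMPLE_SSN)
    other_key = bytes(32)  # stands in for a party that does not hold SAMPLE_KEY
    return {
        # Same person, different spelling/formatting of the inputs: same ID.
        "stable": keyed == derive_id(SAMPLE_KEY, " ADA", "lovelace ", "000123456"),
        # No secret: the ID pins down the missing digits.
        "plain_hits": last4_values_reproducing(
            plain, SAMPLE_FIRST, SAMPLE_LAST, "00012", unkeyed_id),
        # Secret key not held: no candidate reproduces the ID.
        "keyed_hits": last4_values_reproducing(
            keyed, SAMPLE_FIRST, SAMPLE_LAST, "00012",
            lambda f, l, s: derive_id(other_key, f, l, s)),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed ID is only as private as the key, so the key belongs in the same protected store as the SSNs themselves.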

        • by mpe (36238)
          I'm curious why universities need social security numbers at all.

          Except for their current employees. Though by the sounds of things they don't bother to remove this information from the records of past employees...
      • by mlts (1038732) *

        I'm going to actually state this is a case where selective DRM (more specifically Microsoft's IRM in pre-2008, and RMS currently) would be a good thing.

        Say this .doc file was protected with Microsoft's IRM and it got outside the company. Users who were authorized from the RM server would be able to view it, but to those who didn't have access, it would be encrypted and useless without the key. Yes, an authorized user likely could make a copy of it without the rights management encumbrance, but IRM system

        • Yes, but IRM and DRM are two completely different things.

          IRM allows a company to control who gets to see their own documents.

          DRM allows a company to control what consumers have to repurchase.

          The difference being, that the company using IRM is in control of their own use of their own internal documents, while the company using DRM is attempting to control the entire public's use of files that are meant to be used by the public.

          Having said that, IRM can still be a pain for whistleblowers attempting to alert t

      • by kelnos (564113)
        I absolutely hate to say -- or even think -- this, but... this sounds like a great argument for TPM/DRM/TCPA/whatever it's called.

        Let's face it: you can't educate users about security. Many people will understand, but many will not. And it just takes a few people who don't get it to cause a problem.

        In the instance of your example, it would be useful if the person who created that original .doc file could have placed restrictions on the file such that at least 1) it can't be sent anywhere unencrypted,
    • It isn't just universities. One Sunday I'm relaxing with a smoke after having to come into class to help those behind when I get a call "Where yo at?" I'm at class, just got done. Why? "You ain't gonna believe this shit. I'm about 10 blocks north of you. You got your truck?" yep, what else would I drive? "Good. Get over here NOW"

      So I get over there to where Chuck works at and the Teleco next door has put out a ton of 1.5-3GHz boxes out on the curb. Being a nice Sunday and I don't mind a little exercise for some free parts I helped Chuck load them up, in return for picking a couple of the nicer ones for me of course. We get them to his place, unload them and I say "let's fire them up to see if any has an OS or if they have been stripped." Now not only do these boxes still have the nice little XP Pro OEM stickers on them, but the OS is STILL installed and they didn't bother deleting squat. Accounts, CC numbers, the whole nine yards was just sitting there unencrypted on the drives. Most didn't even need a username to log on. Lucky for them we just wanted the PCs and not the data or we could have had ourselves an ID theft field day.

      So it isn't just the schools. Over the years you'd be surprised how many "throw aways" I've ended up with that had major data on them. CC numbers, bank accounts, just stupid the amount of data they leave. I'm frankly shocked that MORE data theft hasn't occurred than what we have seen. I guess a lot of the guys are like me and just want a free PC and wipe the suckers.

  • by Jimmy_B (129296) <slashdotNO@SPAMjimrandomh.org> on Wednesday June 24, 2009 @05:28PM (#28459837) Homepage
    At this point, social security numbers are so widely distributed that the only sensible thing to do is to publish them all in the phone book, so no one will be able to pretend they mean anything. If a scammer wants to use someone else's identity to defraud a bank, then the black market will sell them cheap and in bulk. The real problem is that creditors are allowed to issue debts without attempting to contact the person whose name they're using, and then try to collect those debts when the scammer runs off with the money.
    • Did some work for an electrical union (the office managing people's pensions and such) a couple of summers during high school.

      We'd have people's names, SSNs, partial addresses, etc.

      We needed to get mailings out to them.

      Just hop on this website, click the "yes I'm authorized to look at this information" button, and then type in a name, phone number, partial address, or ssn.

      You get a neat list of all people with that name/number/address/ssn (often multiple people with the same ssn LOL). You even get a cool l

    • Identifying clients should be the creditor's problem, not mine. I have little control over my own SSN, but I am supposed to now buy ID theft insurance? Seems like Trans Union, TRW, Visa and the like should be able to figure something out.
      • You need to buy ID theft insurance because TRW, Visa and so on can't figure out to keep your personal data secure. It's exactly the same as the way you have to buy, install and use a third-party anti-virus because Microsoft can't figure out how to keep its OS secure.
    • by zizinya (1584487)
      There's not much that can actually be done with an SSN and nothing more. A potential id thief needs a lot more to work with in order to actually do some real damage.
    • by mpe (36238)
      At this point, social security numbers are so widely distributed that the only sensible thing to do is to publish them all in the phone book,

      The point is they are "identifiers" rather than "authenticators".

      so no one will be able to pretend they mean anything.

      You underestimate the abilities of fools. Nothing is likely to stop them believing that a collection of identifiers equates to an authenticator.
  • by Anonymous Coward

    Wow.. social security numbers.. on PERSONAL COMPUTERS!!!! Outrageous. What that data is doing on anything but computers locked behind doors in a data center is beyond comprehension.

    Cornell has dropped out of the Ivy league and entered the bush league.

    hosers.

    • Re: (Score:1, Insightful)

      by Anonymous Coward
      I assure you it is news to no one involved with Cornell that the IT department (CIT) is utterly incompetent. If anyone had any doubts, the recent rollout of PeopleSoft silenced them when they could not hand out financial aid for a semester because they could not get the system to work and course pre-enrollment (which a lot of people want to start right on time to get into popular classes) failed with random COBOL errors, was taken down, and reinstated a day or so later.
  • by Anonymous Coward on Wednesday June 24, 2009 @05:41PM (#28459971)

    It is extremely frustrating. I encrypt my personal data when it is under my control. It is unforgivable that an institution that I pay this much can't do the same.

  • I wonder (Score:2, Interesting)

    by Anonymous Coward

    how many times identity theft isn't reported, the high school I went to had a case reported that some kids had stolen the SS numbers from the school's network. I know because I was called in and questioned about it. I didn't do it, and I don't know if they ever found out, I don't think they did as no one was expelled. The IT Department was totally fucked though as a network with vulnerability like that was... well you get the idea.

    I was on the network and saw

  • WTF do you need the actual data for? You don't know that a SSN is 9 numbers and possibly 2 dashes? Why do you need actual data on a computer that can be stolen?
    • by ctmurray (1475885)
      My wife was in IT at a large company. For testing purposes they had a set of data for fake employees that contained enough data to provide good testing.
    • by mpe (36238)
      WTF do you need the actual data for? You don't know that a SSN is 9 numbers and possibly 2 dashes? Why do you need actual data on a computer that can be stolen?

      It appears to quite often be the case with such "breaches" that there wasn't an especially good reason to be storing said data at all. However without data protection laws which are strongly enforced there is little incentive to store and process only data which is actually needed.
  • Sue them for that amount, x45,000.

    Then maybe they'll take this seriously.

  • by Anonymous Coward

    This is the same IT department that recently switched over its management software to PeopleSoft. A wonderful web app that randomly throws COBOL errors and refuses to function.

    Surprise Surprise.

    I personally think this person was probably pretty far up the food chain. There was no indication they were let go, and who else would think they were this far above the regulations regarding encryption of personal data.

  • I had considered Cornell for obtaining my Bachelor's - not any longer with this.

    Even I have better security practices and I run Windows machines without firewalls or AV software.

    Over four years without infection! Common fucking sense FTW.

  • by Anonymous Coward

    You'd think, the university that created the Cornell Spider -- http://www2.cit.cornell.edu/security/tools/ -- would be more diligent to push that out on all their machines. But I work in the *real* world and know all about theory and practice.

  • I just got the email about this yesterday. It's the third time a university I've been associated with has had a major data leak (UCLA, Stanford, Cornell). The upside is that I've had free credit monitoring for the past few years!
  • So the moral of the story is if you are looking to educate yourself on security and common sense then Cornell is not where you want to go among other places. It always amazes me it seems to take a few hundred breaches before common sense sinks in and simple things like encryption and basic security measures are used.
  • Maybe the solution to this is absolute liability for anyone who keeps personal information on anyone else.

  • I have no idea how far back the stolen data goes, but I was a student at Cornell in the mid-90's. I can assure you that Cornell does not have my current email address (my university address expired after I left), and they do not have my current mailing address, either - I never receive mailed solicitations for money.

    On their FAQ page, they assure everyone that they contacted everyone who had their data stolen via email or USPS. I am not saying that I was necessarily one of the victims here, but I am sure th

  • by Anonymous Coward

    Fedora has full disk encryption, any newbie can activate it.

    What is wrong with these people?

    • by mlts (1038732) *

      In reality, what is needed is FDE systems architected similar to Microsoft's BitLocker that use a TPM chip that is used to validate the boot process, then pass the encryption key to the OS. This will allow servers to boot unattended (although one can have the TPM request a PIN), but still protect the machines from unauthorized access via a live CD.

      One can add additional mechanisms to this, for example, a GPS that the TPM can use to validate that a machine is still within the same physical area, or a hardwa

  • by Anonymous Coward

    I've been reading about similar stuff happening at other places but I didn't think it would occur at Cornell. They are generally pretty good about IT/Security stuff. In any case, the email they sent out links to this FAQ:
    http://faq-june2009.cuinfo.cornell.edu

    Turns out that it wasn't so much the university's fault as it was the fault of some idiot IT person. An excerpt from the FAQ:

    5. Why was this information on a computer?

    A member of the Cornell technical staff, who is responsible for supporting our centra

    • by kelnos (564113)

      Turns out that it wasn't so much the university's fault as it was the fault of some idiot IT person.

      If the university hired that idiot IT person, then it's the university's fault. Full stop.

  • Let me understand...

    There is a government site that returns your signature, photo, complete name, DNA, fingerprint, all passwords, a 3D model of you, your sex tapes, etc., in the case you've lost them... Just put your SSN and you get back your lost identity. Is this the problem with SSNs?

    Maybe credit companies just accept that you are someone else just because you know his/her SSN and last name...

  • Everyone else that stores and shares your personal data are too inept to notice their blunders, or won't dare admit it unless they absolutely must. It's best to assume there is no such thing as secure information once you share it with others.
  • Isn't Cornell....supposed to be one of the biggest and brightest Universities to be out there...they can't afford a good admin with stronger group policies on the network?
