Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Your Rights Online

Identity Theft from University Computers 259

Different River writes "Someone broke into the administrative computers at George Mason University and accessed personal information, including social security numbers, of 30,000 students, faculty, and staff. "Before the hacking, the university was in the process of replacing students' Social Security numbers with other internal numbers to protect against identity theft." Looks like they just missed it."
This discussion has been archived. No new comments can be posted.

Identity Theft from University Computers

Comments Filter:
  • To be honest.. (Score:3, Interesting)

    by Tobias.Davis ( 844594 ) <[tobias.davis] [at] [gmail.com]> on Wednesday January 12, 2005 @09:17PM (#11343998) Homepage
    Any corporation / school / government entity that uses SSN to identify a individual either on paper or digitalized is out for a harsh reality: Personal identity theft is real and here to stay. Now if I could just figure out how to talk these old timers to drop the SSN number they want labeled on their checks..
    • Now if I could just figure out how to talk these old timers to drop the SSN number they want labeled on their checks..

      Is this a store, or some other company you deal with voluntarily? Drop them if they won't drop the SSN issue - find someone else to deal with. Let them know why, and give them a chance to change the policy, but dump them and stick to it...

      • Re:To be honest.. (Score:3, Informative)

        Actually I'm talking about my father, who insists that his SSN needs to be printed on his check. For myself, I'm a 27 year old that has little credit history no credit cards and only 1 dealing with a financial institute (for a vehicle loan). Yes, I'm eccentric but I have no use for the credit system in america. Any information I have on file is positive, but I don't go looking to use my SSN anywhere
        • Actually I'm talking about my father, who insists that his SSN needs to be printed on his check.

          Now I understand. There was a store in the area a few years ago that was demanding my ssn be written on any checks they took. I've no idea if they still do, I left my things on the counter and walked...

          You're right, it's crazy to print that. Unfortunately it may take a case of ID theft to get him to stop.

          Congrats on dodging the credit system, I'm working my way in that direction (a whole lot harder when you

          • There was a store in the area a few years ago that was demanding my ssn be written on any checks they took.


            That's nuts. I can see them trying to require your driver's license, as that's the form of picture ID they'd use to identify you (if they bother, and most don't), but not SSN.
              • That's nuts. I can see them trying to require your driver's license, as that's the form of picture ID they'd use to identify you (if they bother, and most don't), but not SSN.

              IANAL, but as I recall it's against the law to require a SSN as identification for things like checks. I'd check into it and report them, not that anything's likely to happen, but maybe it will. Identify theft is becoming a massive problem.

              My bank tries this on me whenever I call to talk to someone they want my account number

              • Re:To be honest.. (Score:5, Informative)

                by David_W ( 35680 ) on Thursday January 13, 2005 @09:06AM (#11347931)
                My bank tries this on me whenever I call to talk to someone they want my account number and SSN to identify me. I always refuse...

                I'm curious why you have a problem with this? The bank already has your SSN on file (IIRC it's a tax requirement), so it's not like you are giving them any new information, merely confirming something that they can see on the screen in front of them.

            • Actually, Indiana driver licenses used to have the SSN on them. This time around I was asked if I still wanted it on mine and I said, "no." Some organizations do catch on.
    • Hear, hear. Stolen SSNs would not be news if there weren't many, many organizations using them as identifiers without any specific need (other than that someone was too lazy to write a serial-number generator and wants to sponge off the SSA's.)

      Clue: if your *department* does not report taxes to the government, it has no use for SSNs. They confer no significant benefit and are a heapin' helpin' of bad press waiting for just the wrong moment.
  • by ecammit ( 775253 ) on Wednesday January 12, 2005 @09:18PM (#11344005) Homepage
    This just goes to show why using social security numbers for identification purposes is a bad idea. It always disturbs me how many places actually have that number. It was supposed to really be a secret number to identify your for social security, not everyday identification.
    • Other than the BMV (and I can't figure out why they need your SSN), most of the places that have it are because they need to report tax information about you. You don't have to give it to anyone else. Some places will get annoyed with your request to have a special identification number, but they will accomodate you. My undergrad used to use SSNs for identification, but you could always request a different ID number at any time.
    • I agree, it's ridiculous but not surprising (sorry I won't go off on how much I loathe universities) that they use SSNs as IDs. My girlfriend's university displays her SSN right on her ID card (attends SFSU, which displaying SSNs is illegal in California, but don't ask me how they get away with it) and my dad told me that Arizona puts your SSN right on your Driver's License. How idiotic is that?
    • How about identification via fingerprint with this reader [samsclub.com]? Anyone used it and are there any good hacks with it?

    • These companies should be fined (big) if this data is stolen. If this were the case, I don't think universities and businesses would bother collecting SSNs in the first place, unless it was absolutely necessary. It would also force them to pay more attention to security.
  • by Class Act Dynamo ( 802223 ) on Wednesday January 12, 2005 @09:19PM (#11344008) Homepage
    I always hated that about college. Where I went, EVERYTHING was connected to the SSN of a student. They knew it was, at the very least, imprudent. When a student first enrolled, there was an option somewhere that the student could check off signifying that he/she would like to be assigned a non-SSN ID. It was in an obscure place, though. I only found out about it when I started working for the University. It was almost as if they hid it, knowing that this is the last thing on most folks mind who are just enrolling at the university.
    • by __aawavt7683 ( 72055 ) on Wednesday January 12, 2005 @10:39PM (#11344743) Journal
      Likewise. Apparently there was such an option on the applications I filed, but I never saw one. Actually, on the second, I left the SSN field blank. Chaos ensued.

      As for that incident, I ended up having two university accounts, they signed me up for health insurance despite my declining it, etc etc. Basically, they manually merged the two accounts using default options for everything. This after complaining to the registrar's office and such... I assume it occurred because the financial aid office had my SSN and that account was being used. It's all taken care of now. 901-xx-xxxx. Completely invalid. (900's don't work.)

      The other incident was at Michigan Technological University -- saw no option to not have my SSN as my everything-number. In this instance, I gave it because I didn't want to risk not being accepted. Later, I went to the registrar's office to try and get the so-called "M" number that they gave in place of SSNs. At the time I was told that I could only do it if I declared my account confidential -- have to show photo ID, everything done through the mail and so forth; a real pain in the ass. I put that off, but went back a month later with the intent to declare my account confidential. Lo and behold, magically, I no longer had to declare my account confidential and walked out with an M number. M0026xxxx. Still remember it, two years later, even. There's something about numbers...

      But, those're my stories. Really, you CAN change from your SSN after the fact. Many people have bitched, "That's the trouble when you don't stick with your SSN" and such, but I just start talking to them as though they're stupid. That's because they are.

      Go tomorrow, get it changed; keep your confidential data confidential.

      -DrkShadow
      • The advice you give is sound. Unfortunately, I graduated last May, so the point is moot. I do hope you get modded up, though. It is good advice.
      • Yeah, I did pretty much the same thing at my school. I was, unfortunately, blessed (?) with a remarkably easy-to-remember SSN; almost anyone who hears it could probably remember it without difficulty after the first time.

        So anyway, I went to get my student ID changed after the proberbial straw broke the camel's back: I had received a letter in the mail from the university, addressed to me, with my student ID (SSN) printed on the outside of the envelope. Boy was I pissed. So, I went down to the registr
    • by ComputerSlicer23 ( 516509 ) on Wednesday January 12, 2005 @10:50PM (#11344817)
      Yeah, I irritated several people, and made a lot of people in the registrars office laugh when they asked for my name, I just gave them my SSN to save time. Everyone understood it was an implication that I was just a number at the University.

      It actually saved time. It was the next thing they were going to ask for anyways, and they wouldn't do anything to my records until I told it to them. They didn't need to know my name, and if they did, it'd be on the first screen they pulled up if they felt the need to use my first name to make me feel like a person.

      Kirby

    • the absolute worst were the profs who insisted upon posting grades up on their door, identifying the scores not by name, but by Social Security number. To make matters worse, it was the CS profs who did this the most.

    • I always hated that about college

      With good reason too. I once consulted to an unamed college and could not believe how disorganized, how poorly planed and how lax security was. But the Dean responsible was worried more about what other things and what I cost him than getting a decent set of backups. The kicker was we game him very low rates as I was between larger projects.

      Deans should not manage I/T and computer infrastructure. I/T manager needs to answer to the board/directors and have their ow

  • soooo (Score:5, Funny)

    by ikea5 ( 608732 ) on Wednesday January 12, 2005 @09:19PM (#11344011)
    no mention of the grades?
  • Suspicious? (Score:2, Interesting)

    by Dekks ( 808541 )
    It seems like bit of a convenient coincidence that this happened just before they replaced their ID numbers with something other than Social Security numbers. Someone has obviously been paying attention in their Computer Science classes.
  • by ergo98 ( 9391 ) on Wednesday January 12, 2005 @09:19PM (#11344019) Homepage Journal
    The most remarkable thing to consider regarding these types of stories is the fact that, more often than not, the hackers are incidentally detected (e.g. they send an email saying "give me money or I go public!").

    How many of these incidents happen with no one the wiser. Just guessing, but I'd wager at least 10 major silent exploits for every 1 publicized event. How many employees of Big Corporation are doing a ZIP of the company database onto a USB key "just in case", and how many servers are silently owned month after month.
  • by Anonymous Coward on Wednesday January 12, 2005 @09:20PM (#11344028)
    There are probably a lot of cases just like this where either the hacked party isn't even aware they got hacked, or the hacked party knows they got hacked and isn't talking about it. Which makes you wonder how long our credit system can stand up to rampant large-scale ID theft.

    Stock up on canned goods, folks.
    • Stock up on canned goods, folks.

      And use someone else's credit card?
    • There are probably a lot of cases just like this where either the hacked party isn't even aware they got hacked, or the hacked party knows they got hacked and isn't talking about it. Which makes you wonder how long our credit system can stand up to rampant large-scale ID theft.

      Stock up on canned goods, folks.

      Americans have one of the lowest savings rates for a developed nation. There are several studies which indicated many Americans spend more than they earn. Even worse, other than home ownership

      • They have the Boomer mentality, both personally and nationally. As in "buy now, make the damned kids pay for everything later".

        Max
        • Now there is nothing wrong with spending money on what makes you happy as long as its within reason, but how many people out there have maxed out credit cards, drive a new car, have a full entertainment package ($80+ cable bills, cell phones with every feature and service imaginable, big "going-out" entertainment budget), and shop out of boredom, all while having little or no savings?

        What's annoying is most of the country makes it hard to save on some things, for instance where I live a car is an absol

  • by Tracer_Bullet82 ( 766262 ) on Wednesday January 12, 2005 @09:21PM (#11344039)
    than from internal threats.

    How many cases of internal theft do we know?

    As someone who once created and maintained my high school information database, I know how easy the system can be abused.

    What's very imporant is that Universities have strict and applied policies dealing with information and database handling.Limiting the numbers that have access is paramount.
    Background checks for personnel involved should be done too.
    • In the US, there are laws and regulations that exist to protect student privacy. These regulations are known as "FERPA". Although these FERPA laws seem to apply only to your "academic record", your academic record includes things like keeping the fact that you even attended a school (as being a student with an academic institution is defined as being part of your academic record).

      Of course, no laws prevent an academic instituion from doing dumb things like not using quality security strategies or outsou
  • wow too bad.... (Score:5, Informative)

    by djeddiej ( 825677 ) * on Wednesday January 12, 2005 @09:21PM (#11344041) Homepage
    I had an opportunity to work at a University in Canada as a development contractor, and literally had access to thousands of student numbers and personal information. There is a large push to web-ify a lot of applications, but the educational sector is lagging in terms of security. A strong initiative has to be undertaken at all levels of academic administration to better enforce security rules, from the registation process all the way to marking and evaluation.
  • by and by ( 598383 ) on Wednesday January 12, 2005 @09:22PM (#11344051)
    Schools phase out SSN usage to prevent identity theft due to losing your wallet with your student ID therein. They still have the SSN on file for financial aid use and it's still part of your student record. It just isn't usually printed.
    • they could have had another, privilidged, db for that information though. one that only people who need to have access would have access to.

      but that would have assumed them to have a clue, or having cared..
    • I just scratched my SSN off my ID card with a razorblade. If anyone at my college really needs my SSN they can just ask. It still bothers me though that they use my SSN to track my records.
  • In Australia.... (Score:5, Interesting)

    by fodi ( 452415 ) on Wednesday January 12, 2005 @09:22PM (#11344063)
    One of the National Privacy Principles introduced by the Privacy Act 2000, prohibits a private organisation from using such information to uniquely identify a person. Maybe other countries should follow suit and enforce such a law...
    • Here (the U.S.A.) we have a similar law. The Social Security Administration is the only agency / organization which is unconditionally allowed to use the SSN for identification purposes. Even other parts of the government can't if the citizen doesn't let them. That's why the IRS (Internal Revenue Service) allows you to fill out a form and get a Taxpayer Identification number (which you'd then use for financial aid).

      Private parties and organizations don't have the right to demand your SSN. Nonetheless,
      • Thats stupid, Its like saying you don't have to agree to Microsofts Eulas when clearly if you want to get anything done in a business world you have to.
          • Thats stupid, Its like saying you don't have to agree to Microsofts Eulas when clearly if you want to get anything done in a business world you have to.

          Exactly, the government doesn't even enforce the law so it's become entrenched and abused. Only now are companies starting to realize that it's not only illegal but a Bad Idea(tm) to use SSNs to identify everyone. It's sad that someone had the foresight to see this would be a problem (thus the law was created in the first place) but it took it actuall

    • ... Whereas, in the UK nobody uses the NI number (the local equivalent of the Social Security Number) since huge numbers of people have multiple numbers due to government incompetence and individual fraud.
  • What OS was their server running????
    • Depending on what department, it can vary greatly. In our ECE department, we have a Solaris server (cpe01.gmu.edu). The main server for the school is an old Alpha (named osf1.gmu.edu). However, from what I've heard around campus, this one was probably a Windows server that didn't have all of the patches applied. Many of the different offices operate as a Windows only shop.
  • PLEASE tell me this place is well known for it's high grade IT majors. That would be hillarious and really make my night.

    Alternatively just say they had a fully patched windows machine, both works fine.
    • Re:IT majors (Score:2, Insightful)

      by Opticalsky ( 785289 )
      Actually George Mason University is one of the few that have Ph.D programs in Information Technology, but it goes further such as they have "Information Technology with Concentration in Information Security."

      Kind of ironic that they would have a graduate program there for information security and they just got hacked.

      I think it might be an inside job though.
      • FYI (Score:2, Insightful)

        by Nixoloco ( 675549 )
        The machine that was hacked was in the PhotoID Office and it was a Windows machine. Based on the bahaviour it was exhibiting, that is- it was scanning other machines to infect, it may have only been a worm and this whole story has been somewhat sensationalized. It may have been oblivious to the fact that data existed on the machine.
        The fact that the machine may have been unpatched reflects poorly on University Administration (ITU) but not on the CS or IT programs.

        Disclaimer: I work and go to school at GM
  • by philovivero ( 321158 ) on Wednesday January 12, 2005 @09:26PM (#11344109) Homepage Journal
    We need more organisations using other unique identifiers for people than Social Security numbers. This will seem radical to you if you're a politician, but I recommend Social Security numbers should only ever be used for Social Security.

    My mother a few years back pointed out that once upon a time, our politicians actually said, boldly, in front of the entire nation, that in Soviet Russia, the government numbered the citizens. They said this was proof that the soviets were an evil dictatorship sort of country, and not a democracy, where we can vote for naked petrified persons (so long as they are American-born).

    She challenged me to imagine a beowulf cluster of Social Security numbers, and how easily such a cluster could be abused (a near-limitless supply of identities to steal).

    Now, sadly, all our base are belong to the myriad entities that have our Social Security number (along with mother's maiden name, date of birth, income, and all the other things identity thieves might want). You'd expect us, as a society, to be smarter than that.

    Hopefully others will follow the example of this school, and migrate away from using social security numbers for illegitimate purposes.
  • I'm a Student at GMU (Score:5, Informative)

    by grylnsmn ( 460178 ) on Wednesday January 12, 2005 @09:30PM (#11344148)
    Here are the two emails that they've sent to students about the incident:

    To: Mason Community

    From: Joy Hughes, Vice President for Information Technology

    Subject: Illegal Intrusion into University Database

    The university server containing the information relating to Mason's ID cards was illegally entered by computer hackers. The server contained the names, photos, social security numbers and G numbers of all members of the Mason community who have identification cards.

    The intruder installed tools on the ID server that allowed other campus servers to be probed. An Information Technology Unit staff member noticed the attack while reviewing system files as part of the university's internal controls procedures, and traced it back to the ID server. The compromised ID server was disconnected from the network and is no longer accessible. The police are currently investigating the break-in. The university is subject to dozens of probes and attacks each day.

    There is no evidence that any of the data available on the Mason ID server has yet been used illegally. It appears that the hackers were looking for access to other campus systems rather than specific data. However, it is possible that the data on the server could be used for identity theft.

    Following are steps each of us should take to minimize the likelihood of ID theft from this, or any other similar incident.

    - Contact any of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert advises new and potential creditors that they should contact you before opening any new accounts in your name. Additionally your existing creditors are advised that they should contact you prior to making any changes (e.g. credit limit change) in your account. Once you notify one credit bureau, the fraud alert will be sent automatically to the other two. All three bureaus will send you credit reports free of charge once they receive the fraud alert. The three credit bureaus can be contacted as follows:

    Transunion
    1-800-680-7289
    www.transunion.com

    Equifax
    1-800-525-6285
    www.equifax.com

    Experian
    1-888-397-3742
    www.experian.com

    - Continue to check all your accounts on a regular basis for unusual activity.

    - The Federal Trade Commission Identity Theft Hotline gives a good overview of what to do when you think your information may have been stolen but have no evidence that it is being used. The number is 1-877-438-4338. Press #3. The Federal Trade Commission also has a website with extensive information about identity theft at www.ftc.gov/idtheft.

    If you have further questions, please call 3-8116. The university's IT Security Coordinator Cathy Hubbs is monitoring this line and will ensure that your message is immediately forwarded to the most appropriate person.

    We understand that taking these steps is inconvenient, and regret that the server attack makes it necessary. While it seems unlikely from the evidence currently available that identity theft has occurred, it is important to take these protective actions. We will share any further information about the intrusion and its effects as soon as it becomes available.

    and

    To: Mason Community

    From: Joy Hughes, Vice President for Information Technology
    Subject: Computer Break-In Information Website Now Established

    A new website giving information regarding the illegal intrusion into
    the university's ID database server is now on line at
    http://www.gmu.edu/intrusion. The page can also be accessed through links on
    the Student and Faculty and Staff resource pages on the home page. Due
    to the large number of calls we have received on the information line,
    we are noting your questions and providing the information on this page.

    We will regularly update the page as more information becomes
    avail

    • The SSN upgrade process should point to places and people to start investigating.

      Timing like that could be more than coincidental.

      By the same token, it could be a coincidence that only one student in the Computer Security Fundamentals 101 course was passed by a hoary professor.
    • "Computer hackers"? Sounds a hell of a lot like "common thieves" to me. I believe the police call it "breaking and entering", as they were indeed physically on the premise? Or did I read that wrong?

      Were this a network-based crime, I'd think the police wouldn't be on it - but the FBI.
  • suspiciosity (Score:3, Interesting)

    by solaraddict ( 846558 ) on Wednesday January 12, 2005 @09:36PM (#11344210)
    The one thing that would make me suspicious would be the fact that the intrusion happened just as they were transforming the data to use some other sort of unique id - IMHO an insider alert if ever there was one.
    • Re:suspiciosity (Score:3, Informative)

      by dbIII ( 701233 )
      The one thing that would make me suspicious would be the fact that the intrusion happened just as they were transforming the data to use some other sort of unique id
      That doesn't surprise me at at that it was found at this time - the system would be coming under more scruting than usual, so intrusions may have happened before but were only noticed at that time.
  • So what legal recourse do the students have? As far as I'm concerned, the organization is liable, and the students should launch a class action lawsuit, if nothing else, but for lost productivity time, which is what companies usually seek when they go after hackers. The school is no better than the people that hacked them if they couldn't safeguard this personal and highly sensitive information.

    You'll also notice that the asshole of a VP didn't even apologize for the situation. Just that he regrets it. Mak
    • I really can't see what that would solve, except to force the university to spend a huge amount of money defending itself from legal attack with money that could be better spent on improving/fixing the situation. The knee jerk reaction to every situation in this country is to just sue people left and right and it really kinda sucks. As much as I feel for the students that have to deal with this, if any do sue the university, I really hope they lose even more time and some money in the process.
    • I think the problem is that there is a general belief that SSN is a secure identifer. Back when I was in college (god, almost 10 years ago), in my first "IT job" (ok, so I was lab consultant), one of our bosses showed us how easily it was to access public information. From a name and city, he was able to retrieve the student's full address, SSN, and even retrieve the student's parent's property tax information. The demonstration did not involve hacking or unauthorized intrustion to another system. This was
      • I think the problem is that there is a general belief that SSN is a secure identifer.

        In effect it's government assigned name. Most of the problem is idiots treating it as though it is a "secret".
    • I was one of the potential people whose information was obtained. I am not planning on taking action against the univesity nor would I do so even if finacially harmed, unless it can be proved that there was gross negligence. GMU has made a good faith effort to switch IDs from SSNs to the new 'G' numbers. If my information was used to fradulently open acounts under my name, I would estimate primary people responsible are in my estimation:

      1) The thief
      2) The creditors for their lack proper verification al
    • by MLopat ( 848735 )
      Not sure why you guys are so opposed to the idea of sueing the school. They're not even being apologetic. The bare minimum I would expect would be a formal apology.

      Where would the money come from? From the school of course. This would just raise tuition you say? Well sure, but why would you want to goto a schoo like this after an incident of this magnitude. I wouldn't trust them. And there are other options. Its not like we're talking about Waterloo or MIT here.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Wednesday January 12, 2005 @09:47PM (#11344315)
    Universities are notorious for not having good network and server security (hard to hire the required large staff to oversee so much data). I now work in the computer security field, and when I look back at my university experience I see lots of very frightening things -- besides just the extent of the records the university keeps, they also tend to print things like your birth date on records. Having your date of birth intercepted is bad news, and it is really disturbing to see it printed in so many places, especially along side your SSN / SIN.

    On top of that, network security in general is weak and so there are all these students using unencrypted shell logins, and exchanging sensitive data over email. Or doing online banking on public machines, where key loggers could easily be installed. Lots of students live at the university, so they have to use computers for sensitive tasks like banking (unless they happen to have a laptop).

    The whole experience made me resolve to keep tight control of aspects of my privacy. If someone tries to hijack your identity, the tell tale signs are: money disappearing, and new accounts being opened. So you must keep accurate records of where your money is, and watch those balances. Also order yearly credit checks, which are free to do. If someone is opening accounts under your name, you can at least catch it.
  • by Jeff Carr ( 684298 ) <slashdot DOT com AT jeffcarr DOT info> on Wednesday January 12, 2005 @09:50PM (#11344338) Homepage
    When I was in the army 1995-1999, the pay stubs were just printed on on a normal sheets of paper, and handed out to everyone once a month.
    Some of the information freely available to anyone who cared to look at it was:
    • Your full name
    • Date of Birth
    • Social Security Number
    • Bank Name
    • Bank Account Number
    • The Amount of the Deposit
    • The Date of the Deposit
    It had more information than that, but plenty enough to call my bank and transfer money to another account. I assume they've improved since then, but they should have known better even then.
  • This exact same thing happened at the University of California - San Diego about 8 months ago or so. I got a letter shortly afterward, informing me of the break-in and urging me to put a freeze on those accessing my credit report and to review my credit report for fradulent activity. What a pain.
  • Even using alternative identification numbers will only limit identity theft rather than eliminating it. I think law enforcement and prosecution is the answer.

    After all, it's an information society: abusing personal information harms the fabric of this society, as well as the specific individuals and organizations involved.
    • Na, prosecution and enforcement are too expensive and labor-intensive. I'd personally sooner expect biometric IDs, chips in our arms, and various other fascist monitoring tools. Seriously. That's the trend, at least.
  • by Hangtime ( 19526 ) on Wednesday January 12, 2005 @10:13PM (#11344535) Homepage
    This was no coincidence. Someone saw this coming change and decided to cash-in while they still could.
  • Look to see if one of the students may have been the thief, first. Doubly so for a student that works for the University. It's not too far fetched that a student caught wind of such a change and was given the idea to commit this crime.
  • by iamacat ( 583406 ) on Wednesday January 12, 2005 @11:34PM (#11345123)
    I bet they have been "in the process or replacing the system" since last century. They just didn't do any serious work on that until they got busted. Same as US Airways over christmas and countless companies with Y2K bug until 1999. Everyone with decision making power should take a serious pay cut and students should get tuition discounts to offset the cost of dealing with identity theft.

    If they really took the problem seriously, an upgrade wouldn't take long at all. Just mechanically replace SSNs in the database with unique, randomly generated 9 digit numbers and set up a web page that maps SHA(SSN) to the new ID.
    • I worked for AT&T Wireless when they were breaking off from AT&T proper. One of things that needed to be done was to replace all of the AT&T employee ID numbers with new AWS employee ID numbers.

      It. Took. For. Ever.

      All sorts of disconnected systems keyed to that AT&T ID # that needed to be updated and changed and the change need to happen in one fell swoop and nothing could fail.

      I'm betting a university setup is even worse.
  • My guess would be that it's too much of a coincidence that while they're making systematic changes around SSNs, suddenly, they have a mssive SSN breach. Probably someone working on that project or originated therefrom.
  • I've been myself the victim of an identity theft, so I know what I'm talking about. But I still believe that when people get angry about organisations using SSN's, and they get stolen, the problem is really the other way round. It's not the issue that someone knows my social security number, the problem lies in the fact that shops, companies, organisations, etc. consider the fact that you know your SSN as a proof of identity.

    I don't care whoever knows my SSN, I do care that a cellphone shop gives a subscrip

    • I agree. If I had mod points, I would have mod you up. Having a unique ID is not the problem. The problem is not having a good authentication mechanism, even though such mecanisms are well-known for quite a while. Digital signatures, Zero-Knowledge proofs, anyone? Every person should have a smartcard that can do a ZKP protocol over phone lines.
  • Many students don't realize this but as a student you do not have to give any university your SSN unless you are accepting financial aid from the university. Many universities make this quite clear to their staff on their internal Q&A websites. IIRC the Unv of Illinois was one such university that I found that data on. Also, IIRC, I believe the reasoning behind this can be found in FERPA. I could be mistaken but I believe that's the reason. I know I happened to come across it a couple years ago whil
  • ... can be made thus:- How about this for a simple hash id generation algorithm?

    echo 'Christopher Sawtell 21:30 15-Feb-1943 St. Pancras, London, England' | md5sum | cut -f1 -d' '
    Which for me gives:
    17f11db57259bdbdf45ed234f1b122ed
    Alternativly there is the sha1sum which gives a few more digits:
    ac8379e71974cca81580d29913d806b0e952f593

    Now then /.ers. Anybody else get the same hashes?
    We want at least a million tests. Don't be shy. This is actually a worth while experiment which doesn't involve total

  • ...when I was an independent, I did a little consulting for a state university which shall remain nameless on computerizing their class sign-up system and allowing folks to set their course schedule for the term via the university's web site. They used the student's SSN and real name for the entire transaction, transmitted in the clear. I pointed out that this was terribly unsafe and could quite easily be used to steal the identities of every student who used the system, but suffice to say they weren't th
  • Um, many states use your SS# for your driver's license and/or state issued ID card. Only recently has Missouri allowed you to use an alternate number...

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...