Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
News

Another School Exposes Private Information 298

A user writes "In the wake of other schools announcing the theft of hardware containing sensitive student information, Miami University, of Oxford, Ohio, has announced that a file containing the name, Social Security number, the grade point average for the Fall 2002 semester, cumulative grade point average, and other related academic information, such as credit hours attempted that semester, for all 21,000 students who attended the Fall 2002 term has been available on a web server for the last three years. The discovery was made this week and the university is taking steps to deal with the fall-out sure to come."
This discussion has been archived. No new comments can be posted.

Another School Exposes Private Information

Comments Filter:
  • by FatalChaos ( 911012 ) on Thursday September 15, 2005 @08:45PM (#13572358)
    Who are these ppl hiring as web admins??? Why are these files even on servers connected the net?? and hopefully first post
    • by corporatewhore ( 308338 ) on Thursday September 15, 2005 @08:46PM (#13572369)
      ...and where do I send my resume ?
      • I don't think I'd want to work at J Crew U (it's a well deserved nickname because the university largely peopled by wannabe preps who think that J Crew is the height of fashion).

        If the attitude of the students is any reflection on the attitude of the staff, I'd want to beat people there...
    • The University that I attended has all of this information online. It was accessed on the same site we used to register for classes. I can log in right now and view my overall transcript, GPA, etc. I don't think that just because it is sensitive data that it shouldn't be connected to the internet. I use online banking, investment management, etc. The issue here is the University's security, not whether or not that information should or shouldn't be online.
      • GPA, transcript, i can see. But social security number? I mean how many times are u gonna need to know ur social security number and pull out a laptop and look it up online?
        • Good point. They should separate the sensitive information into a private network where the mainframes with the grades, student information and all the billing is kept and tightly control access to it.

          But the problem here is human error. If the ex-chair or whoever that was, took the file and put it into his public folder, no security, no firewall, no isolated mainframes are going to help.

        • by cos(0) ( 455098 )
          My university [utdallas.edu] uses social security numbers as student IDs. So to view my GPA and such, I would log in with my social security number. This goes as far as writing the last 4, 6, or all digits of the SSN on exams.

          You can request a random ID to be issued to you, but by the time incoming students realize that their SSN is their campuswide ID, it's pretty much too late.
      • Clearly the issue here is incompetently designed and managed systems, not with the idea of private information available via a publicly accessible site. This is no different than online banking or trading. The problem here is not one of concept, but one of severe design issues.
    • by Adam9 ( 93947 ) on Thursday September 15, 2005 @08:52PM (#13572399) Journal
      The space where the data was hosted was in a public space. The problem was that the ex-chair put the private files in public space. Since then, the IT dept. responsible for the business dept. (not our central IT Services) has since made all of those files unavailable to unauthenticated users.
    • Three cheers for Business School's retarded cousin.
    • by kdawgud ( 915237 ) on Thursday September 15, 2005 @09:09PM (#13572507)
      I got some inside information on the real story...

      Apparantly there's this list of all the students academic info that's sent out to all the Deans each semester. One of the Deans gave it to another professor for whatever reason and that professor accidently puts it on a public drive and forgets about it for 3 years.

      Nice. Real nice.
    • by globalar ( 669767 ) on Thursday September 15, 2005 @09:14PM (#13572538) Homepage
      A lot of times it is not administrators who are directly doing this (i.e. its much bigger than one person or they have no real way of knowing). Information security is far more than simply one person's job. Everyone who has access to information - even the poor grad student who does backups on Sunday nights - should be responsible in some way for security.

      It takes a lot of work to make strong, accountable policies and carefully define simple, but narrow ways of accessing information (i.e. not just dumping the student records excel file in the share folder). For example, everyone on campus has network access which is most often directly linked to online access. If one person screws up and misuses their data access priveleges by opening up information over the network, it is very hard to tell unless you have accountability in place. And how many places do security reviews?

      When it becomes part of people's jobs to protect information, it will become a responsibilty. Right now, blaming one or two people is rarely a good solution. It's like someone who blames an outsourced medical transcripts worker in Pakistan for leaking information. Sure, it is there fault but the problem is much larger than one low-paid worker. Executive or peon, security is a group responsibility in information-rich, networked environments.
    • by awkScooby ( 741257 ) on Friday September 16, 2005 @02:31AM (#13574065)
      The problem is not web admins. The problem is with clueless end users who are careless with sensitive data. As an admin, you're faced with hundreds of gigs to terabytes of stuff on your servers. It is impossible to police it. How would you begin to go about searching for social security numbers? Think of all the ways it could be encoded, and all of the false positives you would find in conducting such a search.

      I could be wrong here. If someone knows a way to scan an entire enterprise, when you don't have admin access to a number of the systems, and you don't have a list of all of the programs which are in use (so you don't know all the proprietary data formats), I would love to hear about your solution. Oh, you probably also need to be able to search documents and databases for encrypted versions, even though you don't have the keys... Management at the university I work for asked how we could scan the enterprise to find all sensitve data after we had a similar incident.

      The person who posted the data on the website is clearly the one who is responsible for that data. That would be the retired faculty member. An admin is responsible for keeping the web server running. Was the information available on the Internet? If so, the admin was doing a their job well.

      There are some fundamental questions universities need to be asking themselves:

      • Why do faculty members have access to Social Security numbers?
      • What are you doing with Social Security numbers to begin with? Sure, you need them for employees, but why for students?
      • Why do faculty members have access to other sensitive pieces of data? If they don't need it, they shouldn't have access (principal of least privilege)

      Why doesn't the government step in in these situations? Clearly this is a FERPA violation on a huge scale. The individual who put the information on the website ultimately should be held accountable. If nothing else, action should be taken against the university. If the university gets more than a slap on the wrist, you can bet that the next person to do something dumb like this will be held accountable by the university.

      I probably shouldn't ask for that, as they'll probably decide it's the sys admin's fault...

  • by Anonymous Coward on Thursday September 15, 2005 @08:45PM (#13572362)
    Miami University, of Oxford, Ohio
    Miami, Ohio, England, where the hell is this University?
  • by NickCatal ( 865805 ) on Thursday September 15, 2005 @08:46PM (#13572368)
    they figured this out after it showed up on Google? What ever happened to auditing what you have on the web.
  • by Zouden ( 232738 ) on Thursday September 15, 2005 @08:48PM (#13572380)
    I know this is a major breach of privacy/security, but I'm curious about what kinds of malicious things one could do with this information.
    It seems to me that the only useful thing is the names/SSN combination.
    Unless you could blackmail some poorly-achieving students by threatening to tell their parents their real marks?
    • The data was from Fall of 2002. I expect a lot of them have graduated since then.
    • by Trinition ( 114758 ) on Friday September 16, 2005 @06:06AM (#13574615) Homepage

      The information released also included demographics. I've obtained the information and masked off the personally identifying information so I could show the sort of demographic information made available:

      ... Gender Dress ...
      ... Male, Khaki shorts, white T-shirt, ball cap
      ... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
      ... Male, Khaki shorts, white T-shirt, ball cap
      ... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
      ... Male, Khaki shorts, white T-shirt, ball cap
      ... Male, Khaki shorts, white T-shirt, ball cap
      ... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
      ... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
      ... Male, Khaki shorts, white T-shirt, ball cap
      ... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through

      (if you've been there, you'll understand)

  • by wahgnube ( 557787 ) <slashtrash@wahgnube.org> on Thursday September 15, 2005 @08:51PM (#13572395) Homepage Journal
    Miami University... must be in Florida.

    Oh, it's in Oxford... must be in England.

    Bzzzzzt. BUT NO! It's in Ohio!

    It must have taken a long time to come up with that combination of naming and placement.
  • by dAzED1 ( 33635 ) on Thursday September 15, 2005 @08:53PM (#13572413) Journal
    Miami University...in Oxford...Ohio.

    Met a girl from Miami that went to Oxford, and didn't like the song "Ohio." Seems a little less obscure, too. Yet, this school has 21,000 students? I mean...that's more than the real Oxford...the one that's not in Ohio, but has students from Miami...
  • by KillShill ( 877105 ) on Thursday September 15, 2005 @09:03PM (#13572469)
    the university will refund their tuition for the year.

    that's what i would expect at a minimum. on top of other punishment for letting it happen in the first place.

    this only reinforces the notion i have that there is absolutely no privacy. once your data is in someone elses hands (and all your data does in fact belong to them) you can kiss your privacy goodbye.

    there is no recourse whatsoever. you cannot even sue them or ask for damages.

    your personal data is obviously worth something to sell to third party "warehouses" but when they expose your data to the whole world, at that point it ceases to be worth anything...
    • From a customer standpoint, "give everyone a free year" sounds great.

      But that would put almost any business OUT of business.

      I have no idea what the profit margin for them is.. but even if 25% of their income is pure profit, giving out a free year means they will make zero profit for four years.

      What would be more realistic is to give back everyone a years PROFIT on their tuition. That way the schools expenses are covered, teachers get paid, ect.
    • "there is no recourse whatsoever. you cannot even sue them or ask for damages."

      Why couldn't you sue them if you can prove damages? There's no liability exemption for universities. I know the courts get some well deserved bad press but we're not in Cuba.

  • Binghamton University in NY, just announced this week that 404 student names and ss numbers, as long as other sensative data was unsecured for months, it was only after a relative of a student pointed it out was the problem fixed...just in case you guys didn't know
  • This got me thinking. Email spammers and other naughty types run web bots to scour web sites for email addresses and similar personal information. How hard could it be to write software to search one's own web server for lists of SSNs or whatever, and alert a webmaster so it can be quickly taken down? Doesn't sound like it would be particularly difficult at all. A quick search untility to parse publicly-accessable pages could save a lot of bad publicity later, as happened in this case.
  • by schwit1 ( 797399 ) on Thursday September 15, 2005 @09:04PM (#13572474)
    No school needs an SSN. For that matter just say no to giving it to anybody but the IRS and your financial institutions. Your doctor doesn't need it. The gas company doesn't need it. Cingular and Earthlink don't need it.
    • Well, the university doesn't really need YOU, either.
      • Yes, it does. No students - no money.

        A lot of universities use SSNs as student IDs which is really retarded. Why don't they just assign everyone a 14 digit number or a shorter alphanumeric code I don't know. Probably because they don't know how to do it and won't spend the money to ask somebody else who knows.

        • "A lot of universities use SSNs as student IDs which is really retarded."

          My University used to do this, but changed their policy after 2000. Their reasoning was that federal law had made it illegal to use SSNs in any form, including just part of the SSN, as identification.

          Anyway, it seems my school was ahead of the curve for once.
      • Schools may need your SSN to report taxable benefits, such as employee tuition reimbursement. My school switched to 9-digit ID numbers a few years back. Those 9-digit ID numbers will evenuatlly look like SSNs after they get out of the leading zeros (00xxxxxxx) which may take several decades. Why they didn't go with 9-character to allow alpha is beyond me. The cost of losing data resulting in a reporting incident is quite costly. Why did this faculty member have access to SSNs? Why did a RETIRED faculty memb
    • Sure, so long as you have no need of credit. Ever.

      Also, it seems, some utilities. My officemate today had a situation where the f'ing gas company required it. So you can also live without heat.

      It sucks, but it's the way it is. The best you can do is reduce how often you use it. My PPO lets you request they use a dummy number, but the beauty is it's the same format as a real SSN, so when the doctor asks for your social, you give 'em the fake.

    • I have a copy of a book called "Get Even" (published sometime in the 80s, probably out of print now). Anyway, the book has Richard Nixon's actual SSN in it, which it recommends using on forms and such which demand an SSN for no good reason. I wouldn't actually do that, as it's probably some sort of federal crime or something to impersonate a deceased former president. But I imagine using the SSN of a dead relative would probably work instead. If the issue ever gets raised at school or wherever, just cl
    • by steelfood ( 895457 ) on Thursday September 15, 2005 @09:15PM (#13572545)
      I think it has something to do with financial aid, work study, etc.
    • Actually I believe they do need it to verify loan eligibility.
    • The SSN's have to be given to your school if you want to be eligable for loans. However, it seems like the file that was left open related to just academic information like GPA and credit hours and such. What is probably the case is that the university uses student's SSNs as their university ID number, or at least they did at the time. It's fairly common practice at colleges, and only recently have legislative steps been taken to end this practice of flaunting your SSN on all your university documents.
    • From TFA: In 2002 Miami still used Social Security numbers in some cases as an identifier for students, but it abandoned that practice soon thereafter.
  • by rsheridan6 ( 600425 ) on Thursday September 15, 2005 @09:06PM (#13572489)
    Anything computer-related done by either government or schools tends to be incompetently executed and annoying, probably because when you need to deal with them, you need to deal with them - you're not a customer and if you don't like the way they do things, you can go fuck yourself. There's no reason for them to care about you, and it would be irrational for them to spend much money on giving you a better experience (well, up until the point that they get in trouble for leaking your private info on the web, that is). At least that's my theory to explain my experiences.
  • BAM! (Score:3, Funny)

    by metalligoth ( 672285 ) <metalligoth.gmail@com> on Thursday September 15, 2005 @09:15PM (#13572550)
    It's the Future of Rock & Roll!
  • by Kizzle ( 555439 ) on Thursday September 15, 2005 @09:21PM (#13572579)
    Sue the hell out of the person who discovered the security hole. That will show em.
  • by powerline22 ( 515356 ) <thecapitalizt@@@gmail...com> on Thursday September 15, 2005 @09:21PM (#13572581) Homepage
    Last year, UConn, my college, had a privacy breach where lots of SSN's were leaked. This year, they've made a committee to figure out ways in which they can remove SSN's from as many internal processes as possible.

    Last year, a student's ID was their SSN. Now, it's an ID assigned by our peoplesoft system. If i forget my ID at, oh say, the campus book store *shudder*, they can't look it up w/ my social. Like I said, good things can sometimes come out of these events.
    • Yep, Miami also switched a few years ago. We use Banner IDs from our SCT Banner system.
    • Last year, UConn, my college, had a privacy breach where lots of SSN's were leaked. This year, they've made a committee to figure out ways in which they can remove SSN's from as many internal processes as possible. Last year, a student's ID was their SSN. Now, it's an ID assigned by our peoplesoft system. If i forget my ID at, oh say, the campus book store *shudder*, they can't look it up w/ my social. Like I said, good things can sometimes come out of these event

      At UHA (uni of hartford, right near you
  • Just because it was on a webserver doesn't mean it was easy to find. Unless your a concerned student who searches for your name and the first group or two of your SSN.

    Restrict what's in your webspace!
    What I'd be concerned about is did the "now retired faculty member" know the directory where they put the file was on a public server or was the file put there and then someone did a chmod 755 on the dir, possibly after they retired by the replacement who didn't know any better. The school I'm at has school.edu
    • The server where the file was stored was meant to be public. It ended up on that server instead of the private one by mistake.
    • The part that seems absurd to me is that a single professor had access to data for every student. You can't fully control what an individual does with a file, but why on earth should he have had such broad access in the first place?
  • SchoolMAX SchoolHAX (Score:4, Informative)

    by niteskunk ( 886685 ) on Thursday September 15, 2005 @09:31PM (#13572642)
    Over the Summer, my school's district replaced their old SIS (Student Information System) with "SchoolMAX", designed by Maximus. After talking to a guidance counselor regarding schedule modifications, I noticed her log in to the new system - I noticed it required 4 credentials, one which the counselor left blank, and I made a mental note to Google the name of the system for more info on it for curiosity sake. The counselor printed me my new schedule, right from the web page. Sweet, thanks for doing the work for me - the URL was on the bottom of the sheet. I got home, hopped on the web, and keyed in the URL. The credentials required were school district, operator ID, password, and screen ID. Screen ID was what the counselor had left blank, so I was down to 3. I figured school district would be available online - a quick Google search confirmed this, and I was down to 2 fields remaining. There doesn't seem to be any real security on the site, and I predict a simple brute force or something more practical such as social engineering would enable anyone to an entire district worth of information.
    • By posting this information you have violated the Digital Millennium Copyright Act (DMCA). Please stand outside your house and the Copyright Enforcement Agents will be there to pick you up.

      Thank you
      SchoolMAX
  • by Anonymous Coward
    I understand that it is the easy thing to do but with all the compromises of data recently it seems that the inconveinience of unique numbers for different institutions would be a valid approach. Data theft is like gambling. In Vegas you can't lose what you don't bet. On the web you can't have data compromised if you don't put it on the network.
  • Get used to it (Score:4, Insightful)

    by Ogemaniac ( 841129 ) on Thursday September 15, 2005 @09:44PM (#13572704)
    In constrast to most /. types, I have pretty much given up on "privacy" in this sense. We live in a world that is becoming more and more connected and wired every day. Within that context, it becomes more and more possible for people to obtain information about one another. Perhaps we should be thinking more about how to embrace this reality rather than fruitlessly attempting to resist it. Just a thought...
  • The Question is... (Score:3, Insightful)

    by Nikkos ( 544004 ) on Thursday September 15, 2005 @09:48PM (#13572719)

    How many schools have info like this (or worse) posted on some forgotten webpage?

    Maybe the IT departments of schools should look into hiring quality people for their systems instead of leaving it up to educators with no real-life experience or student staff that rotate every semester.
  • by Chris Snook ( 872473 ) on Thursday September 15, 2005 @10:13PM (#13572846)
    A lot of universities have not-well-advertised public ftp servers that are used for transferring large files, generally with scripts that scrub things that have been around for more than a day to avoid turning into warez servers. I know of one multi-campus institution where an employee at one campus and their counterpart at another campus agreed to use this method to transfer a list of all currently enrolled students at one of the campuses. This included phone numbers, addresses, and student ID numbers, which were mostly SSNs, because that was the default and most students didn't know to ask for a different ID number. Once the transfer was complete and they discovered they could not delete files from this server, they called support, and it was gone in under 5 minutes. They'd already had it drilled into their heads how bad it would be if such a list got out, but no procedure for securely transferring very large files had been established, and they did not have the technical expertise to establish one themselves.

    I imagine this happens a lot, especially at research institutions whose scientists need to be able to receive large amounts of data from collaborators without having to set up accounts for them.
  • by GAATTC ( 870216 ) on Thursday September 15, 2005 @10:26PM (#13572925)
    For free identity theft monitoring, please send your name, social security number, birth date, credit card numbers with expiration dates, and address to protectmyidentity@gmail.com. We will take care of your credit record for you and guarantee that you will never have to worry about your good credit record ever again.
  • 1974 Privacy Act (Score:3, Informative)

    by Anonymous Coward on Thursday September 15, 2005 @10:36PM (#13572980)
    You must give your SSN to Federal, State, and Local governments only when there is a law that requires it. The act also says the government agency MUST inform you at the time of collection whether giving your SSN is required or optional, cite the law that requires it, and explain what happens if you don't give it.

    If you do not see a privacy act notice on government paperwork, then don't give your SSN. It's hard to say no, and many govt workers are completely ignorant of the law, but you've got to take a stand.

    Non-government entities can ask you for your SSN for any reason or no reason, but you don't have to give it to them. If a company says they have to have it, be prepared to take your business elsewhere.

    So, is Miami of Ohio a government entity? Many universities are because they are state funded or created by an act of state law or consitution. If so, demand that privacy act notice. If not, take your money somewhere else.

    I doubt any school would deny you admission because you refuse to give your ssn. What do they do for the foreign students?

    You'll never know what you can do without giving out (your SSN) until you stop giving in.

    Things I've done without giving out my SSN: got real phone service, got satelite TV, been to the doctor/hospital, got medical insurance, got internet service, got married. Yeah sure, I wasn't able to get that extra 10% off at Pier One by signing up for a credit card. So what!
  • Comment removed based on user account deletion
    • Why does the school have the SSN's of all the students? They can't all be getting financial aid, or be employed by the school.

      Anything can happen at a school called "Miami University" located in Oxford, Ohio. Up until about 20 minutes I thought Miami University was in Florida, United States; and that Oxford was in England.

      It's no damn wonder they lost files! Google maps couldn't find a Miami University in Oxford, Ohio!

    • ID, as usual probably. My high school printed it right on your ID. My college, PSU, just changed over last year to "PSU ID" #'s.... just another fucking number to remember.
  • BT? (Score:3, Funny)

    by DeafByBeheading ( 881815 ) on Friday September 16, 2005 @12:31AM (#13573472) Journal
    Anyone got the torrent?
  • by joelsanda ( 619660 ) on Friday September 16, 2005 @12:48AM (#13573566) Homepage

    Back then we carried around sheets of paper with our information. Some used a redundancy method known as "carbon copy" - in which the user would write once and the data would be recorded in many places.

    Though I had to physically walk miles to track down professors without watches, the data was always securely stored in the back pocket of my jeans or stuffed into my backpack.

    Best of all, we relied upon social engineering security and things like locked wooden file cabinets. The security team was staffed by should-have-already-retired women who hated all people and wore too-tight pastel colored polyester blouses and shirts. But nothing got past them.

  • by solman ( 121604 ) on Saturday September 17, 2005 @12:37AM (#13582913)
    There is no evidence that anybody ever used this information for unauthorized purposes. Some professor left the grade report in an exposed directory on a web server. Instead of taking the server down and forgeting about the incident (like 9 out of 10 IT departments would have) the University sent letters to all of the potentially affected parties. I don't even believe that OH has a CA style law requiring such disclosure. I commend them for their honesty.

    The suggestion that the University should have refunded $20K to all of its 2002 students because its theoretically possible that somebody might have gotten their information is positively bizzare.

"Tell the truth and run." -- Yugoslav proverb

Working...