Slashdot Mirror
Whopping-Big Data Theft At U.C. Berkeley
aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."
That was a theft of mostly technical motor vehicle data from a study, and so it wasn't very damaging to the participants. Although I wouldn't want my car model / color etc. publicly available.
This seems to be a case when the privacy of the information could have been maintained despite the breach of security if they had been using a "translucent database". Peter Wayner wrote a good book about this, and as far as I know coigned the term.
It naturally requires some thought to do right but it seems like it could have worked in this case.
The laws are already there. Too bad they are not enforced.
In Soviet Russia, I ruled you
Oddly enough, the large University I work for has been discussing making two or three seperate networks inside the univesrity to keep something like this from happening. Presently, the Hospital has their own private network interconnected to our network via a firewall. We have been toying with the idea of making a private network for sensitive university machines an faculty networks. Thus then leaving the students and other network users on a more normal public network, behind the border firewall of course. The discussion of data security has come more than once and now I'm just waiting for that email saying, 'it's on'. And the acronymns will fly.... VLAN, VPN et al. yay!
On the contrary, most major universities have the staff, software, equipment, and knowhow to maintain tight control over the network, it's that their hands are tied by professors who demand complete access to whatever they want in the name of accademic freedom and by the students who are paying $X thousands dollars for the experience, and by god, are going to use their $P2PSOFT.
My 27,000 student body university weathers most of the worms better than most large businesses, despite having little control over the computers on the network. And we keep our key servers safe. Assuming a lack of zero day exploits (as is true in this case), there's no reason an important server is any less safe in an accademic environment than a corporate one. Someone was asleep at the wheel, and you'll find that anywhere.
http://ist-socrates.berkeley.edu:7015/protected. data.html
Hope you find it to be as educational on this subject as I did
Chris Williams clw7500nc@gmail.com
They should have cleaned the data and removed the SSN. When we pass information outside the company we remove any reference to the SSN and replace it with a zero padded sequence to the same length as the SSN. If they ever need to know who the individual is they can give us this sequence number and we can look them up. Our plans are to remove any possible reference to the SSN in the database and replace them with a good old fashion sequence number (IE Customer number). Only payroll will have a table that links the sequence number to the SSN (a must when filing taxes).
My Sig indicates the end of the comment I posted.
Stop giving everyone your social security number.
Only the government really needs it. For the sake of saving time and aggrevation, I'll provide mine to my employer and my bank as well but no one else needs to get it. Ever.
NTITE
-You can cry, but you'll still die. There'll be no tears in the end.
Can you provide a reference that it is illegal?
Seriously, this is not a troll....I see this statement often and I want to know if it's an urban myth or not.
I was working on this project, and I'll tell you I was extremeley disheartened to learn people would try and sabotage this project. It is for a really good cause (if you believe in unions that is, I don't, but it was still for a good cause) and I hope the project isn't jeapordized beyond repair because of this. For those who might have guessed, the system that was hacked was a Windows 2000 Pro box running SQL Server and a statistics program called STATA. The box was only up and running while retrieving data and was turned off the rest of the time while I was on the project. There were very strict rules about letting the box onto the network since it wasn't a Berkeley box, but then they took the box and put on their own security software which supposedly made the data safe. I can give you the name of the IT guy in charge if you want. Many of you are listing reasons for not having the SSN's on the database, and that they should have been kept at the state level and then the state give us unique identifier numbers. In actuality, the state does not provide that service, and only provides the data from several databases. We ourselves then created unique identifiers because we needed very specific samples from different populations of California. This identifier was made with a combination of people's relations, their ethnicity, and their social security number. You'd be surprised how many people in California have the same name. Also, although maybe not the best reason in some programmer's opinion - it was easier to separate people by their SSN because STATA didn't present a way to compare strings in a useful enough manner so as to use a combination of name and zipcode. And if you are wondering why we had names and addresses and phone numbers, it is because we called and mailed these people ourselves. Our first mailing - worked a 22 hour day, and tried about four different assembly lines! The state didn't help at all - and in the current time when we have idiot Republicans like Arnold (I can't spell his last name) who thinks fixing a state budget crisis involves cutting the budget of an already failing program and driving MORE people into poverty, I don't think you can expect them to help us tell them how and why they are wrong. I'm no longer on the project (got shipped overseas) but the people working on it are rock solid individuals, and personally, as a former IT guy myself, I blame the morons who worked IT at the division this project is taking place. I understand Berkeley is huge, but for a University that supposedly is "computers" - they have a lot of people with absolutely no clue.
I'll bet there are no Indian laws regarding the release of Social Security numbers and financial information of Americans.
BTW, it is not illegal in the US to "release" social security numbers and financial information. There are quite a few companies that make a nice profit from selling this information on a daily basis. I doubt that if it is legal in the US that it would be illegal in other countries like India (except perhaps Germany).
Speak truth to power.
Actually, it is illegal in some jurisdictions to remove that tag if you're not the ultimate consumer. I believe it is mostly California that has lead this effort (These tags usually reference Califonia statutes). Read the damn thing before you spout off next time.
No, I really do think it's nearly the perfect example of the dangers of righteousness.
The Grand Experiment in this case was apparently perceived as vastly more "important" than the individual privacy and even *lives* of actual living people. This is quite typical of people who are out to "save the world". It's a form of "the ends justify the means" thinking. I call bullshit.
BTW, in case it wasn't obvious: this isn't a liberal vs. conservative thing. Anti-abortionists have the same damn problem.
This is all assuming, of course, that the parent of my original comment wasn't itself flamebait :-).
Anybody have a reference that'll prove it's illegal to use a SSN as an ID number?
How 'bout a reference that proves that it isn't? SSN FAQ.
I'm at a University that requires me to produce my SSN pretty much constantly. It's my student ID number, generally the number used to post exam scores online so as to "hide the identity" of the student receiving each grade.
If they're a public school, then they probably can't do this. But every school I've been to has had a procedure where one could change their student ID to a randomly generated one. It's not very publicized, and you usually have to go far up the chain of "let me talk to your manager" before you even get someone who knows about it, but it's usually possible.
SS is a tax ID. It is also referred to as an EIN number (though Tax ID and EIN are generally referred to for businesses) but they are one and the same....in fact businesses typically start with 23-#######...if you notice, this is the same length as a personal SS number of ###-##-####. :D
Though if your credit is crappy, being able to switch - without the crap leaking over - would be a great thing. Now what you want to do is get yourself classified as a non-profit organization - then you really reap benefits
I mod down so you can mod up. Your welcome.
The university I went to allowed you to request an alternate number be used as your student identification number. It was the same length as a SSN.
Well, if you are in the United States it is against FERPA to use SSNs (or parts thereof) to post grades.
I suggest immediately asking all your professors to cease and desist their actions. If they refuse bring it to the heads of their departments. If your requests are again ignored I suggest filing a complaint against them as shown below...
See the document posted below with regards to this (pasted because it's in DOC format -- formatted after paste to avoid whitespace filter):
===
Dr. Evangelos J. Gizis
Interim President
Hunter College of the City University of New York
695 Park Avenue
New York, New York 10021
Complaint No.
Family Educational Rights and Privacy Act
Dear Dr. Gizis:
This is to advise you of the finding in the complaint filed with this Office by [Student] who alleged that Hunter College of the City University of New York (College) violated his rights under the Family Educational Rights and Privacy Act (FERPA). Specifically, the Student alleged that Mr. Cullen Schaffer, a computer science professor, posted his exam and final grade on a web page along with the last four digits of his social security number.
This Office advised you of the allegation by letter dated August 21, 2000, and you responded on behalf of the College by letter dated September 25, 2000. You state in your letter that many College professors do post grades by the last four digits of a student's social security number. You state that "no student names are listed" and that this "enables students to easily identify their own grades, yet remain unable to identify any other student's identities." You also state that the College does "not consider this practice to be in violation of FERPA or any other applicable laws."
FERPA protects privacy interests of parents in their children's "education records," and generally prohibits the disclosure of personally identifiable information from education records without the consent of the parent. The term "education records" is broadly defined as all records, files, documents and other materials which:
contain information directly related to a student; and are maintained by the educational agency or institution or by a person acting for such agency or institution.
20 U.S.C. 1232g(a)(4)(A); 34 CFR 99.3 "Education records." When a student reaches the age of 18 or attends an institution of postsecondary education, the student is considered an "eligible student" under FERPA and all of the rights afforded by FERPA transfer from the parents to the student.
Under FERPA an eligible student must provide his or her prior written consent before an educational agency or institution discloses personally identifiable information from his or her education records. 20 U.S.C. 1232g(b); 34 CFR 99.30. Section 99.3 of the regulations defines the "Personally identifiable information" as information that includes but is not limited to:
(a) the student's name;
(b) the name of the student's parent or other family member;
(c) the address of the student or the student's family;
(d) a personal identifier, such as the student's social security number or student number;
(e) a list of personal characteristics that would make the student's identity easily traceable; or
(f) other information that would make the student's identity easily traceable.
34 CFR 99.3 "Personally identifiable information." (Emphasis added.) A student's social security number is, by definition, "personally identifiable information" under FERPA, and may not be disclosed without consent in any form.
FERPA provides that educational agencies and institutions may not disclose personally identifiable, non-directory information from education records unless a parent or eligible student has provided a signed and dated written consent in accordance
By law, the only places that can receive your SSN are government offices, employers, banks and landlords. Anyone else can't deny you any of their services based on you not giving them your SSN. I think banks and landlords are the ones that are most limited in what they can use the number for. Government and employers use the number for taxes and for government to turn you into a number (for medical benefits, social security payments, and so on). No one else has the right to ask for it.
Oh people will bitch and moan about not getting it from you. But who the hell at CompUSA needs your SSN?
And if a non-government or non-employer needs to verify that you are who you say you are, they can ask for your driver's license number. But the SSN is off limits to everyone else.
At least this is what my employer told me when I got hired (us government). They instructed me to safeguard my SSN as best I can, which includes not giving it to people that legally don't have a right to it. As they put it, 99% of the identity theft issues are from people giving their SSNs to folks or organizations that don't actually need it. And then those organizations don't know what a secure system is. To be honest, I'd rather have my SSN and other personal info stored on a DoD, DoJ, or whatever agency system, than on the computers at Joe Blow's Car Sales.