Slashdot Mirror

← Back to Stories (view on slashdot.org)

Identity Theft from University Computers

Posted by samzenpus on from the don't-trust-anyone dept.

Different River writes "Someone broke into the administrative computers at George Mason University and accessed personal information, including social security numbers, of 30,000 students, faculty, and staff. "Before the hacking, the university was in the process of replacing students' Social Security numbers with other internal numbers to protect against identity theft." Looks like they just missed it."

9 of 259 comments (clear)

  1. wow too bad.... by djeddiej · · Score: 5, Informative

    I had an opportunity to work at a University in Canada as a development contractor, and literally had access to thousands of student numbers and personal information. There is a large push to web-ify a lot of applications, but the educational sector is lagging in terms of security. A strong initiative has to be undertaken at all levels of academic administration to better enforce security rules, from the registation process all the way to marking and evaluation.

    --
    just a web application developer and instructor in Toronto, ON Canada
  2. It wouldn't have mattered. by and+by · · Score: 5, Informative

    Schools phase out SSN usage to prevent identity theft due to losing your wallet with your student ID therein. They still have the SSN on file for financial aid use and it's still part of your student record. It just isn't usually printed.

  3. Re:To be honest.. by Tobias.Davis · · Score: 3, Informative

    Actually I'm talking about my father, who insists that his SSN needs to be printed on his check. For myself, I'm a 27 year old that has little credit history no credit cards and only 1 dealing with a financial institute (for a vehicle loan). Yes, I'm eccentric but I have no use for the credit system in america. Any information I have on file is positive, but I don't go looking to use my SSN anywhere

  4. I'm a Student at GMU by grylnsmn · · Score: 5, Informative
    Here are the two emails that they've sent to students about the incident:

    To: Mason Community

    From: Joy Hughes, Vice President for Information Technology

    Subject: Illegal Intrusion into University Database

    The university server containing the information relating to Mason's ID cards was illegally entered by computer hackers. The server contained the names, photos, social security numbers and G numbers of all members of the Mason community who have identification cards.

    The intruder installed tools on the ID server that allowed other campus servers to be probed. An Information Technology Unit staff member noticed the attack while reviewing system files as part of the university's internal controls procedures, and traced it back to the ID server. The compromised ID server was disconnected from the network and is no longer accessible. The police are currently investigating the break-in. The university is subject to dozens of probes and attacks each day.

    There is no evidence that any of the data available on the Mason ID server has yet been used illegally. It appears that the hackers were looking for access to other campus systems rather than specific data. However, it is possible that the data on the server could be used for identity theft.

    Following are steps each of us should take to minimize the likelihood of ID theft from this, or any other similar incident.

    - Contact any of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert advises new and potential creditors that they should contact you before opening any new accounts in your name. Additionally your existing creditors are advised that they should contact you prior to making any changes (e.g. credit limit change) in your account. Once you notify one credit bureau, the fraud alert will be sent automatically to the other two. All three bureaus will send you credit reports free of charge once they receive the fraud alert. The three credit bureaus can be contacted as follows:

    Transunion
    1-800-680-7289
    www.transunion.com

    Equifax
    1-800-525-6285
    www.equifax.com

    Experian
    1-888-397-3742
    www.experian.com

    - Continue to check all your accounts on a regular basis for unusual activity.

    - The Federal Trade Commission Identity Theft Hotline gives a good overview of what to do when you think your information may have been stolen but have no evidence that it is being used. The number is 1-877-438-4338. Press #3. The Federal Trade Commission also has a website with extensive information about identity theft at www.ftc.gov/idtheft.

    If you have further questions, please call 3-8116. The university's IT Security Coordinator Cathy Hubbs is monitoring this line and will ensure that your message is immediately forwarded to the most appropriate person.

    We understand that taking these steps is inconvenient, and regret that the server attack makes it necessary. While it seems unlikely from the evidence currently available that identity theft has occurred, it is important to take these protective actions. We will share any further information about the intrusion and its effects as soon as it becomes available.

    and

    To: Mason Community

    From: Joy Hughes, Vice President for Information Technology
    Subject: Computer Break-In Information Website Now Established

    A new website giving information regarding the illegal intrusion into
    the university's ID database server is now on line at
    http://www.gmu.edu/intrusion. The page can also be accessed through links on
    the Student and Faculty and Staff resource pages on the home page. Due
    to the large number of calls we have received on the information line,
    we are noting your questions and providing the information on this page.

    We will regularly update the page as more information becomes
    avail

  5. US Army and identity theft by Jeff+Carr · · Score: 3, Informative
    When I was in the army 1995-1999, the pay stubs were just printed on on a normal sheets of paper, and handed out to everyone once a month.
    Some of the information freely available to anyone who cared to look at it was:
    • Your full name
    • Date of Birth
    • Social Security Number
    • Bank Name
    • Bank Account Number
    • The Amount of the Deposit
    • The Date of the Deposit
    It had more information than that, but plenty enough to call my bank and transfer money to another account. I assume they've improved since then, but they should have known better even then.
    --
    The television will not be revolutionized.
  6. Re:suspiciosity by dbIII · · Score: 2, Informative
    The one thing that would make me suspicious would be the fact that the intrusion happened just as they were transforming the data to use some other sort of unique id
    That doesn't surprise me at at that it was found at this time - the system would be coming under more scruting than usual, so intrusions may have happened before but were only noticed at that time.
  7. Re:I always hated giving the SSN by __aawavt7683 · · Score: 5, Informative

    Likewise. Apparently there was such an option on the applications I filed, but I never saw one. Actually, on the second, I left the SSN field blank. Chaos ensued.

    As for that incident, I ended up having two university accounts, they signed me up for health insurance despite my declining it, etc etc. Basically, they manually merged the two accounts using default options for everything. This after complaining to the registrar's office and such... I assume it occurred because the financial aid office had my SSN and that account was being used. It's all taken care of now. 901-xx-xxxx. Completely invalid. (900's don't work.)

    The other incident was at Michigan Technological University -- saw no option to not have my SSN as my everything-number. In this instance, I gave it because I didn't want to risk not being accepted. Later, I went to the registrar's office to try and get the so-called "M" number that they gave in place of SSNs. At the time I was told that I could only do it if I declared my account confidential -- have to show photo ID, everything done through the mail and so forth; a real pain in the ass. I put that off, but went back a month later with the intent to declare my account confidential. Lo and behold, magically, I no longer had to declare my account confidential and walked out with an M number. M0026xxxx. Still remember it, two years later, even. There's something about numbers...

    But, those're my stories. Really, you CAN change from your SSN after the fact. Many people have bitched, "That's the trouble when you don't stick with your SSN" and such, but I just start talking to them as though they're stupid. That's because they are.

    Go tomorrow, get it changed; keep your confidential data confidential.

    -DrkShadow

  8. Privacy Act of 1974 by spockman · · Score: 2, Informative

    Read the Privacy Act of 1974, a quick Google will find it for you. We had to use it in the Military and it basically required you to give permission and sign a form that stated what the organization was going to do with your SSAN, covered a lot of different area's.

  9. Re:To be honest.. by David_W · · Score: 4, Informative
    My bank tries this on me whenever I call to talk to someone they want my account number and SSN to identify me. I always refuse...

    I'm curious why you have a problem with this? The bank already has your SSN on file (IIRC it's a tax requirement), so it's not like you are giving them any new information, merely confirming something that they can see on the screen in front of them.