Slashdot Mirror


Identity Theft from University Computers

Different River writes "Someone broke into the administrative computers at George Mason University and accessed personal information, including social security numbers, of 30,000 students, faculty, and staff. "Before the hacking, the university was in the process of replacing students' Social Security numbers with other internal numbers to protect against identity theft." Looks like they just missed it."

18 of 259 comments

  1. To be honest.. by Tobias.Davis · · Score: 3, Interesting

    Any corporation / school / government entity that uses SSN to identify an individual either on paper or digitalized is out for a harsh reality: Personal identity theft is real and here to stay. Now if I could just figure out how to talk these old timers into dropping the SSN number they want labeled on their checks..

  2. I always hated giving the SSN by Class+Act+Dynamo · · Score: 5, Interesting

    I always hated that about college. Where I went, EVERYTHING was connected to the SSN of a student. They knew it was, at the very least, imprudent. When a student first enrolled, there was an option somewhere that the student could check off signifying that he/she would like to be assigned a non-SSN ID. It was in an obscure place, though. I only found out about it when I started working for the University. It was almost as if they hid it, knowing that this is the last thing on most folks' minds who are just enrolling at the university.

    --
    My other computer is a Jacquard loom.
    1. Re:I always hated giving the SSN by mattstorer · · Score: 2, Interesting
      Yeah, I did pretty much the same thing at my school. I was, unfortunately, blessed (?) with a remarkably easy-to-remember SSN; almost anyone who hears it could probably remember it without difficulty after the first time.

      So anyway, I went to get my student ID changed after the proverbial straw broke the camel's back: I had received a letter in the mail from the university, addressed to me, with my student ID (SSN) printed on the outside of the envelope. Boy was I pissed. So, I went down to the registrar's office to get my ID changed, which they were happy to do.

      A few thoughts:
      • first, at my old school, if you lived on campus you could order pizza from local pizza shops and pay for it using your student meal plan. you just had to provide to the 16-year-old on the other end of the phone your name, address, and SSN. Now, if this isn't one of the biggest loopholes for identity theft, I don't know what is. I mean, how the hell do I know the kid taking my order isn't going to misuse my information? What checks and balances are in place to ensure my information stays private in the pizza joint?
      • second, and not quite so bad, is that everyone in the school knows damn well student IDs are SSNs. even after I got my ID changed from my SSN to an internal ID, if I ever went to the health center, or had to sign forms of any sort, or order pizza, or whatever, I would be asked for my SSN. I'd ask them, "you mean my student ID?" and they'd reply, "your SSN." early on, if the questioner was a school official, I'd give them my SSN trusting they know what they're talking about, but found that they in fact didn't, they really meant my student ID. grrr...
      • but here's the weird part. about 6 months after I changed my ID from my SSN to an internal ID, I got a notice in the mail that I had to start paying my student loans, as I'd left school. I thought, "WTF? I haven't left!" so I looked into it. Turns out, there's a whole network of linkages between your student loans and your student ID - at least, at my alma mater - so when I changed my ID, I had a fair amount of extra work to do to continue to receive my loans. Just FYI, you'll probably want to inquire about this at your school's financial aid office if you decide to switch your ID - which I strongly encourage you to do, even if it is a pain.
      -matt
  3. Suspicious? by Dekks · · Score: 2, Interesting

    It seems like a bit of a convenient coincidence that this happened just before they replaced their ID numbers with something other than Social Security numbers. Someone has obviously been paying attention in their Computer Science classes.

  4. And that's the one you know about... by ergo98 · · Score: 5, Interesting

    The most remarkable thing to consider regarding these types of stories is the fact that, more often than not, the hackers are incidentally detected (e.g. they send an email saying "give me money or I go public!").

    How many of these incidents happen with no one the wiser? Just guessing, but I'd wager at least 10 major silent exploits for every 1 publicized event. How many employees of Big Corporation are doing a ZIP of the company database onto a USB key "just in case", and how many servers are silently owned month after month?

  5. The worst thing about this by Anonymous Coward · · Score: 3, Interesting

    There are probably a lot of cases just like this where either the hacked party isn't even aware they got hacked, or the hacked party knows they got hacked and isn't talking about it. Which makes you wonder how long our credit system can stand up to rampant large-scale ID theft.

    Stock up on canned goods, folks.

    1. Re:The worst thing about this by dasunt · · Score: 2, Interesting

      There are probably a lot of cases just like this where either the hacked party isn't even aware they got hacked, or the hacked party knows they got hacked and isn't talking about it. Which makes you wonder how long our credit system can stand up to rampant large-scale ID theft.

      Stock up on canned goods, folks.

      Americans have one of the lowest savings rates for a developed nation. There are several studies which indicated many Americans spend more than they earn. Even worse, other than home ownership, many goods and services that Americans buy do almost nothing to help their financial health.

      Now there is nothing wrong with spending money on what makes you happy as long as it's within reason, but how many people out there have maxed out credit cards, drive a new car, have a full entertainment package ($80+ cable bills, cell phones with every feature and service imaginable, big "going-out" entertainment budget), and shop out of boredom, all while having little or no savings?

      This "buy now, pay later, I don't have to plan for my future" is what I'm worried about. A little ID theft here and there won't kill us.

  6. In Australia.... by fodi · · Score: 5, Interesting

    One of the National Privacy Principles introduced by the Privacy Act 2000, prohibits a private organisation from using such information to uniquely identify a person. Maybe other countries should follow suit and enforce such a law...

  7. Inquiring minds want to know... by davezirk · · Score: 2, Interesting

    What OS was their server running????

  8. suspiciosity by solaraddict · · Score: 3, Interesting

    The one thing that would make me suspicious would be the fact that the intrusion happened just as they were transforming the data to use some other sort of unique id - IMHO an insider alert if ever there was one.

  9. Re:This just goes to show.... by Peyna · · Score: 2, Interesting

    Other than the BMV (and I can't figure out why they need your SSN), most of the places that have it are because they need to report tax information about you. You don't have to give it to anyone else. Some places will get annoyed with your request to have a special identification number, but they will accommodate you. My undergrad used to use SSNs for identification, but you could always request a different ID number at any time.

    --
    What?
  10. Universities are security risk by bigberk · · Score: 2, Interesting

    Universities are notorious for not having good network and server security (hard to hire the required large staff to oversee so much data). I now work in the computer security field, and when I look back at my university experience I see lots of very frightening things -- besides just the extent of the records the university keeps, they also tend to print things like your birth date on records. Having your date of birth intercepted is bad news, and it is really disturbing to see it printed in so many places, especially alongside your SSN / SIN.

    On top of that, network security in general is weak and so there are all these students using unencrypted shell logins, and exchanging sensitive data over email. Or doing online banking on public machines, where key loggers could easily be installed. Lots of students live at the university, so they have to use computers for sensitive tasks like banking (unless they happen to have a laptop).

    The whole experience made me resolve to keep tight control of aspects of my privacy. If someone tries to hijack your identity, the telltale signs are: money disappearing, and new accounts being opened. So you must keep accurate records of where your money is, and watch those balances. Also order yearly credit checks, which are free to do. If someone is opening accounts under your name, you can at least catch it.

  11. Re:Sue the bastards... by DanteLysin · · Score: 2, Interesting

    I think the problem is that there is a general belief that SSN is a secure identifier. Back when I was in college (god, almost 10 years ago), in my first "IT job" (ok, so I was lab consultant), one of our bosses showed us how easy it was to access public information. From a name and city, he was able to retrieve the student's full address, SSN, and even retrieve the student's parent's property tax information. The demonstration did not involve hacking or unauthorized intrusion to another system. This was 10 years ago, when there was a lot less "online" information about you.

    Assuming SSN is secure is like using a .rhosts file on your root user account.

  12. Re:Sue the bastards... by DrFalkyn · · Score: 3, Interesting

    I was one of the potential people whose information was obtained. I am not planning on taking action against the university nor would I do so even if financially harmed, unless it can be proved that there was gross negligence. GMU has made a good faith effort to switch IDs from SSNs to the new 'G' numbers. If my information was used to fraudulently open accounts under my name, I would estimate the primary people responsible are in my estimation:

    1) The thief
    2) The creditors for their lack of proper verification allowing people to open new accounts and charge thousands of dollars with a few tidbits of information

    Then, depending on the circumstances:
    - The makers of whatever software was compromised, be it Windows, Oracle, IIS, etc.
    - The administrators of said systems for not securing their systems properly or keeping up with the latest updates

  13. Oldest excuse on the books by iamacat · · Score: 2, Interesting

    I bet they have been "in the process of replacing the system" since last century. They just didn't do any serious work on that until they got busted. Same as US Airways over Christmas and countless companies with Y2K bug until 1999. Everyone with decision making power should take a serious pay cut and students should get tuition discounts to offset the cost of dealing with identity theft.

    If they really took the problem seriously, an upgrade wouldn't take long at all. Just mechanically replace SSNs in the database with unique, randomly generated 9 digit numbers and set up a web page that maps SHA(SSN) to the new ID.
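
Added example, not part of the comment above and not code from the page: a sketch of the migration that comment describes (random 9-digit IDs plus a hash-based lookup from SSN to new ID). It assumes a server-side secret key and uses HMAC-SHA-256 in place of a bare SHA digest; the function names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def normalize_ssn(raw: str) -> str:
    """Strip separators and require exactly nine digits."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return digits

def lookup_token(key: bytes, ssn: str) -> str:
    # Keyed hash: SSNs span only 10**9 values, so a bare SHA digest could be
    # matched by hashing every candidate. The key never leaves the server.
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()

def new_id(taken: set) -> str:
    """Draw a random 9-digit ID that is not already assigned."""
    while True:
        candidate = f"{secrets.randbelow(10**9):09d}"
        if candidate not in taken:
            taken.add(candidate)
            return candidate

def migrate(records: dict, key: bytes):
    """records maps SSN -> row. Returns (rows keyed by new ID, token -> new ID)."""
    taken, by_new_id, token_to_id = set(), {}, {}
    for ssn, row in records.items():
        token = lookup_token(key, ssn)
        if token in token_to_id:  # same SSN entered twice in different formats
            raise ValueError("duplicate SSN in source data")
        sid = new_id(taken)
        by_new_id[sid] = dict(row)  # migrated row no longer carries the SSN
        token_to_id[token] = sid
    return by_new_id, token_to_id

def find_new_id(token_to_id: dict, key: bytes, ssn: str):
    """What the lookup page would do: SSN in, new ID out, or None."""
    try:
        return token_to_id.get(lookup_token(key, ssn))
    except ValueError:
        return None

# Constructed sample data, not real SSNs.
SAMPLE = {"000-12-3456": {"name": "A. Student"}, "900 55 0001": {"name": "B. Staff"}}
KEY = secrets.token_bytes(32)
STUDENTS, TOKENS = migrate(SAMPLE, KEY)
```

After the migration only `STUDENTS` and `TOKENS` need to be kept; a copy of `TOKENS` without `KEY` cannot be used to look anyone up.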

  14. Re:Sue the bastards... by MLopat · · Score: 2, Interesting

    Not sure why you guys are so opposed to the idea of suing the school. They're not even being apologetic. The bare minimum I would expect would be a formal apology.

    Where would the money come from? From the school of course. This would just raise tuition you say? Well sure, but why would you want to go to a school like this after an incident of this magnitude? I wouldn't trust them. And there are other options. It's not like we're talking about Waterloo or MIT here.

  15. Bit more complicated than that by Aexia · · Score: 2, Interesting

    I worked for AT&T Wireless when they were breaking off from AT&T proper. One of things that needed to be done was to replace all of the AT&T employee ID numbers with new AWS employee ID numbers.

    It. Took. For. Ever.

    All sorts of disconnected systems keyed to that AT&T ID # that needed to be updated and changed and the change needed to happen in one fell swoop and nothing could fail.

    I'm betting a university setup is even worse.

  16. Re:Social Security Number by Anita+Coney · · Score: 2, Interesting

    Actually, it's a problem with both. When the SSN was first conceived it was specifically NOT supposed to be any sort of ID system. Obviously that changed.

    Some states have solved the problem. In Texas, for example, people can "lock" their credit information. With it locked no one can get credit reports which makes it impossible to get credit, even if the person has the SSN, driver's license, birth certificate, etc.

    Of course the credit companies are fighting these laws because they like the idea of fast and easy credit.

    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.