Slashdot Mirror
Identity Theft from University Computers
Different River writes "Someone broke into the administrative computers at George Mason University and accessed personal information, including social security numbers, of 30,000 students, faculty, and staff. "Before the hacking, the university was in the process of replacing students' Social Security numbers with other internal numbers to protect against identity theft." Looks like they just missed it."
Any corporation / school / government entity that uses SSN to identify a individual either on paper or digitalized is out for a harsh reality: Personal identity theft is real and here to stay. Now if I could just figure out how to talk these old timers to drop the SSN number they want labeled on their checks..
I always hated that about college. Where I went, EVERYTHING was connected to the SSN of a student. They knew it was, at the very least, imprudent. When a student first enrolled, there was an option somewhere that the student could check off signifying that he/she would like to be assigned a non-SSN ID. It was in an obscure place, though. I only found out about it when I started working for the University. It was almost as if they hid it, knowing that this is the last thing on most folks mind who are just enrolling at the university.
My other computer is a Jacquard loom.
The most remarkable thing to consider regarding these types of stories is the fact that, more often than not, the hackers are incidentally detected (e.g. they send an email saying "give me money or I go public!").
How many of these incidents happen with no one the wiser. Just guessing, but I'd wager at least 10 major silent exploits for every 1 publicized event. How many employees of Big Corporation are doing a ZIP of the company database onto a USB key "just in case", and how many servers are silently owned month after month.
There are probably a lot of cases just like this where either the hacked party isn't even aware they got hacked, or the hacked party knows they got hacked and isn't talking about it. Which makes you wonder how long our credit system can stand up to rampant large-scale ID theft.
Stock up on canned goods, folks.
One of the National Privacy Principles introduced by the Privacy Act 2000, prohibits a private organisation from using such information to uniquely identify a person. Maybe other countries should follow suit and enforce such a law...
The one thing that would make me suspicious would be the fact that the intrusion happened just as they were transforming the data to use some other sort of unique id - IMHO an insider alert if ever there was one.
I was one of the potential people whose information was obtained. I am not planning on taking action against the univesity nor would I do so even if finacially harmed, unless it can be proved that there was gross negligence. GMU has made a good faith effort to switch IDs from SSNs to the new 'G' numbers. If my information was used to fradulently open acounts under my name, I would estimate primary people responsible are in my estimation:
1) The thief
2) The creditors for their lack proper verification allowing people to open new accounts and charge thousands of dollars with a few tidbits of information
Then, depending on the circumstances:
- The makers of whatever software was compromised, be in Windoes, Oracle, IIS, etc.
- The administrators of said systems for not securing their systems properly or keeping up with the latest updates