Slashdot Mirror

← Back to Stories (view on slashdot.org)

Identity Theft from University Computers

Posted by samzenpus on from the don't-trust-anyone dept.

Different River writes "Someone broke into the administrative computers at George Mason University and accessed personal information, including social security numbers, of 30,000 students, faculty, and staff. "Before the hacking, the university was in the process of replacing students' Social Security numbers with other internal numbers to protect against identity theft." Looks like they just missed it."

19 of 259 comments (clear)

  1. To be honest.. by Tobias.Davis · · Score: 3, Interesting

    Any corporation / school / government entity that uses SSN to identify a individual either on paper or digitalized is out for a harsh reality: Personal identity theft is real and here to stay. Now if I could just figure out how to talk these old timers to drop the SSN number they want labeled on their checks..

    1. Re:To be honest.. by Tobias.Davis · · Score: 3, Informative

      Actually I'm talking about my father, who insists that his SSN needs to be printed on his check. For myself, I'm a 27 year old that has little credit history no credit cards and only 1 dealing with a financial institute (for a vehicle loan). Yes, I'm eccentric but I have no use for the credit system in america. Any information I have on file is positive, but I don't go looking to use my SSN anywhere

    2. Re:To be honest.. by David_W · · Score: 4, Informative
      My bank tries this on me whenever I call to talk to someone they want my account number and SSN to identify me. I always refuse...

      I'm curious why you have a problem with this? The bank already has your SSN on file (IIRC it's a tax requirement), so it's not like you are giving them any new information, merely confirming something that they can see on the screen in front of them.

  2. This just goes to show.... by ecammit · · Score: 5, Insightful

    This just goes to show why using social security numbers for identification purposes is a bad idea. It always disturbs me how many places actually have that number. It was supposed to really be a secret number to identify your for social security, not everyday identification.

  3. I always hated giving the SSN by Class+Act+Dynamo · · Score: 5, Interesting

    I always hated that about college. Where I went, EVERYTHING was connected to the SSN of a student. They knew it was, at the very least, imprudent. When a student first enrolled, there was an option somewhere that the student could check off signifying that he/she would like to be assigned a non-SSN ID. It was in an obscure place, though. I only found out about it when I started working for the University. It was almost as if they hid it, knowing that this is the last thing on most folks mind who are just enrolling at the university.

    --
    My other computer is a Jacquard loom.
    1. Re:I always hated giving the SSN by __aawavt7683 · · Score: 5, Informative

      Likewise. Apparently there was such an option on the applications I filed, but I never saw one. Actually, on the second, I left the SSN field blank. Chaos ensued.

      As for that incident, I ended up having two university accounts, they signed me up for health insurance despite my declining it, etc etc. Basically, they manually merged the two accounts using default options for everything. This after complaining to the registrar's office and such... I assume it occurred because the financial aid office had my SSN and that account was being used. It's all taken care of now. 901-xx-xxxx. Completely invalid. (900's don't work.)

      The other incident was at Michigan Technological University -- saw no option to not have my SSN as my everything-number. In this instance, I gave it because I didn't want to risk not being accepted. Later, I went to the registrar's office to try and get the so-called "M" number that they gave in place of SSNs. At the time I was told that I could only do it if I declared my account confidential -- have to show photo ID, everything done through the mail and so forth; a real pain in the ass. I put that off, but went back a month later with the intent to declare my account confidential. Lo and behold, magically, I no longer had to declare my account confidential and walked out with an M number. M0026xxxx. Still remember it, two years later, even. There's something about numbers...

      But, those're my stories. Really, you CAN change from your SSN after the fact. Many people have bitched, "That's the trouble when you don't stick with your SSN" and such, but I just start talking to them as though they're stupid. That's because they are.

      Go tomorrow, get it changed; keep your confidential data confidential.

      -DrkShadow

    2. Re:I always hated giving the SSN by ComputerSlicer23 · · Score: 3, Funny
      Yeah, I irritated several people, and made a lot of people in the registrars office laugh when they asked for my name, I just gave them my SSN to save time. Everyone understood it was an implication that I was just a number at the University.

      It actually saved time. It was the next thing they were going to ask for anyways, and they wouldn't do anything to my records until I told it to them. They didn't need to know my name, and if they did, it'd be on the first screen they pulled up if they felt the need to use my first name to make me feel like a person.

      Kirby

  4. soooo by ikea5 · · Score: 5, Funny

    no mention of the grades?

  5. And that's the one you know about... by ergo98 · · Score: 5, Interesting

    The most remarkable thing to consider regarding these types of stories is the fact that, more often than not, the hackers are incidentally detected (e.g. they send an email saying "give me money or I go public!").

    How many of these incidents happen with no one the wiser. Just guessing, but I'd wager at least 10 major silent exploits for every 1 publicized event. How many employees of Big Corporation are doing a ZIP of the company database onto a USB key "just in case", and how many servers are silently owned month after month.

  6. The worst thing about this by Anonymous Coward · · Score: 3, Interesting

    There are probably a lot of cases just like this where either the hacked party isn't even aware they got hacked, or the hacked party knows they got hacked and isn't talking about it. Which makes you wonder how long our credit system can stand up to rampant large-scale ID theft.

    Stock up on canned goods, folks.

  7. I'm less worried over this.. by Tracer_Bullet82 · · Score: 3, Insightful

    than from internal threats.

    How many cases of internal theft do we know?

    As someone who once created and maintained my high school information database, I know how easy the system can be abused.

    What's very imporant is that Universities have strict and applied policies dealing with information and database handling.Limiting the numbers that have access is paramount.
    Background checks for personnel involved should be done too.

    --


    Timang tinggi tinggi
    parang sudah asah
    alang alang mandi
    biar sampai basah
  8. wow too bad.... by djeddiej · · Score: 5, Informative

    I had an opportunity to work at a University in Canada as a development contractor, and literally had access to thousands of student numbers and personal information. There is a large push to web-ify a lot of applications, but the educational sector is lagging in terms of security. A strong initiative has to be undertaken at all levels of academic administration to better enforce security rules, from the registation process all the way to marking and evaluation.

    --
    just a web application developer and instructor in Toronto, ON Canada
  9. It wouldn't have mattered. by and+by · · Score: 5, Informative

    Schools phase out SSN usage to prevent identity theft due to losing your wallet with your student ID therein. They still have the SSN on file for financial aid use and it's still part of your student record. It just isn't usually printed.

  10. In Australia.... by fodi · · Score: 5, Interesting

    One of the National Privacy Principles introduced by the Privacy Act 2000, prohibits a private organisation from using such information to uniquely identify a person. Maybe other countries should follow suit and enforce such a law...

  11. Someone follow that example. by philovivero · · Score: 4, Funny

    We need more organisations using other unique identifiers for people than Social Security numbers. This will seem radical to you if you're a politician, but I recommend Social Security numbers should only ever be used for Social Security.

    My mother a few years back pointed out that once upon a time, our politicians actually said, boldly, in front of the entire nation, that in Soviet Russia, the government numbered the citizens. They said this was proof that the soviets were an evil dictatorship sort of country, and not a democracy, where we can vote for naked petrified persons (so long as they are American-born).

    She challenged me to imagine a beowulf cluster of Social Security numbers, and how easily such a cluster could be abused (a near-limitless supply of identities to steal).

    Now, sadly, all our base are belong to the myriad entities that have our Social Security number (along with mother's maiden name, date of birth, income, and all the other things identity thieves might want). You'd expect us, as a society, to be smarter than that.

    Hopefully others will follow the example of this school, and migrate away from using social security numbers for illegitimate purposes.

    --
    fifth sigma, inc.
  12. I'm a Student at GMU by grylnsmn · · Score: 5, Informative
    Here are the two emails that they've sent to students about the incident:

    To: Mason Community

    From: Joy Hughes, Vice President for Information Technology

    Subject: Illegal Intrusion into University Database

    The university server containing the information relating to Mason's ID cards was illegally entered by computer hackers. The server contained the names, photos, social security numbers and G numbers of all members of the Mason community who have identification cards.

    The intruder installed tools on the ID server that allowed other campus servers to be probed. An Information Technology Unit staff member noticed the attack while reviewing system files as part of the university's internal controls procedures, and traced it back to the ID server. The compromised ID server was disconnected from the network and is no longer accessible. The police are currently investigating the break-in. The university is subject to dozens of probes and attacks each day.

    There is no evidence that any of the data available on the Mason ID server has yet been used illegally. It appears that the hackers were looking for access to other campus systems rather than specific data. However, it is possible that the data on the server could be used for identity theft.

    Following are steps each of us should take to minimize the likelihood of ID theft from this, or any other similar incident.

    - Contact any of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert advises new and potential creditors that they should contact you before opening any new accounts in your name. Additionally your existing creditors are advised that they should contact you prior to making any changes (e.g. credit limit change) in your account. Once you notify one credit bureau, the fraud alert will be sent automatically to the other two. All three bureaus will send you credit reports free of charge once they receive the fraud alert. The three credit bureaus can be contacted as follows:

    Transunion
    1-800-680-7289
    www.transunion.com

    Equifax
    1-800-525-6285
    www.equifax.com

    Experian
    1-888-397-3742
    www.experian.com

    - Continue to check all your accounts on a regular basis for unusual activity.

    - The Federal Trade Commission Identity Theft Hotline gives a good overview of what to do when you think your information may have been stolen but have no evidence that it is being used. The number is 1-877-438-4338. Press #3. The Federal Trade Commission also has a website with extensive information about identity theft at www.ftc.gov/idtheft.

    If you have further questions, please call 3-8116. The university's IT Security Coordinator Cathy Hubbs is monitoring this line and will ensure that your message is immediately forwarded to the most appropriate person.

    We understand that taking these steps is inconvenient, and regret that the server attack makes it necessary. While it seems unlikely from the evidence currently available that identity theft has occurred, it is important to take these protective actions. We will share any further information about the intrusion and its effects as soon as it becomes available.

    and

    To: Mason Community

    From: Joy Hughes, Vice President for Information Technology
    Subject: Computer Break-In Information Website Now Established

    A new website giving information regarding the illegal intrusion into
    the university's ID database server is now on line at
    http://www.gmu.edu/intrusion. The page can also be accessed through links on
    the Student and Faculty and Staff resource pages on the home page. Due
    to the large number of calls we have received on the information line,
    we are noting your questions and providing the information on this page.

    We will regularly update the page as more information becomes
    avail

  13. suspiciosity by solaraddict · · Score: 3, Interesting

    The one thing that would make me suspicious would be the fact that the intrusion happened just as they were transforming the data to use some other sort of unique id - IMHO an insider alert if ever there was one.

  14. US Army and identity theft by Jeff+Carr · · Score: 3, Informative
    When I was in the army 1995-1999, the pay stubs were just printed on on a normal sheets of paper, and handed out to everyone once a month.
    Some of the information freely available to anyone who cared to look at it was:
    • Your full name
    • Date of Birth
    • Social Security Number
    • Bank Name
    • Bank Account Number
    • The Amount of the Deposit
    • The Date of the Deposit
    It had more information than that, but plenty enough to call my bank and transfer money to another account. I assume they've improved since then, but they should have known better even then.
    --
    The television will not be revolutionized.
  15. Re:Sue the bastards... by DrFalkyn · · Score: 3, Interesting

    I was one of the potential people whose information was obtained. I am not planning on taking action against the univesity nor would I do so even if finacially harmed, unless it can be proved that there was gross negligence. GMU has made a good faith effort to switch IDs from SSNs to the new 'G' numbers. If my information was used to fradulently open acounts under my name, I would estimate primary people responsible are in my estimation:

    1) The thief
    2) The creditors for their lack proper verification allowing people to open new accounts and charge thousands of dollars with a few tidbits of information

    Then, depending on the circumstances:
    - The makers of whatever software was compromised, be in Windoes, Oracle, IIS, etc.
    - The administrators of said systems for not securing their systems properly or keeping up with the latest updates