Slashdot Mirror

← Back to Stories (view on slashdot.org)

Identity Theft from University Computers

Posted by samzenpus on from the don't-trust-anyone dept.

Different River writes "Someone broke into the administrative computers at George Mason University and accessed personal information, including social security numbers, of 30,000 students, faculty, and staff. "Before the hacking, the university was in the process of replacing students' Social Security numbers with other internal numbers to protect against identity theft." Looks like they just missed it."

11 of 259 comments (clear)

  1. This just goes to show.... by ecammit · · Score: 5, Insightful

    This just goes to show why using social security numbers for identification purposes is a bad idea. It always disturbs me how many places actually have that number. It was supposed to really be a secret number to identify your for social security, not everyday identification.

  2. I always hated giving the SSN by Class+Act+Dynamo · · Score: 5, Interesting

    I always hated that about college. Where I went, EVERYTHING was connected to the SSN of a student. They knew it was, at the very least, imprudent. When a student first enrolled, there was an option somewhere that the student could check off signifying that he/she would like to be assigned a non-SSN ID. It was in an obscure place, though. I only found out about it when I started working for the University. It was almost as if they hid it, knowing that this is the last thing on most folks mind who are just enrolling at the university.

    --
    My other computer is a Jacquard loom.
    1. Re:I always hated giving the SSN by __aawavt7683 · · Score: 5, Informative

      Likewise. Apparently there was such an option on the applications I filed, but I never saw one. Actually, on the second, I left the SSN field blank. Chaos ensued.

      As for that incident, I ended up having two university accounts, they signed me up for health insurance despite my declining it, etc etc. Basically, they manually merged the two accounts using default options for everything. This after complaining to the registrar's office and such... I assume it occurred because the financial aid office had my SSN and that account was being used. It's all taken care of now. 901-xx-xxxx. Completely invalid. (900's don't work.)

      The other incident was at Michigan Technological University -- saw no option to not have my SSN as my everything-number. In this instance, I gave it because I didn't want to risk not being accepted. Later, I went to the registrar's office to try and get the so-called "M" number that they gave in place of SSNs. At the time I was told that I could only do it if I declared my account confidential -- have to show photo ID, everything done through the mail and so forth; a real pain in the ass. I put that off, but went back a month later with the intent to declare my account confidential. Lo and behold, magically, I no longer had to declare my account confidential and walked out with an M number. M0026xxxx. Still remember it, two years later, even. There's something about numbers...

      But, those're my stories. Really, you CAN change from your SSN after the fact. Many people have bitched, "That's the trouble when you don't stick with your SSN" and such, but I just start talking to them as though they're stupid. That's because they are.

      Go tomorrow, get it changed; keep your confidential data confidential.

      -DrkShadow

  3. soooo by ikea5 · · Score: 5, Funny

    no mention of the grades?

  4. And that's the one you know about... by ergo98 · · Score: 5, Interesting

    The most remarkable thing to consider regarding these types of stories is the fact that, more often than not, the hackers are incidentally detected (e.g. they send an email saying "give me money or I go public!").

    How many of these incidents happen with no one the wiser. Just guessing, but I'd wager at least 10 major silent exploits for every 1 publicized event. How many employees of Big Corporation are doing a ZIP of the company database onto a USB key "just in case", and how many servers are silently owned month after month.

  5. wow too bad.... by djeddiej · · Score: 5, Informative

    I had an opportunity to work at a University in Canada as a development contractor, and literally had access to thousands of student numbers and personal information. There is a large push to web-ify a lot of applications, but the educational sector is lagging in terms of security. A strong initiative has to be undertaken at all levels of academic administration to better enforce security rules, from the registation process all the way to marking and evaluation.

    --
    just a web application developer and instructor in Toronto, ON Canada
  6. It wouldn't have mattered. by and+by · · Score: 5, Informative

    Schools phase out SSN usage to prevent identity theft due to losing your wallet with your student ID therein. They still have the SSN on file for financial aid use and it's still part of your student record. It just isn't usually printed.

  7. In Australia.... by fodi · · Score: 5, Interesting

    One of the National Privacy Principles introduced by the Privacy Act 2000, prohibits a private organisation from using such information to uniquely identify a person. Maybe other countries should follow suit and enforce such a law...

  8. Someone follow that example. by philovivero · · Score: 4, Funny

    We need more organisations using other unique identifiers for people than Social Security numbers. This will seem radical to you if you're a politician, but I recommend Social Security numbers should only ever be used for Social Security.

    My mother a few years back pointed out that once upon a time, our politicians actually said, boldly, in front of the entire nation, that in Soviet Russia, the government numbered the citizens. They said this was proof that the soviets were an evil dictatorship sort of country, and not a democracy, where we can vote for naked petrified persons (so long as they are American-born).

    She challenged me to imagine a beowulf cluster of Social Security numbers, and how easily such a cluster could be abused (a near-limitless supply of identities to steal).

    Now, sadly, all our base are belong to the myriad entities that have our Social Security number (along with mother's maiden name, date of birth, income, and all the other things identity thieves might want). You'd expect us, as a society, to be smarter than that.

    Hopefully others will follow the example of this school, and migrate away from using social security numbers for illegitimate purposes.

    --
    fifth sigma, inc.
  9. I'm a Student at GMU by grylnsmn · · Score: 5, Informative
    Here are the two emails that they've sent to students about the incident:

    To: Mason Community

    From: Joy Hughes, Vice President for Information Technology

    Subject: Illegal Intrusion into University Database

    The university server containing the information relating to Mason's ID cards was illegally entered by computer hackers. The server contained the names, photos, social security numbers and G numbers of all members of the Mason community who have identification cards.

    The intruder installed tools on the ID server that allowed other campus servers to be probed. An Information Technology Unit staff member noticed the attack while reviewing system files as part of the university's internal controls procedures, and traced it back to the ID server. The compromised ID server was disconnected from the network and is no longer accessible. The police are currently investigating the break-in. The university is subject to dozens of probes and attacks each day.

    There is no evidence that any of the data available on the Mason ID server has yet been used illegally. It appears that the hackers were looking for access to other campus systems rather than specific data. However, it is possible that the data on the server could be used for identity theft.

    Following are steps each of us should take to minimize the likelihood of ID theft from this, or any other similar incident.

    - Contact any of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert advises new and potential creditors that they should contact you before opening any new accounts in your name. Additionally your existing creditors are advised that they should contact you prior to making any changes (e.g. credit limit change) in your account. Once you notify one credit bureau, the fraud alert will be sent automatically to the other two. All three bureaus will send you credit reports free of charge once they receive the fraud alert. The three credit bureaus can be contacted as follows:

    Transunion
    1-800-680-7289
    www.transunion.com

    Equifax
    1-800-525-6285
    www.equifax.com

    Experian
    1-888-397-3742
    www.experian.com

    - Continue to check all your accounts on a regular basis for unusual activity.

    - The Federal Trade Commission Identity Theft Hotline gives a good overview of what to do when you think your information may have been stolen but have no evidence that it is being used. The number is 1-877-438-4338. Press #3. The Federal Trade Commission also has a website with extensive information about identity theft at www.ftc.gov/idtheft.

    If you have further questions, please call 3-8116. The university's IT Security Coordinator Cathy Hubbs is monitoring this line and will ensure that your message is immediately forwarded to the most appropriate person.

    We understand that taking these steps is inconvenient, and regret that the server attack makes it necessary. While it seems unlikely from the evidence currently available that identity theft has occurred, it is important to take these protective actions. We will share any further information about the intrusion and its effects as soon as it becomes available.

    and

    To: Mason Community

    From: Joy Hughes, Vice President for Information Technology
    Subject: Computer Break-In Information Website Now Established

    A new website giving information regarding the illegal intrusion into
    the university's ID database server is now on line at
    http://www.gmu.edu/intrusion. The page can also be accessed through links on
    the Student and Faculty and Staff resource pages on the home page. Due
    to the large number of calls we have received on the information line,
    we are noting your questions and providing the information on this page.

    We will regularly update the page as more information becomes
    avail

  10. Re:To be honest.. by David_W · · Score: 4, Informative
    My bank tries this on me whenever I call to talk to someone they want my account number and SSN to identify me. I always refuse...

    I'm curious why you have a problem with this? The bank already has your SSN on file (IIRC it's a tax requirement), so it's not like you are giving them any new information, merely confirming something that they can see on the screen in front of them.