Berkeley Grads' Identity Data Stolen

yali writes "Did you get a graduate degree from Berkeley? Or maybe you just applied but didn't go there? If so, your identity may have been stolen. A laptop was stolen containing names, social security numbers, birthdates, and addresses of grad students, alumni, and applicants. University police suspect that the thief just wanted the laptop, but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable. Berkeley has set up a website with information on the breach."

Secret

[BWJones]

Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment. When personal data is checked out and allowed to be placed on laptops or other portable devices for removal from the central location where the data is stored, personal responsibility needs to be ensured and access should be confirmed by 1) need to know basis and 2) those who are trained to undergo training with confidential data.

Granted, this will not prevent all leaks as even the State Department, CIA and FBI have had problems with missing laptops, but they are getting better about data confidentiality and security through training and implementation of protocols designed to limit leaks and unauthorized access.

Re:Secret

[stinerman]

You raise good points, but what must happen is that people need to be more careful with their personal information. Most people gladly give away their phone number to Radio Shack, Best Buy, etc. at the drop of a hat. I'll bet you ~50% of people would give their SSN to any brick and mortar retailer (but not those hackers on the internets) if asked to do so. Most of them don't know that they can refuse to give out any of their personal information (of course, the cost may be not being able to do business with that store), but probably would so they wouldn't be put-out by having to go to another store.

Convenience trumps all with security being a close second and privacy a distant third.

Why do they need the SSNs?

[lecithin]

This is a pet peeve and it is just getting worse.

Why does a school need our SSNs? Why does anybody outside the government?

Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

Re:Why do they need the SSNs?

[DarkTempes]

they use it as a personal identification number (which it isn't supposed to be used as but since everyone has a unique one it makes it easy for them to do it).

they don't NEED to but they CAN and so they do.

Re:Why do they need the SSNs?

[G-funk]

Because your SSN (like our TFN, or Tax File Number) is your nation ID number. Wether you like it or not, wether it's legal or not, it's still a fact. You guys have it worse than us, we seem to have the TFN for all "official" docs like government, financial institutions etc, and we have our license no for everything else, such as video cards etc. But we're still in databases all over the world, easily indexed by a small number of different "unique enough" keys.

Re:Why do they need the SSNs?

[flyingsquid]

Why does a school need our SSNs? Why does anybody outside the government? Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

Next time you apply for a license, just tell them you are John Kruptowski, 537 Cherrywood Circle, Minneapolis, Minnesota, 575-63-6216, currently applying to UC Berkeley's astrophysics program.

If you don't like that name, I got a zillion more.

Re:Why do they need the SSNs?

[ikkonoishi]

#12074974, I am shocked by your assertation that my actions are being tracked by an ID number of some kind. All places should put the effort to protect our identities that Slashdot does.

Sincerly
#12072440

Re:Why do they need the SSNs?

[forand]

Berkeley does NOT use your SSN for your student number. It does, however need your SSN to provide you with federal financial aid and work. Since virtually EVERY grad student falls into one of these catagories they need the SSN.

Re:Why do they need the SSNs?

[defy+god]

http://www.ssa.gov/history/hfaq.html

Q20: Are Social Security numbers reused after a person dies?

A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 415 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

Re:Why do they need the SSNs?

[antifoidulus]

AFAIK, foriegn students do receive SSN #s, but an SSN # doesn't entitle you to social security benefits. Everyone who is not on a short term visa is required to get one. I hosted a student intern from Argentina here at my school and had to help her get all this stuff.

It's easy to encrypt in Windows

[caluml]

Windows, love it or hate it, makes it very easy to secure your data on a laptop. Just right click, and buried somewhere in there (Advanced options or something) tick the Encrypted option.
Better still, just create a directory (C:\Encrypted), and encrypt the folder, and all subdirectories.
Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one harddrive, I would expect the person to be keeping a backup somewhere else.

Re:It's easy to encrypt in Windows

[Wingsy]

Just as easy if not easier in OSX. Created an encrypted disk image (AES 128 bit) where the files are to be kept and do not put the pw in the Keychain. I'd trust encryption on a Mac a zillion times more than on Windows.

Wow...

[InterruptDescriptorT]

Talk about your OpenBSD (Berkeley Social Data)...

Privacy

[Tom]

Let's hope the sheer amount of identify theft problems will spearhead a push for more privacy protection.
I don't just mean everyone gathering less personal information, I also mean making sure that what they do gather is adequately protected. You have a resonsibility to your clients, customers, whatever.

The real problem: unchangeable passwords

[pocari]

The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.

It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent. Civil disobedience for the information age.

I am too chicken to go first, though.

Biometrics

[failure-man]

With all this personal data getting stolen (and the tinfoil crowd will hate this) the only way to avoid a complete infoclypse may be to actually appear somewhere in person and have your identity biometrically certified when you apply for credit.

These leaks aren't gonna go away, so we'd better start finding ways to make them irrelevant. Sure, it'd be inconvenient and raise privacy concerns, but I'd rather have my prints on file than have my bank accounts cleaned out and credit ruined with little, if any recourse, solely due to someone else's blunder.

Re:Identity data stolen from a private university

[Muttley]

umm, sir, Berkeley is a State University... University of California. It in fact might be one of the best public universities in the country, alongside UT Austin, UW Seattle, Georgia Tech, and that probably wraps up my knowledge of US Public Universities.

Trivia - who is the highest paid state official in California...?
The coach of the UCLA Football team.

Can you say "Irony"

[tomhudson]

SISS, UC Berkeley - Social Security, Driver's Licenses, and California ID Cards

Social Security Number Safety

Although a SSN is only meant to be used for tax and government purposes, it is often used by financial institutions, businesses, and others as a unique identification number. Because the SSN is a unique ID, it is often the target of "identity theft". Therefore you should be very careful about where and to whom you give your SSN.

• Never carry your Social Security card or number with you. Keep it at home in a secure place.
• Only give your SSN to someone who has a specific and legitimate need for it.
• Be very careful with any forms, applications or other materials that may have your SSN on it.
• Never give your SSN to someone who phones you. You should initiate the call or meet in person.
• Never reply to email or web sites that request an SSN.

Gee, too bad they don't follow their own advice to "be careful". Guess they haven't quite gotten the hang of that "intarweb thingee" yet.

Why does the notifcation have to be public?

[vrimj]

Unless they have no idea what specific data was involved why not just send these people a letter?

As I read the law personal notifcation is not only allowed it is prefered. The complants about "now the theves know they have something valuable" seems like it is more a result of the choice to hold a press conferance and save the cost of a lot of stamps.

At Least It's Not Arrogance

[mirio]

Well, during my undergrad years at an unnamed university...oh what the hell...The University of West Georgia, I worked in the ITS department on campus which was responsible for all the applications in our internal system called Banner (a big freaking waste of money for an Oracle Forms application..but that's another discussion for another day).

Anyway, my role was to prepare reports for various people around campus. For example, if a student organization required a given GPA for membership, their faculty advisor could request a report of all students meeting the criteria.

The thing that most amazed me when I started working there was the complete lack of respect for people's social security numbers and birthdays. Any professor on campus could get pretty much any information he or she wanted.

Even more brazen than this activity was the infrastructure on campus. Every user ran their applications over a telnet session. Yes....telnet. I demonstrated to my boss how easy it was to run a packet sniffer and catch social security numbers as they went across the wire..but all my concerns fell on deaf ears. I also showed them how SSH could be used as a direct replacement for telnet but again...no one seemed care.

I then wrote a letter to the editor of the University's only newspaper describing the lack of respect for peoples' personal information, but the letter was never published. When I e-mailed the student editor and asked why my letter wasn't published, she said she was asked by the administration not to run it.

I graduated in 99 so I'm not sure if any changes have been made. I would love to know.

Why all on a latop?

[WebHostingGuy]

Why was all of this on a laptop?

Sensitive information should be placed in a central repository and then encrypted and guarded. The mere fact that someone can download this to a laptop shows that their mindset is that this information is just normal stuff like a word document. Before you can have true security organizations need to get this first.

Re:Too much

[tuxette]

I was about to ask the same thing.

What a lot of "security officers" seem to neglect is that an important part of security is to make what one would want to steal physically difficult, even impossible, to do so. This would perhaps work as a last resort against other stupidities such as forgetting to encrypt or letting non-authorized persons in a restricted zone.

Incidentally, a laptop doesn't even need to be stolen. Call any train station or airline and ask them how many laptops are forgotten each day. Each week. Each month.

Nobody raises an eyebrow when they see someone carrying a laptop on a university campus. Someone trying to haul a big machine would draw more attention.

idiots

[Mr.+Underbridge]

I am not sure Windows has anything to do with it as any OS supports crypto, the question is why did an application designed to hold social security numbers on a insecure PC not encrypt the data store?

Something tells me the whole thing was on Excel.

There is absolutely no reason to have anything like this on a laptop. If there is some reason one would need the information from a laptop, you can access it from a server using a client that won't make a local copy. Ridiculous.

California Universities

[That's+Unpossible!]

Is it just me, or is this like the third story of personal information being stolen from California universities recently? WTF is going on over there?

As an aside, my girlfriend lives in California, and someone opened a credit card in her name soon after she had sent in applications to several California universities applying for grad school.

That's ok.

[RandoX]

I don't use my own identity anymore anyway.

Colleges by and large don't respect privacy

[brontus3927]

When I was in college, to enter the dorms and other "sensitive" areas, you had to swipe your school ID. To purchase food on your meal plan, you had to swipe your ID. You could put money into a debit account to buy things on campus and select off campus stores (like the local gas station), and swipe your ID to use it. The ID sent unencrypted the student's SSN. Anyone with a POS card reader and access to a student ID could retrieve the SSN, and legal name (printed on the front of the ID).

If you lost your ID, it was a simple matter to go down to Student Accounts and get a new one for $10. But since the SSN is used as an ID, the old ID card couldn't be deactivated and the missing one could be used by whoever found it.

Thankfully, last year they switched from using SSN to a 12 digit ID number generated by the college. However, "lost" cards are still usable

Lawsuits?

[Quixote]

Seeing how lawsuit-friendly the US society is, why haven't more people sued these companies which "lose" private data?

If you just slip and fall on the grounds of a business, you can expect to make a couple 100 Gs for "mental suffering". Why not do the same here? People should get together and file class-action lawsuits left-and-right. Then watch the companies scramble to protect the data.

Don't get me wrong: I am dead against frivolous lawsuits. But the language of financial pain is the only language these businesses understand. "Morality" is a word that is not there in their lexicon.

Poor devils.

[bobbuck]

Wow. These poor guys will be branded as Berkeley alumni for life.

Los Alamos

[goombah99]

The problem is not just education. One has to create situations that engender proper handling of data. For example, if confidential data is only permitted on removable media and that media has to be a vault every night, signed in and signed out then its you have a situation where the person using the data and all of his or her collegues can tell by inspection if the person is not fulfilling their obligations. If its up to the person to always rememeber then eventually conveinence will override caution.

Los alamos national lab, contrary to the implied conclusions of all its bad press and false accusations, has in fact shown that the removable disk method is an excellent means of both tracking secret data and minimizing copies of it.

And even better approach is to make it even easier for people to maintain their data in secure forms without inhibiting their use of it. A good example of this is the macintosh laptop. Every macintosh laptop can transparently AES128 encrypt the users home directory and decrypt it upon log in. Of course you can set that up on a linux or Windows machine, but that's not the point. The point is it's already there on every mac ready to go by chekcing a box. It's not something that one has to spec. If you have to trasnfer the data to another machine you dont have to worry about setting this up. Co-workers know your machine has it. It departments can even enforce its use without penalizing the user. Ubiquity and ease of use is the key to getting encryption part of peoples work habits.

I work in aplace where wireless internet connections are not allowed in the building. Yet when I go on travel I use it. Like everyone else I have to remember to turn off the wireless in the laptop before jacking into the building ethernet. So do you think people remember to do that. Well a lot of the time yes but many times no. but with a mac laptop its trivial to configure it so the wireless and ethernet adapters cant be on at the same time. it's impossible to forget. By the way my company spends money to pay people to walk the halls with wireless sniffers and has to discipline workers that forget. All of that is lost productivity as well as the security exposure.

So in conclusion, any company that is concerned about data security that does not use macintoshes is wasting its money. Sure you can make a windows system secure but its the little daily things that keep it secure.

Whoever lost the laptop should be liable

[blueZ3]

This kind of thing just ticks me off no end. Some Berkeley bureaucrat leaves a laptop in their car, which will no doubt result in 1000s of stolen identities, lives ruined, tens-of-thousands of wasted hours? and they?re likely not even going to get a slap on the wrist. Personally, I?d make any individual who is responsible for this kind of thing financially liable for damages. I?d also try them for criminal negligence and possibly for aiding and abetting fraud. Then I?d let each person who has their identity stolen take one swing at them with an aluminum baseball bat. Currently, there?s just no accountability for this type of thing.