Slashdot Mirror

← Back to Stories (view on slashdot.org)

U of C Student Information Compromised

Posted by Zonk on from the watch-your-permissions-kids dept.

fhqwhgads writes "SFTP access to the University of Chicago's web server has been temporarily blocked as Networking Services and Information Technology (NSIT) responds to 'the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site.' The Chicago Maroon is reporting that this was done without escalation of privileges, and that some files were accessible from the internet."

10 of 143 comments (clear)

  1. seen it before, will probably see it again. by lecithin · · Score: 5, Interesting

    About 3 years ago I ended up finding a site that had a similar problem. It was on a University site and was devoted to students asking their instructor a question. The questions were something like this:

    HI MY NAME IS COLLAGE FRESHMAN. MY SOCIAL SECURITY NUMBER IS XXX-XX-XXXX. i WASNT IN CLASS TODAY AND WANTED TO KNOW IF THERE WAS ANY HOMEWORK DUE.

    Each entry (about 50) had students names and social security numbers.

    I contacted the instructor via email and let him know about the problem. The email was acknowledged but 3 months later, the SSNs were still up.

    I then contacted one of the students. The page was 'secured' in 1 day.

    I do not see the need for Colleges to have our SSNs or track the students via that number. I don't think they care enough to be responsible.

    --
    It could be worse, it could be Monday.
    1. Re:seen it before, will probably see it again. by ednopantz · · Score: 2, Interesting

      The U of C uses 6 digit student ids for routine stuff. No doubt SSNs are somewhere, but the UCID number seems to be the most commonly used id, so it isn't a case of the Univeristy using SSNs willy nilly.

      But who cares if someone steals your SSN? Your library card # is what really matters to U of C students. I don't think they can survive long without access to the Reg.

    2. Re:seen it before, will probably see it again. by wallykeyster · · Score: 2, Interesting
      Okay. Let me try to spell it out for you.

      You: If someone gets to know your university id, not much they can do with it, at max they can get your real name, but the rest is optional (user-selectable) to disclose, like email address, etc.

      Me: That depends on which system they can access once they have your university ID. If you can use it to register for courses and such, then it must tie back to the main student information system (SIS), which stores all of your informaion (including SSNs, here in the States). But, at least the ID itself reveals little or nothing, unlike systems that use the SSN as the ID.

      My point was that just because your school uses a less obvious student ID does not mean that all of your data is safe. Your post made it sound like this ID gives you complete anonymity, with your name being the most sensitive information available to someone who learns your ID. I agreed that a seemingly random ID number is better because it has no obvious data in it (unlike an SSN). Yet, the reality is that employees trust student workers more than they should when the same student has worked with them for several years. I am the IT director at a university and I've known of too many offices where a student was entrusted (in violation of policy) with an employee's SIS username and password.

  2. For once, by imcclell · · Score: 0, Interesting

    an internet problem that can't be blamed on IE

  3. SSNs as Student ID Numbers by EnronHaliburton2004 · · Score: 4, Interesting

    I bet a large chunk of this problem stems from the fact that many (or most) colleges use your SSN as your Student ID Number.

    About 8 years ago, a City College of San Francisco sent out a bunch of postcards to the students (There are tens of thousands of part-time students there). The postcard (No envelope) contained some information on how to register, and a reminder of the students Student ID Number-- which was a SSN. On a fricken postcard.

    --
    94% of Repubs and 21% of Dems voted to renew the Patriot Act
  4. Alumni reaction by JJ · · Score: 4, Interesting

    As an alumni of the U of C, I have to say I'm not surprised. DCS was never permitted near the IS office and the enmity between the two just caused IS to be the most frequent target of pranks by DCS students.

    --
    So long and thanks for all the fish . . . !!!
  5. Re:Add it to the list by a_greer2005 · · Score: 5, Interesting
    It is hard to take security seriously when NO ONE around you does. Here at schiil i have to give my SSN for everything, and every document I recive from the school has my ssn on it, I have repeatedly complained but no one gives a rats ass, i point out situations like this and it falls on deaf ears.

    the problem is the "It cant happen to me, not in this little town, that only happens in the big city" mindset of old applied to technology. it seems like no one will learn untill it is too late for them.

    the worst part is there is not a god damned thing I can do about it, everyone, like trained trones gives it out freely, without thought of the consequences, and when the policy is questioned, they look at me like my tin foil hat is too tight or something...

  6. Ignorance is Strength by Doc+Ruby · · Score: 1, Interesting

    These SSN "leaks" will all be fixed by Bush. He'll replace the SSNs with an actual universal ID#, used throughout the American Hegemony, and destroy Social Security itself. Everyone knows socialism is dead, so Social Security is no security at all, right? Instead, we'll have Capital Security, in an "ownership society", where anyone's identity can be bought for a price, and security is just another profitable industry.

    --

    --
    make install -not war

  7. Re:Add it to the list by yali · · Score: 2, Interesting

    If you call the cops and say "somebody has stolen my social security number," do you really think you'll get the same reaction as if you say somebody has stolen your car?

    In a weird way, this problem seems like a bass-ackwards parallel to copyright infringement. In both cases, it is unlike a traditional theft because information is copied with no loss to the original holder. So the infringers do not value the information as much as the infringed-upon. (But in this case, the little guy is the one getting infringed upon, and the big institutions are the infringers.)

    In other words, universities and corporations do not intrinsically "lose" anything when somebody breaches their system and "steals" people's SSNs. They only lose if they get caught and if there is some sort of penalty (like a really expensive lawsuit). Until the legal system starts whacking them in a way that hurts, this problem is going to keep coming up.

  8. if you are expecting... by smartsaga · · Score: 2, Interesting

    your info to be secure in this country... you are nuts. PERIOD

    Why?

    The U.S. could not avoid the hijacking of airplanes in front of everybody and you want your personal info to be safe? HA!!

    Seriously, this country, the people, have no real respect for one's job. Why? Well, it was even on the Simpsons show. Homer even said "do it the American way, do it half ass!" or something like that.

    It is that simple, many americans do it HALF ASS. And people wonder why other countries hate the US. The U.S. has a all the freaking resources needed to protect people's privacy... and it does protect it, HALF ASS. Is HALF ASS enought? obviously not. Your SSN are belong to us... get it?

    P.S. I don't even need to RTFA... I just know it is always the same crap. Have a good one.

    --
    ===== "Every head is a different world so don't invade mine you FREAK!" smartSAGA said