Slashdot Mirror


U of C Student Information Compromised

fhqwhgads writes "SFTP access to the University of Chicago's web server has been temporarily blocked as Networking Services and Information Technology (NSIT) responds to 'the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site.' The Chicago Maroon is reporting that this was done without escalation of privileges, and that some files were accessible from the internet."

20 of 143 comments

  1. seen it before, will probably see it again. by lecithin · · Score: 5, Interesting

    About 3 years ago I ended up finding a site that had a similar problem. It was on a University site and was devoted to students asking their instructor a question. The questions were something like this:

    HI MY NAME IS COLLAGE FRESHMAN. MY SOCIAL SECURITY NUMBER IS XXX-XX-XXXX. i WASNT IN CLASS TODAY AND WANTED TO KNOW IF THERE WAS ANY HOMEWORK DUE.

    Each entry (about 50) had students' names and social security numbers.

    I contacted the instructor via email and let him know about the problem. The email was acknowledged but 3 months later, the SSNs were still up.

    I then contacted one of the students. The page was 'secured' in 1 day.

    I do not see the need for Colleges to have our SSNs or track the students via that number. I don't think they care enough to be responsible.

    --
    It could be worse, it could be Monday.
    1. Re:seen it before, will probably see it again. by DrinkingIllini · · Score: 2, Informative

      The University of Illinois, and many other universities I suspect, issues everyone a Unique Identification Number which basically takes the place of the SSN for all university business. Makes a hell of a lot more sense if you ask me.

    2. Re:seen it before, will probably see it again. by richdun · · Score: 2, Funny

      Sad thing is, after four years of Collage, the student found that randomly assembling bits of paper and pictures and such to create works of art doesn't really pay that much.

      But seriously, my college just last year switched from plastering SSNs on IDs and such, IDs used for meals, building entry, even registration at student government meetings, to a university-only number. This doesn't surprise me one bit, and really it could have happened at a lot of colleges a long time ago.

    3. Re:seen it before, will probably see it again. by ednopantz · · Score: 2, Interesting

      The U of C uses 6 digit student ids for routine stuff. No doubt SSNs are somewhere, but the UCID number seems to be the most commonly used id, so it isn't a case of the University using SSNs willy nilly.

      But who cares if someone steals your SSN? Your library card # is what really matters to U of C students. I don't think they can survive long without access to the Reg.

    4. Re:seen it before, will probably see it again. by wallykeyster · · Score: 2, Interesting
      Okay. Let me try to spell it out for you.

      You: If someone gets to know your university id, not much they can do with it, at max they can get your real name, but the rest is optional (user-selectable) to disclose, like email address, etc.

      Me: That depends on which system they can access once they have your university ID. If you can use it to register for courses and such, then it must tie back to the main student information system (SIS), which stores all of your information (including SSNs, here in the States). But, at least the ID itself reveals little or nothing, unlike systems that use the SSN as the ID.

      My point was that just because your school uses a less obvious student ID does not mean that all of your data is safe. Your post made it sound like this ID gives you complete anonymity, with your name being the most sensitive information available to someone who learns your ID. I agreed that a seemingly random ID number is better because it has no obvious data in it (unlike an SSN). Yet, the reality is that employees trust student workers more than they should when the same student has worked with them for several years. I am the IT director at a university and I've known of too many offices where a student was entrusted (in violation of policy) with an employee's SIS username and password.

  2. Adding Insult to Injury by booyah · · Score: 2, Funny

    Now their webserver seems awfully slow and unresponsive...

    Sysadmins are reporting a MASSIVE distributed denial of service attack... then they head over to /. to see how the rest of the world is going.... aw shit!

    --
    #include sig.h
  3. SSNs as Student ID Numbers by EnronHaliburton2004 · · Score: 4, Interesting

    I bet a large chunk of this problem stems from the fact that many (or most) colleges use your SSN as your Student ID Number.

    About 8 years ago, City College of San Francisco sent out a bunch of postcards to the students (There are tens of thousands of part-time students there). The postcard (No envelope) contained some information on how to register, and a reminder of the student's Student ID Number -- which was a SSN. On a fricken postcard.

  4. Re:Add it to the list by Saven+Marek · · Score: 3, Insightful

    > Seriously, doesn't anyone take privacy seriously

    The sites don't take it seriously because the students don't take it seriously.

    If privacy info was treated like money or like cars or like anything else people attach "worth" to, then the blocks would have been patched 10 years ago and never allowed to leak!

    But people don't care about privacy breaks. You could have a telemarketer phone 100,000 people and say "hi is your name xxxxx and social security number yyyyyyy? if so then we have a deal for you!!!" but nobody would care.

    But if you had a telemarketer phone and say "hi I have your car here with me would you like a deal" well I bet law enforcement would close them down in days.

    But it's not going to happen because people in general don't care when their private details get out. Like if people get emailed by a company to their own name and address, they accept it. They get viruses, they accept it. They get telemarketer custom phone calls and they accept it.

    too used to it happening to care now are people.

  5. Alumni reaction by JJ · · Score: 4, Interesting

    As an alumnus of the U of C, I have to say I'm not surprised. DCS was never permitted near the IS office and the enmity between the two just caused IS to be the most frequent target of pranks by DCS students.

    --
    So long and thanks for all the fish . . . !!!
    1. Re:Alumni reaction by aliebrah · · Score: 2, Insightful

      I'm an alumnus of UChicago as well; I've posted a blog entry about how I think this event has been handled.

  6. Re:Add it to the list by a_greer2005 · · Score: 5, Interesting
    It is hard to take security seriously when NO ONE around you does. Here at school I have to give my SSN for everything, and every document I receive from the school has my SSN on it. I have repeatedly complained but no one gives a rat's ass; I point out situations like this and it falls on deaf ears.

    The problem is the "It can't happen to me, not in this little town, that only happens in the big city" mindset of old applied to technology. It seems like no one will learn until it is too late for them.

    The worst part is there is not a god damned thing I can do about it. Everyone, like trained drones, gives it out freely, without thought of the consequences, and when the policy is questioned, they look at me like my tin foil hat is too tight or something...

  7. Hey, you know what... by Goronmon · · Score: 2, Funny

    At least they don't use your SSN as your ID number and print it on everyone's ID card like my school does =|

  8. Google Search!! by TubeSteak · · Score: 3, Informative
    Uni & Colleges are notorious for their insecure networks.
    They practically bleed information.

    http://www.google.com/search?q=site:edu

    You can dig up SSNs, passwords, and various other juicy tidbits.

    College mailing lists are also a nice treasure trove. They tend to be publicly archived, but the people mailing stuff out don't seem to be aware of the fact.

    They're also a good read just for the intra-office drama.

    --
    [Fuck Beta]
    o0t!
  9. Focus is on the wrong problem. by Distan · · Score: 4, Insightful

    It seems like most of the focus is on how universities and companies aren't doing enough to secure this data, and that somehow if they try hard enough identity theft will go away.

    That is completely the wrong problem to solve.

    The true problem is that we have developed a system where knowing somebody's identifying information (name, address, SSN, DOB, etc) gives you power. Instead of approaching the impossible task of keeping this information secure, we should instead approach the solvable task of dismantling the system that gives this information so much power.

    Imagine that the "master tape" of SSNs for every citizen in the United States had been publicly leaked, and that it was being openly shared on P2P networks. How would we put the cat back in the bag? If you can solve that question, then you are on the right path.

    One idea: pass a law prohibiting anyone, governmental or non-governmental, from using the SSN for any purpose other than administrating social security taxes. Take the power away from that number. Since nobody would ask for it, or care what it was, for anything except your social security taxes, no harm could come from sharing it.

  10. Same thing for Purdue University by geders · · Score: 2, Informative

    http://www.itap.purdue.edu/newsroom/news.cfm?newsID=436

    Only affected about 11,360 current and former employees...joy. They have switched over to a new numbering system, but only a few of the computer systems can handle the new numbers. They tell us to not use the new numbers just yet. Hehe...looks like by the _end_ of 2006 they'll have switched over...

  11. Re:Add it to the list by yali · · Score: 2, Interesting

    If you call the cops and say "somebody has stolen my social security number," do you really think you'll get the same reaction as if you say somebody has stolen your car?

    In a weird way, this problem seems like a bass-ackwards parallel to copyright infringement. In both cases, it is unlike a traditional theft because information is copied with no loss to the original holder. So the infringers do not value the information as much as the infringed-upon. (But in this case, the little guy is the one getting infringed upon, and the big institutions are the infringers.)

    In other words, universities and corporations do not intrinsically "lose" anything when somebody breaches their system and "steals" people's SSNs. They only lose if they get caught and if there is some sort of penalty (like a really expensive lawsuit). Until the legal system starts whacking them in a way that hurts, this problem is going to keep coming up.

  12. Just a quick FYI by skwang · · Score: 2, Informative
    As a UC student I just want to let slashdotters know that the university does not use our SSN as our student ID.

    That doesn't excuse the networking staff from allowing this breach to occur, but I thought I would set the record straight.

  13. if you are expecting... by smartsaga · · Score: 2, Interesting

    your info to be secure in this country... you are nuts. PERIOD

    Why?

    The U.S. could not avoid the hijacking of airplanes in front of everybody and you want your personal info to be safe? HA!!

    Seriously, this country, the people, have no real respect for one's job. Why? Well, it was even on the Simpsons show. Homer even said "do it the American way, do it half ass!" or something like that.

    It is that simple, many Americans do it HALF ASS. And people wonder why other countries hate the US. The U.S. has all the freaking resources needed to protect people's privacy... and it does protect it, HALF ASS. Is HALF ASS enough? Obviously not. Your SSN are belong to us... get it?

    P.S. I don't even need to RTFA... I just know it is always the same crap. Have a good one.

    --
    ===== "Every head is a different world so don't invade mine you FREAK!" smartSAGA said
  14. It happened at Purdue University just last week! by Anonymous Coward · · Score: 2, Informative

    They dubbed it affectionately the "data incident." From a few computers, hackers were able to glean 11,000 (eleven thousand!) staff records, including names, social security numbers, pants sizes, and favorite flavors of ice cream. (OK, so maybe I'm making the last two up.)

    Yes, I'm one of the disgruntled staff who must watch his credit for the rest of my life, and I'm pissed off.

  15. Technical solution by 44BSD · · Score: 2, Funny
    ~badass$ cat > /etc/motd && chmod 444 /etc/motd

    Hello, fellow Maroonian.

    This server is connected to the big bad internet.

    University policy prohibits the storage of sensitive data upon it.

    Employees who violate policy will be fired. Students who violate policy will be expelled.

    Have a Nice Day.
    ^D