Slashdot Mirror


Another School Exposes Private Information

DutchSter writes "In the wake of other schools announcing the theft of hardware containing sensitive student information, Miami University, of Oxford, Ohio, has announced that a file containing the name, Social Security number, the grade point average for the Fall 2002 semester, cumulative grade point average, and other related academic information, such as credit hours attempted that semester, for all 21,000 students who attended the Fall 2002 term has been available on a web server for the last three years. The discovery was made this week and the university is taking steps to deal with the fall-out sure to come."

298 comments

  1. Who are they hiring? by FatalChaos · · Score: 3, Insightful

    Who are these ppl hiring as web admins??? Why are these files even on servers connected to the net?? and hopefully first post

    1. Re:Who are they hiring? by corporatewhore · · Score: 5, Funny

      ...and where do I send my resume ?

      --

      you think it's easy, but you're wrong...

    2. Re:Who are they hiring? by eosp · · Score: 0

      I agree completely, but we should go further. I think there should be more human intervention. For a Lexis-Nexis type database, have the database stored offline (this prevents viruses too) and simply have humans retrieve the needed data. Sure, it's slower, but it's more secure and fewer threats of viruses.

    3. Re:Who are they hiring? by 1000101 · · Score: 2, Insightful

      The University that I attended has all of this information online. It was accessed on the same site we used to register for classes. I can log in right now and view my overall transcript, GPA, etc. I don't think that just because it is sensitive data that it shouldn't be connected to the internet. I use online banking, investment management, etc. The issue here is the University's security, not whether or not that information should or shouldn't be online.

    4. Re:Who are they hiring? by Adam9 · · Score: 4, Informative

      The space where the data was hosted was in a public space. The problem was that the ex-chair put the private files in public space. Since then, the IT dept. responsible for the business dept. (not our central IT Services) has since made all of those files unavailable to unauthenticated users.

    5. Re:Who are they hiring? by FatalChaos · · Score: 3, Insightful

      GPA, transcript, i can see. But social security number? I mean how many times are u gonna need to know ur social security number and pull out a laptop and look it up online?

    6. Re:Who are they hiring? by kdawgud · · Score: 5, Informative

      I got some inside information on the real story...

      Apparently there's this list of all the students' academic info that's sent out to all the Deans each semester. One of the Deans gave it to another professor for whatever reason and that professor accidentally puts it on a public drive and forgets about it for 3 years.

      Nice. Real nice.

    7. Re:Who are they hiring? by Anonymous Coward · · Score: 0

      If you click the link and go to muohio.edu and click the information link you will see the following line.

      "Our campus in Oxford, Ohio, is one of the most beautiful in America."

      Next question!

    8. Re:Who are they hiring? by globalar · · Score: 5, Insightful

      A lot of times it is not administrators who are directly doing this (i.e. it's much bigger than one person or they have no real way of knowing). Information security is far more than simply one person's job. Everyone who has access to information - even the poor grad student who does backups on Sunday nights - should be responsible in some way for security.

      It takes a lot of work to make strong, accountable policies and carefully define simple, but narrow ways of accessing information (i.e. not just dumping the student records excel file in the share folder). For example, everyone on campus has network access which is most often directly linked to online access. If one person screws up and misuses their data access privileges by opening up information over the network, it is very hard to tell unless you have accountability in place. And how many places do security reviews?

      When it becomes part of people's jobs to protect information, it will become a responsibility. Right now, blaming one or two people is rarely a good solution. It's like someone who blames an outsourced medical transcripts worker in Pakistan for leaking information. Sure, it is their fault but the problem is much larger than one low-paid worker. Executive or peon, security is a group responsibility in information-rich, networked environments.

    9. Re:Who are they hiring? by drgonzo59 · · Score: 2, Interesting

      Good point. They should separate the sensitive information into a private network where the mainframes with the grades, student information and all the billing is kept and tightly control access to it.

      But the problem here is human error. If the ex-chair or whoever that was, took the file and put it into his public folder, no security, no firewall, no isolated mainframes are going to help.

    10. Re:Who are they hiring? by kanwisch · · Score: 1

      Being in the higher ed realm myself, I can categorically state that pay sucks in nearly all institutions. You get what you pay for in tax dollars (IMLO), so every time you bitch about wasteful gov't, some technical guru leaves b/c there are no raises for the next biennium. What does that say about me......?

      And this kind of information is frequently on the 'Net (though normally protected). That's called service. You like to see your accounts online right? So do students amazingly.

    11. Re:Who are they hiring? by bladesjester · · Score: 2, Interesting

      I don't think I'd want to work at J Crew U (it's a well deserved nickname because the university is largely peopled by wannabe preps who think that J Crew is the height of fashion).

      If the attitude of the students is any reflection on the attitude of the staff, I'd want to beat people there...

      --
      Everything I need to know I learned by killing smart people and eating their brains.

    12. Re:Who are they hiring? by Anonymous Coward · · Score: 0

      Excellent. With your attitude, I don't think anybody wants to work with you.

    13. Re:Who are they hiring? by StarvingSE · · Score: 1

      Where I went to school, they had us use our SSN as our student ID. All professors wanted our ID's on exams, homework assignments, basically anything official. Our soc numbers were everywhere.

      It was only after massive student uproar that the administration allowed us to apply for a separate ID number, and it was only voluntary. New students still had their ID numbers default to their SSN.

      I just want to know when everyone thought it was such a great idea to use the SSN as the ultimate piece of identification. It was created to track people for tax purposes and for social security benefits. It makes me sick that the only thing people really need is a damn number to wreak all kinds of havoc on someone's personal life.

      --
      I got nothin'

    14. Re:Who are they hiring? by MightyMartian · · Score: 1

      Clearly the issue here is incompetently designed and managed systems, not with the idea of private information available via a publicly accessible site. This is no different than online banking or trading. The problem here is not one of concept, but one of severe design issues.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.

    15. Re:Who are they hiring? by cos(0) · · Score: 2, Informative

      My university uses social security numbers as student IDs. So to view my GPA and such, I would log in with my social security number. This goes as far as writing the last 4, 6, or all digits of the SSN on exams.

      You can request a random ID to be issued to you, but by the time incoming students realize that their SSN is their campuswide ID, it's pretty much too late.

    16. Re:Who are they hiring? by Anonymous Coward · · Score: 0

      The problem was that the ex-chair put the private files in public space.

      Dvorak suggested people do that in one of his columns.

    17. Re:Who are they hiring? by awkScooby · · Score: 4, Interesting

      The problem is not web admins. The problem is with clueless end users who are careless with sensitive data. As an admin, you're faced with hundreds of gigs to terabytes of stuff on your servers. It is impossible to police it. How would you begin to go about searching for social security numbers? Think of all the ways it could be encoded, and all of the false positives you would find in conducting such a search.

      I could be wrong here. If someone knows a way to scan an entire enterprise, when you don't have admin access to a number of the systems, and you don't have a list of all of the programs which are in use (so you don't know all the proprietary data formats), I would love to hear about your solution. Oh, you probably also need to be able to search documents and databases for encrypted versions, even though you don't have the keys... Management at the university I work for asked how we could scan the enterprise to find all sensitive data after we had a similar incident.

      The person who posted the data on the website is clearly the one who is responsible for that data. That would be the retired faculty member. An admin is responsible for keeping the web server running. Was the information available on the Internet? If so, the admin was doing their job well.

      There are some fundamental questions universities need to be asking themselves:

      • Why do faculty members have access to Social Security numbers?
      • What are you doing with Social Security numbers to begin with? Sure, you need them for employees, but why for students?
      • Why do faculty members have access to other sensitive pieces of data? If they don't need it, they shouldn't have access (principle of least privilege)

      Why doesn't the government step in in these situations? Clearly this is a FERPA violation on a huge scale. The individual who put the information on the website ultimately should be held accountable. If nothing else, action should be taken against the university. If the university gets more than a slap on the wrist, you can bet that the next person to do something dumb like this will be held accountable by the university.

      I probably shouldn't ask for that, as they'll probably decide it's the sys admin's fault...
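
The scanning question raised in the comment above (how to search a file tree for Social Security numbers without drowning in false positives) can be narrowed for the plain-text case. The following is an added example, not code from the thread or from any university: it covers only unencrypted text files, and the keyword list, the confidence tiers, the file names and the sample rows are all constructed assumptions.

```python
import os
import re
import tempfile

# Nine digits, optionally split 3-2-4 by one consistent separator, and not part
# of a longer run of digits or dashes (phone numbers, ZIP+4, long order ids).
CANDIDATE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
# Words that suggest the number really is an SSN (assumed list, extend locally).
CONTEXT = re.compile(r"\bssn\b|ss#|social\s+security|\bsoc\.?\s*sec", re.I)
# Numbers that were printed in advertisements and are never valid for a person.
PUBLISHED_DUMMIES = {"078051120", "219099999"}
MAX_BYTES = 5 * 1024 * 1024  # skip very large files in this simple scanner

# Constructed sample data: a roster shaped like the file in the story, and noise.
SAMPLE_ROSTER = (
    "name,ssn,term_gpa,cum_gpa,hours\n"
    "Doe Jane,512-34-0001,3.20,3.41,15\n"
    "Roe Rick,512340002,2.85,3.02,12\n"
    "Poe Pat,000-12-3456,3.90,3.88,16\n"
)
SAMPLE_NOISE = (
    "Call the help desk at 513-555-0100 ext 4\n"
    "Order 912345678 shipped to 45056-1234\n"
    "Invoice 412345678 paid\n"
    "Part no. 412-34-5678 on backorder\n"
)


def structurally_valid(area, group, serial):
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return area + group + serial not in PUBLISHED_DUMMIES


def scan_text(text):
    """Return findings for one text; values are masked so reports are safe to share."""
    lines = text.splitlines()
    header = next((l for l in lines if l.strip()), "")
    header_ctx = bool(CONTEXT.search(header))  # e.g. a CSV column named "ssn"
    findings = []
    for lineno, line in enumerate(lines, 1):
        ctx = header_ctx or bool(CONTEXT.search(line))
        for m in CANDIDATE.finditer(line):
            area, sep, group, serial = m.groups()
            if not structurally_valid(area, group, serial):
                continue
            if sep and ctx:
                confidence = "high"      # formatted like an SSN and labelled as one
            elif sep or ctx:
                confidence = "medium"    # only one of the two signals present
            else:
                continue                 # bare nine digits, no label: too noisy
            findings.append({"line": lineno, "confidence": confidence,
                             "masked": "***-**-" + serial})
    return findings


def scan_tree(root):
    """Walk a directory (e.g. a web root) and return (path, high, medium) per file."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue                 # unreadable file: skip it
            if b"\0" in raw[:1024]:
                continue                 # looks binary; out of scope here
            hits = scan_text(raw.decode("utf-8", errors="replace"))
            if hits:
                high = sum(h["confidence"] == "high" for h in hits)
                report.append((os.path.relpath(path, root), high, len(hits) - high))
    return sorted(report, key=lambda r: (-r[1], -r[2], r[0]))


def demo():
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("roster.csv", SAMPLE_ROSTER), ("notes.txt", SAMPLE_NOISE)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, high, medium in demo():
        print(f"{path}: {high} high, {medium} medium")
```

Files with many high-confidence hits are the ones to review first; spreadsheets, databases and encrypted archives need format-specific handling that this sketch does not attempt.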

    18. Re:Who are they hiring? by Anonymous Coward · · Score: 0

      you should have seen what information my colocation center had on their server, it was a readable mrtg script with the root password to their sql server, which contains all their router passwords and client history, i still have a backup even though they discovered it several months ago, but it was online for a few years.

    19. Re:Who are they hiring? by DutchSter · · Score: 2, Interesting

      * Why do faculty members have access to Social Security numbers?
      * What are you doing with Social Security numbers to begin with? Sure, you need them for employees, but why for students?
      * Why do faculty members have access to other sensitive pieces of data? If they don't need it, they shouldn't have access (principle of least privilege)

      Trying to keep my submission short, I didn't include my commentary on these items, but as an alum from 2003, I can explain a little bit of this...

      At the time, the school was using SSNs. Although students had "Banner IDs" since about a year before, all the internal systems were still keyed on SSNs, the Banner ID was a simple lookup table. Right after I graduated in May of 2003, they did a full conversion and everyone had to get new IDs, which previously, had been encoded with SSNs. After the conversion, it was the other way around, where the Banner ID was the key for everything, and there was a lookup table to go the other way. That lookup table, by the way, was only available to a small number of offices that actually needed it, such as the Student Aid office. Even the Registrar couldn't look you up by social anymore.

      None of this answers to me, however, why a faculty member of the Business School needed or was given access to the entire University. At work, I can pull up the performance reports and salary information for the team I supervise, and, with department head approval, anyone in the department. I cannot, however, pull up anything related to what someone in Marketing does. I only took two classes in the Business school, and both were in 2000. As such, the Business School had no need or right to know anything about me in 2002 other than the fact that I was an active student.

      It's a good thing I hadn't sent in my "Deans Fund for Excellence" donation yet. I know what I'll be returning in that postage paid envelope now.

    20. Re:Who are they hiring? by lowrydr310 · · Score: 1

      I posted this to slashdot before, but I'll post it again. Anyone who was at Carnegie Mellon around 1999/2000 should remember an incident related to this. Some genius professor sent an email to all students in his class containing a list of their student IDs and corresponding grades for a recent exam. Those student ID numbers were the same numbers used for purchasing meals on the student meal plan, so some genius decided to call and order pizza from the local pizza joint (baked plastic on cardboard, otherwise known as Pizza Outlet), billing it to someone's student account using a random student ID number from the professor's list that was mailed out. He did this for a month or two until he was eventually caught by an employee at the pizza joint who actually asked to see his student ID that contained the number he used to order.

      The problem here wasn't the use of a SSN for student IDs - any number could have been used. The problem is the professor shouldn't have emailed a list containing everyone's student ID number and grade and the pizza shop should have checked the ID of the person when they delivered the food.

      By the way, I believe the professor was from the school of Humanities and Social Sciences (H&SS, otherwise known to Engineers and CS types as H and Less Stress).

    21. Re:Who are they hiring? by Alex+P+Keaton+in+da · · Score: 1

      Wow- J Crew U. To be honest, you sound jealous. I went to Ohio University (in Athens) for two years before transferring to Case Western (in Cleveland) Ohio has very good public universities. Anyhow, I spent a lot of time at Miami visiting high school friends that went there. It is a good school. It also was voted by Playboy a few years in a row as having the best looking coeds in the country.
      Sure there are people that hate a school like that. But it is very good academically.
      I wonder if the situation is different, legally, regarding the lost info because Miami is a Public school as opposed to private. And one more thing- Miami is named after the Miami River valley in Ohio. The original settlers of Florida were from Ohio, and gave Florida cities a lot of Ohio names, such as Miami. A useless, but interesting factoid. (Dayton Ohio, Daytona Fla etc.)
      And yes, a lot of guys hate Miami of Ohio because the chicks are hot, and none of us enjoy rejection from hot chicks. Some people get bitter about that. Others just go to the bars at 2am when we look good to the hot chicks. Because yes, beer goggles come in women's sizes.

      --
      And All I Ask is a Tall Ship And a Star to Steer Her By

    22. Re:Who are they hiring? by Anonymous Coward · · Score: 0

      No, that was H and Best Dressed.

    23. Re:Who are they hiring? by StarvingSE · · Score: 1

      My professors did the same thing, but at least they only posted the last 4 digits of our numbers.

      --
      I got nothin'

    24. Re:Who are they hiring? by ejort79 · · Score: 1

      yeah Muck Fiami

      --
      The Internet couldn't tell a good bit from a bad bit if it bit it on its naughty bits.

    25. Re:Who are they hiring? by minton · · Score: 1

      Assuming that this information was stored in an area specific to that professor (and I know that it is a big assumption), I would also ask why the files and directories of a retired professor are still around. Were his IDs removed after he retired, as well?

    26. Re:Who are they hiring? by bladesjester · · Score: 1

      No, I just dislike people who try to act better than everyone else and try to make themselves feel better by dragging other people down. Miami is filled, by and large, with a bunch of spoiled little rich kids who think that they are $deity's gift to the world.

      It's a school that wants very badly to be an ivy league school but all it can manage is the fake attitude.

      As far as rejection goes, it's not something that I am used to. Quite the opposite, actually. Let's just say that I rarely had to buy myself drinks.

      --
      Everything I need to know I learned by killing smart people and eating their brains.

    27. Re:Who are they hiring? by Anonymous Coward · · Score: 0

      One: OU and Miami are rivals. Does that have something to do with your dislike of Miami?
      Two: Rich kids at Miami? So. You have proved your jealousy my friend. Everyone hates rich people. Until of course, they become wealthy themselves.

    28. Re:Who are they hiring? by Prophet+of+Nixon · · Score: 1

      Er, isn't that everywhere already anyway? Virginia Tech (not the sharpest place, granted, but generally alright) used social security numbers as student IDs for many years. And your student ID was printed everywhere, even on dining receipts. Nobody ever seemed to put the two together until about two years ago. I remember identifying my roommates before the school year started by matching their social security numbers, since the 'student ids' were frequently the only matching column in various published university record sets.

    29. Re:Who are they hiring? by TheoMurpse · · Score: 1

      I just keep coming back to one question -- why don't they just store hashes of the SSNs on all networked computers? Have the computers with the SSNs stored (for use with FAFSA and other financial aid purposes) on computers which require physical access, and place them in the financial aid office. They're the only ones who need access to SSNs anyway.

    30. Re:Who are they hiring? by Shopko · · Score: 1

      I didn't think it was legal to use SSN as IDs anymore... My university also used our SSN as an ID but I seem to recall them changing that policy as I was leaving because of a new federal law. IANAL so I could be way off here. :)

    31. Re:Who are they hiring? by bladesjester · · Score: 1

      One: I had that opinion of them before I went to OU. I dislike people who think that they are better than everyone else. I'd prefer that people shelve the attitude and act like decent people instead of playing the "I'm better than you" game.

      Two: "spoiled" was the key word. I'm not jealous of the money. In fact, I have several friends whose parents are *extremely* well off, and we are very good friends because they didn't let the money go to their heads. They were content to be decent people and not make a show out of what they had. Again, it comes down to the "I'm better than you" attitude.

      --
      Everything I need to know I learned by killing smart people and eating their brains.

    32. Re:Who are they hiring? by Anonymous Coward · · Score: 0

      I am a student there. We have a system of identification called Banner ID's. This is basically a number that is assigned to you when you first begin at the university. It is used for pretty much everything. However, SSN's are still used in the databases - that is what I find troubling. For example, when applying for a parking pass they can look you up by name, Banner ID, or SSN. I don't see why SSN can't be eliminated from that list. Make memorizing the banner ID mandatory for freshman, and there would never be a problem. If SSN's are needed for financial aid, etc, keep them in ONE secure place.

  2. It's Everywhere by Anonymous Coward · · Score: 5, Funny

    Miami University, of Oxford, Ohio

    Miami, Ohio, England, where the hell is this University?

    1. Re:It's Everywhere by Dachannien · · Score: 4, Informative
    2. Re:It's Everywhere by Anonymous Coward · · Score: 0

      Quote from a shirt sold on campus -
      "Miami was a university when Florida still belonged to Spain"
      Still, with as utterly worthless as the administrators and IT department are around here, it's no surprise.

    3. Re:It's Everywhere by Anonymous Coward · · Score: 1, Funny

      where the hell is this University?

      And more important, is one of the students called Carmen San Diego?

    4. Re:It's Everywhere by JohnPerkins · · Score: 1

      It's just down the road from the Los Angeles Angels of Anaheim.

    5. Re:It's Everywhere by Anonymous Coward · · Score: 0

      It's about 12 miles northwest of me, and a great little town to ride a motorcycle through, especially the first weeks the school's back in session after summer. Lots of hotties.

  3. How much you wanna bet... by NickCatal · · Score: 3, Interesting

    they figured this out after it showed up on Google? What ever happened to auditing what you have on the web.

    --
    -nick

  4. Perhaps when you have lost everything to fraud by Anonymous Coward · · Score: 0


    companies/schools/etc will realise how important private data is, perhaps making people collecting such information legally responsible for protecting it, jail+fines (settlements are not allowed) might make them think twice before treating such private information lightly

  5. Private information by Zouden · · Score: 5, Insightful

    I know this is a major breach of privacy/security, but I'm curious about what kinds of malicious things one could do with this information.
    It seems to me that the only useful thing is the names/SSN combination.
    Unless you could blackmail some poorly-achieving students by threatening to tell their parents their real marks?

    --
    "A week in the lab saves an hour in the library"

    1. Re:Private information by Adam9 · · Score: 1

      The data was from Fall of 2002. I expect a lot of them have graduated since then.

    2. Re:Private information by Afecks · · Score: 1

      The data was from Fall of 2002. I expect a lot of them have graduated since then.

      Sure now they might have, but it was available from 2002-2005.

    3. Re:Private information by emac · · Score: 1

      Not if they were really poorly achieving!

      --
      Best new white rapper since Pimp Daddy Welfare... Pimp-T!

    4. Re:Private information by Anonymous Coward · · Score: 0

      1) Find straight A student
      2) Take out $20,000 loan in their name.
      3) ? ? ?
      4) PROFIT!

    5. Re:Private information by mattwarden · · Score: 1

      Why must something malicious be possible for release of private information to be bad? I don't want my grades released to anyone without my consent (and minus crap like this, they can't be), and my GPA is very respectable.

      I go to MU, and Fall 2002 was my first semester, so I guess if you're interested, take a shot with Google.

    6. Re:Private information by Seumas · · Score: 1

      All that matters is whoever was responsible for this be imprisoned for 11 months in Juvenile Detention.

  6. Trust us, we know what we're doing by weighn · · Score: 1

    ...a concept so simple even Congress gets it. Too bad tech doesn't.
    Data breach law

    --
    Mongrel News all the news that fits and froths

  7. Miami University, of Oxford, Ohio by wahgnube · · Score: 4, Funny

    Miami University... must be in Florida.

    Oh, it's in Oxford... must be in England.

    Bzzzzzt. BUT NO! It's in Ohio!

    It must have taken a long time to come up with that combination of naming and placement.

    1. Re:Miami University, of Oxford, Ohio by Adam9 · · Score: 5, Informative
    2. Re:Miami University, of Oxford, Ohio by sib888 · · Score: 1

      So you guys blew an 80 year head start?

      --
      I'm sib888, and I approved this comment.

    3. Re:Miami University, of Oxford, Ohio by mattwarden · · Score: 2, Informative

      Um, what? Just because you've never heard of us, doesn't mean we're not more respected than the other Miamis (and most schools in general). I don't have the numbers (although I'm sure someone else will quote them), but we're in the 60's as far as rank in the US, and the low twenties as far as rank among only public schools (i.e., schools in our general price range).

      (Not that I care, because I don't necessarily agree with those rankings.)

      Plus, we just last year had a large strike of Miami Staff, which our student body largely ignored as they rode by in their BMWs; that was one of the last steps that was keeping us from competing with the Ivy Leagues. Expect our rank to increase.

    4. Re:Miami University, of Oxford, Ohio by Anonymous Coward · · Score: 0

      rank in what? what exactly are you measuring? the average income of students?

      let's see some actual statistics, as in number of patents, journal publications, prominence of professors & researchers, etc.

      not some bullshit pulled out of some rag sold on a newsstand.

      comparing Miami to an Ivy League is... quite hilarious, I must say.

    5. Re:Miami University, of Oxford, Ohio by mattwarden · · Score: 1

      comparing Miami to an Ivy League is... quite hilarious, I must say.

      That part was a joke. Humor is one of the things some people learn in college, if not beforehand.

  8. All eyes towards the mighty CIS degree by michaeltoe · · Score: 3, Funny

    Three cheers for Business School's retarded cousin.

    1. Re:All eyes towards the mighty CIS degree by glimmy · · Score: 2, Funny

      It's still better than a degree in communications

    2. Re:All eyes towards the mighty CIS degree by Anonymous Coward · · Score: 0

      Troll.

      I have a CIS degree, and I certainly don't make personal information available through web servers without the necessary authentication mechanisms. If SSNs are required in the application, they will not be made available through the frontend.

  9. Pop your collar! by Anonymous Coward · · Score: 0

    Muck Fiami!

  10. is this a fark post? by dAzED1 · · Score: 4, Funny

    Miami University...in Oxford...Ohio.

    Met a girl from Miami that went to Oxford, and didn't like the song "Ohio." Seems a little less obscure, too. Yet, this school has 21,000 students? I mean...that's more than the real Oxford...the one that's not in Ohio, but has students from Miami...

    1. Re:is this a fark post? by Anonymous Coward · · Score: 0

      Reading the submitter's summary of the story made my head explode. It was choppy and contained repeat information. Slashdot "editors", wake up.

      Oh right, you're too busy counting your shares of penny stock from your parent company to see if you can afford to go to McDonalds for lunch next week.

    2. Re:is this a fark post? by Anonymous Coward · · Score: 0

      ahh, you sound like you are proud of your ignorance

      let me be the first to say (at least in this thread) that you are a fucking idiot

      people like you should be killed for the greater cause

    3. Re:is this a fark post? by Anonymous Coward · · Score: 0

      lol you are mad (and violently threatening at that) because he didn't praise your shitty obscure upper class white male preppy school?

      hold my hand, things will be alrite

    4. Re:is this a fark post? by Anonymous Coward · · Score: 0

      lol you are mad (and violently threatening at that) because he didn't praise your shitty obscure preppy school?

      hold my hand, things will be alrite. dont cry

  11. now that they've had their data exposed... by KillShill · · Score: 4, Interesting

    the university will refund their tuition for the year.

    that's what i would expect at a minimum. on top of other punishment for letting it happen in the first place.

    this only reinforces the notion i have that there is absolutely no privacy. once your data is in someone else's hands (and all your data does in fact belong to them) you can kiss your privacy goodbye.

    there is no recourse whatsoever. you cannot even sue them or ask for damages.

    your personal data is obviously worth something to sell to third party "warehouses" but when they expose your data to the whole world, at that point it ceases to be worth anything...

    --
    Science : Proprietary , Knowledge : Open Source

    1. Re:now that they've had their data exposed... by iansmith · · Score: 2, Insightful

      From a customer standpoint, "give everyone a free year" sounds great.

      But that would put almost any business OUT of business.

      I have no idea what the profit margin for them is.. but even if 25% of their income is pure profit, giving out a free year means they will make zero profit for four years.

      What would be more realistic is to give back everyone a year's PROFIT on their tuition. That way the school's expenses are covered, teachers get paid, etc.

    2. Re:now that they've had their data exposed... by Pakaran2 · · Score: 1

      I thought that universities, being tax-exempt, aren't legally allowed to make a profit in the first place (or, rather, to distribute it to owners).

    3. Re:now that they've had their data exposed... by Ironsides · · Score: 1

      From a customer standpoint, "give everyone a free year" sounds great. But that would put almost any business OUT of business. I have no idea what the profit margin for them is.. but even if 25% of their income is pure profit, giving out a free year means they will make zero profit for four years. What would be more realistic is to give back everyone a year's PROFIT on their tuition. That way the school's expenses are covered, teachers get paid, etc.

      Most (if not all) universities and colleges take a loss every year. It is made up by donations/grants/contributions/other from Alumni, parents, businesses and rich individuals (either while alive, in their will or in memorial of someone else).

      To find out who generally has given $$$ look at the names of the school's buildings.

      --
      Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars

    4. Re:now that they've had their data exposed... by bobbuck · · Score: 3, Interesting

      "there is no recourse whatsoever. you cannot even sue them or ask for damages."

      Why couldn't you sue them if you can prove damages? There's no liability exemption for universities. I know the courts get some well deserved bad press but we're not in Cuba.

    5. Re:now that they've had their data exposed... by rob_squared · · Score: 1

      I'm sure my university is poor. After all, my president only made $500,000,000 as an annual salery.

      Oh, and they're increasing tuition as well.

      --
      I don't get it.

    6. Re:now that they've had their data exposed... by Ironsides · · Score: 1

      I'm sure my university is poor. After all, my president only made $500,000,000 as an annual salery. Oh, and they're increasing tuition as well.

      You're off by a couple of zeros. His salary is $500,000. Not, $500,000,000.

      As for that being "a lot", consider that the president's main job is to raise money for a university. The more successful he is at it, the better off the college is. Best way I can say is to look at how well he has been doing as a fund raiser for the school. Your university still needs money from donations to help keep costs down, otherwise you'd see your tuition going up much more. (Try finding a list/total of what he's raised in the past year, your school should have one.)

      That said, a 42% increase over 4 years is a lot.

      As for your tuition increase? It's only 4.9%. That's not much, most schools have a yearly increase that is higher. At 29,000 students that $500k comes out to $17.25 per student. It's not a big chunk of your tuition either.

      --
      Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
    7. Re:now that they've had their data exposed... by RollingThunder · · Score: 0, Offtopic

      You may want to sign up for remdial math and english, considering your salary figure was off by a factor of 1000, and salary has no "e" in it.

    8. Re:now that they've had their data exposed... by RollingThunder · · Score: 1

      And naturally, I fall prey to the rule that any posting picking on another's spelling contains a spelling error or typo. I meant "remedial".

    9. Re:now that they've had their data exposed... by Shano · · Score: 1

      Many universities (such as my own) do have liability exemptions in the contract you undoubtedly signed without reading when you started.

      There is, of course, no legal backing to this, and you're entitled to sue if you want. The university, on the other hand, have no legal requirement to retain you as a student, and can revoke any qualifications if they so wish.

      Whether they would actually do this is questionable, and probably depends on how much of a fuss you make.

    10. Re:now that they've had their data exposed... by ifwm · · Score: 1

      What damages? What can someone do with grades?

      As far as SSN's, be serious. I can get those, you can get those, hell, anyone who wants them can get them easily enough.

      This is much ado about nothing.

    11. Re:now that they've had their data exposed... by Anonymous Coward · · Score: 0

      Whoops, thanks for catching that one.

  12. Another Security issue by declan69 · · Score: 2, Informative

    Binghamton University in NY, just announced this week that 404 student names and ss numbers, as long as other sensitive data was unsecured for months, it was only after a relative of a student pointed it out was the problem fixed...just in case you guys didn't know

    1. Re:Another Security issue by Frogbert · · Score: 3, Funny

      It was later found out to be a misspelt url that was causing the problem.

  13. Easily solved with software by Andrew+Lenahan · · Score: 2, Insightful

    This got me thinking. Email spammers and other naughty types run web bots to scour web sites for email addresses and similar personal information. How hard could it be to write software to search one's own web server for lists of SSNs or whatever, and alert a webmaster so it can be quickly taken down? Doesn't sound like it would be particularly difficult at all. A quick search utility to parse publicly-accessible pages could save a lot of bad publicity later, as happened in this case.

    --
    Andrew Lenahan http://www.starblind.com/
    1. Re:Easily solved with software by Anonymous Coward · · Score: 0

      Probably not.

      In most cases, we would not be dealing with actual text files, but with database queries that are inadequately protected against unauthorized access.

      Scanning for SSNs in plaintext files would only help complete fucking morons (and I'm not saying there aren't some of those). Properly securing your database, authenticating access, etc, requires, well, the sort of skill and knowledge you'd expect any web or DB admin should have.

      Automated scans can help with security, but they're no substitute for competence.

    2. Re:Easily solved with software by kesuki · · Score: 1

      A quick search utility

      I think you meant a 'Web' Robot.

      http://www.robotstxt.org/wc/faq.html

      programmed correctly you can even assign the robot a login/pass to default to when asked :) and make sure the robot can search even those pages for info that shouldn't be available on the web that easily.
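
The self-audit proposed at the top of this thread (sweep your own public web root and flag files that contain lists of SSN-shaped values), as an added example that is not part of any comment or of any tool named on the page. The threshold of 5 hits, the 5 MB read limit and the sample files are assumptions constructed for illustration; as the first reply points out, a sweep like this only sees static files, not data exposed through database queries.

```python
"""Sweep a web document root for static files that look like lists of SSNs."""
import os
import re
import tempfile

# SSN-shaped token: 3-2-4 digits. The separator ('-', ' ' or none) must be the
# same in both positions; look-arounds keep it from matching inside longer
# digit runs such as phone or card numbers.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

MAX_BYTES = 5 * 1024 * 1024  # assumption: read at most 5 MB of each file
THRESHOLD = 5                # assumption: 5+ distinct plausible hits = a list


def plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 9xx, group 00, or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def count_ssns(text, allow_bare=False):
    """Count distinct plausible SSN-shaped values in text.

    Bare 9-digit runs are ignored unless allow_bare is set, because ordinary
    9-digit student IDs would otherwise flood the report.
    """
    seen = set()
    for match in SSN_RE.finditer(text):
        area, sep, group, serial = match.groups()
        if sep == "" and not allow_bare:
            continue
        if plausible_ssn(area, group, serial):
            seen.add(area + group + serial)
    return len(seen)


def scan_docroot(root, threshold=THRESHOLD):
    """Return sorted [(relative_path, hits)] for files at or over threshold.

    Only counts are reported, so the scan output never becomes a second
    copy of the sensitive values.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(MAX_BYTES)
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            hits = count_ssns(raw.decode("latin-1"))  # latin-1 never fails
            if hits >= threshold:
                findings.append((os.path.relpath(path, root), hits))
    return sorted(findings)


def build_sample_docroot(root):
    """Constructed sample data: a forgotten grade report and a benign page."""
    old = os.path.join(root, "faculty", "old")
    os.makedirs(old)
    rows = ["name,ssn,gpa"]
    for i in range(1, 9):
        rows.append("Student %d,123-45-%04d,3.%d" % (i, 6780 + i, i))
    with open(os.path.join(old, "grades.csv"), "w") as fh:
        fh.write("\n".join(rows))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<p>Call (513) 555-0100 or 513-555-0100. Ref 000-12-3456.</p>")


def run_demo():
    """Build the constructed docroot in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return scan_docroot(root)


if __name__ == "__main__":
    for rel_path, hits in run_demo():
        print("REVIEW %s: %d distinct SSN-shaped values" % (rel_path, hits))
```

Run on a schedule against the real document root, any non-empty result is a file for the webmaster to review and pull.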

  14. Just say 'No' to giving schools the SSN by schwit1 · · Score: 5, Insightful

    No school needs an SSN. For that matter just say no to giving it to anybody but the IRS and your financial institutions. Your doctor doesn't need it. The gas company doesn't need it. Cingular and Earthlink don't need it.

    1. Re:Just say 'No' to giving schools the SSN by alienw · · Score: 1

      Well, the university doesn't really need YOU, either.

    2. Re:Just say 'No' to giving schools the SSN by Mr.+Underbridge · · Score: 1
      Sure, so long as you have no need of credit. Ever.

      Also, it seems, some utilities. My officemate today had a situation where the f'ing gas company required it. So you can also live without heat.

      It sucks, but it's the way it is. The best you can do is reduce how often you use it. My PPO lets you request they use a dummy number, but the beauty is it's the same format as a real SSN, so when the doctor asks for your social, you give 'em the fake.

    3. Re:Just say 'No' to giving schools the SSN by Andrew+Lenahan · · Score: 2, Funny

      I have a copy of a book called "Get Even" (published sometime in the 80s, probably out of print now). Anyway, the book has Richard Nixon's actual SSN in it, which it recommends using on forms and such which demand an SSN for no good reason. I wouldn't actually do that, as it's probably some sort of federal crime or something to impersonate a deceased former president. But I imagine using the SSN of a dead relative would probably work instead. If the issue ever gets raised at school or wherever, just claim their database must be corrupt and offer to help them upgrade to FoxPro 2.6.

      --
      Andrew Lenahan http://www.starblind.com/
    4. Re:Just say 'No' to giving schools the SSN by steelfood · · Score: 4, Insightful

      I think it has something to do with financial aid, work study, etc.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    5. Re:Just say 'No' to giving schools the SSN by Pakaran2 · · Score: 1

      Actually I believe they do need it to verify loan eligibility.

    6. Re:Just say 'No' to giving schools the SSN by MagicDude · · Score: 2, Interesting

      The SSN's have to be given to your school if you want to be eligible for loans. However, it seems like the file that was left open related to just academic information like GPA and credit hours and such. What is probably the case is that the university uses students' SSNs as their university ID number, or at least they did at the time. It's fairly common practice at colleges, and only recently have legislative steps been taken to end this practice of flaunting your SSN on all your university documents. In my freshman year of college (2000-01), my student ID was my SSN and my ID card had my SSN printed on it, but during that year New York passed some legislation making it so that universities had to assign independent student ID numbers to students that were not related to SSNs, so for the 01-02 year everybody was given a new ID number and card. So back to this case, the reason the SSNs were leaked was probably that all the students had their ID number next to their name in the file which was their SSN, and it wasn't necessarily a leak of financial information.

    7. Re:Just say 'No' to giving schools the SSN by E8086 · · Score: 1

      They need it for something while you're applying (could be for loans), but you can (and should) request a student ID number for use everywhere your SSN would be used, registering for classes, meal plan, some other stuff.

      --
      F7 doesn't work, ignore spelling and grammar
    8. Re:Just say 'No' to giving schools the SSN by beaverbrother · · Score: 1

      I believe this is for financial aid.

    9. Re:Just say 'No' to giving schools the SSN by Anonymous Coward · · Score: 0

      Have you ever *tried* to enroll without your SSN?

      About 20 years back, when I was enrolling in college, I was asked for my SSN. I pointed out that under California law, it was illegal to require the SSN for this purpose.

      I was told, "Fine - you don't have to give it. But if you don't, we won't enroll you."

      Things are a bit different now. The last time I got a new card at my local library, they noted they were in the process of removing all unnecessary information from the records, including SSN.

      Then again, they may simply have been reacting against the Patriot Act.

      My current job at my department (I work for the state) is putting together a database of all the databases we have, so we know what we have, what sort of personal and confidential is on it, who authorized it, who gets that information, how they get it, how often...

      These things may be slow, but they're definitely changing, in part thanks to HICVA and California's mandatory notification laws.

    10. Re:Just say 'No' to giving schools the SSN by Third+Normal+Form · · Score: 1

      Schools need the SSN to report financial aid info to the IRS (I think on form 1098T). If you aren't getting any kind of financial aid, then yes, the school should have no need for the SSN. Also, any kind of employee relationship (staff, work study, etc.) where they pay you and issue a W-2 obviously requires an SSN.

      There are some current products from a very well known higher ed software company that still key everything on the SSN for the HR module.

    11. Re:Just say 'No' to giving schools the SSN by RGTAsheron · · Score: 0

      Two questions for you. What's a PPO and which one are you using?

    12. Re:Just say 'No' to giving schools the SSN by mattwarden · · Score: 2, Informative

      From TFA: In 2002 Miami still used Social Security numbers in some cases as an identifier for students, but it abandoned that practice soon thereafter.

    13. Re:Just say 'No' to giving schools the SSN by rob_squared · · Score: 1

      Yep, same at Northeastern. I went from freshman to graduation without them getting anything done about it. And with those scantron sheets, you had to put the SSN right on the paper otherwise they wouldn't grade it and you'd get a 0.

      --
      I don't get it.
    14. Re:Just say 'No' to giving schools the SSN by Liam+Slider · · Score: 1, Flamebait

      Yes, we should use the SSN the way it was originally intended to be used. It was never intended to be used as a form of ID. Not only that, but when it was instituted the people of the United States were assured it would never be such. And yet today....the SSN has basically been made into a form of ID, required by many unrelated government agencies...as well as private parties. It's governmental feature creep, and a damn good example of why governments should be kept weak, subservient, and on a short leash.

    15. Re:Just say 'No' to giving schools the SSN by drgonzo59 · · Score: 1
      Yes, it does. No students - no money.

      A lot of universities use SSNs as student IDs which is really retarded. Why don't they just assign everyone a 14 digit number or a shorter alphanumeric code I don't know. Probably because they don't know how to do it and won't spend the money to ask somebody else who knows.

    16. Re:Just say 'No' to giving schools the SSN by jcr · · Score: 1

      My officemate today had a situation where the f'ing gas company required it.

      Umm.. Demanded, not required. If you refuse to give it, they can't deny you service. They'll just demand an asinine deposit before they turn your gas on.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    17. Re:Just say 'No' to giving schools the SSN by that+_evil+_gleek · · Score: 1

      True, but it's misused. I just found a list of grades from 1995 that were clearly using SSN's as student ID's.
      No name or address, but still it shouldn't be there, still even. I imagine there's some stuff that one can do with
      just valid ssn's, and why is it still there 10 years later?
      It's a big name school, I won't the link, but it was very, very, easy to find. I just googled for "xxx-yy-", use first 3 numbers of school's zip for xxx, and yy is arb, and it was on the first page of hits.

    18. Re:Just say 'No' to giving schools the SSN by msblack · · Score: 1

      Schools may need your SSN to report taxable benefits, such as employee tuition reimbursement. My school switched to 9-digit ID numbers a few years back. Those 9-digit ID numbers will eventually look like SSNs after they get out of the leading zeros (00xxxxxxx) which may take several decades. Why they didn't go with 9-character to allow alpha is beyond me. The cost of losing data resulting in a reporting incident is quite costly. Why did this faculty member have access to SSNs? Why did a RETIRED faculty member have access to any confidential information? Only the admissions office "needs" that.

      --
      signature pending slashdot approval
    19. Re:Just say 'No' to giving schools the SSN by DavidD_CA · · Score: 1

      Yeah tried that. When I applied for financial aid through FAFSA's website, I made a typo and entered the wrong SSN (the field is like a PW and all you see are *****s with no confirmation).

      As a result, my school made me FAX them a copy of my actual social security card. I tried to bitch, but to no avail. It was either fax it to them or not get any financial aid.

      --
      -David
    20. Re:Just say 'No' to giving schools the SSN by Eivind · · Score: 1

      The problem is deeper. The problem is assuming that a number associated with you and given to dozens, if not hundreds of different institutions during your life is a secret, and thus for example consider knowledge of the SSN a way of authenticating people.

    21. Re:Just say 'No' to giving schools the SSN by Mr.+Underbridge · · Score: 1
      Two questions for you. What's a PPO and which one are you using?

      Preferred Provider Organization. It's a type of health care insurance, and is usually a bit better than an HMO.

    22. Re:Just say 'No' to giving schools the SSN by PhiltheeG · · Score: 1

      SSN is required for financial aid.

      SSN is also strongly requested (read: required) by federal and state entities for reporting to get funding, etc... See:

      Also many legacy systems have been in place for years (decades) keyed by SSN via decisions made in the 1970's, 1980's etc. when ID theft wasn't as prevalent nor easy as it is today. Also many colleges are getting their budgets cut either directly or indirectly by state and federal government and usually the first to go is administrative support. Actually, the college I work for gave me three weeks notice yesterday on my contract because of recent Ohio legislation. Yay...

      --
      -Phil
      Shoot questions, first ask later...
    23. Re:Just say 'No' to giving schools the SSN by Mr.+Underbridge · · Score: 1

      Unless you're my officemate, you seem to be incorrect. They would not connect him without a SSN, and he asked about myriad ways of avoiding that.

    24. Re:Just say 'No' to giving schools the SSN by midicase · · Score: 1

      Well, the university doesn't really need YOU, either.

      I was just contemplating something related to this. Most universities allow the staff to get better parking than the students. The only business model I think of where the workers get better parking than the customers.

      Maybe if University staff was not treated like royalty, then they could get heads back into their jobs.

    25. Re:Just say 'No' to giving schools the SSN by ifwm · · Score: 2, Interesting

      "A lot of universities use SSNs as student IDs which is really retarded."

      My University used to do this, but changed their policy after 2000. Their reasoning was that federal law had made it illegal to use SSNs in any form, including just part of the SSN, as identification.

      Anyway, it seems my school was ahead of the curve for once.

    26. Re:Just say 'No' to giving schools the SSN by josh_miller · · Score: 1

      Unfortunately they do - for checking credit and so forth.

    27. Re:Just say 'No' to giving schools the SSN by steelfood · · Score: 1

      This is true too. SSN's are guaranteed to be unique (though international students tend to invalidate this), and schools take the easy way out. Actually, SSN's are almost ideal for keeping track of students. If someone transfers to another school, the new school would need to be able to request information from the old school. Using anything other than the SSN would be unreliable (duplicate names and DOB, addresses change, etc.). And if the SSN is going to be the unique ID, which is true in many places, then all the other information would be superfluous for the purposes for record keeping.

      As for the data lasting for so long, well, if you ever need to go through the hiring process 20 years from now, there's a chance you'll still need to submit your transcript. Schools tend to and should keep student records for many years. After all, once the student records are gone, there's little way of proving that you'd actually graduated from the school if you've also lost your diploma. That said, it's rare that with 20 years of experience, a potential employer would ask for proof of having gone to college, but it has happened.

      Securing the information is a separate issue. I'm of the opinion that schools should treat student information as being classified. Student records are all on a completely separate network through separate computers, accessible only on a need-to-know basis. What's visible on the public network is the temporary ID that students are given (for things like ID validation and class registration). The downside to this would be that there would have to be some form of medium used to transfer student data like grades from one network to the other and then to verify that the data is the same. But, it's so much easier to just have one database that anyone and everyone can potentially access from anywhere.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    28. Re:Just say 'No' to giving schools the SSN by Just+Some+Guy · · Score: 1
      Your doctor doesn't need it.

      ...as long as you're paying cash and aren't being treated for any illness requiring health department notification. If you've got the measles, though, or paying with any insurance remotely connected to the government, then be prepared to cough up those digits (even if you're not currently choking on ladyfingers).

      --
      Dewey, what part of this looks like authorities should be involved?
    29. Re:Just say 'No' to giving schools the SSN by JimBobJoe · · Score: 1

      Actually, the college I work for gave me three weeks notice yesterday on my contract because of recent Ohio legislation.

      Which legislation was that?

    30. Re:Just say 'No' to giving schools the SSN by jcr · · Score: 1

      They would not connect him without a SSN, and he asked about myriad ways of avoiding that.

      Your officemate was apparently talking to a brain-dead clerk. Try calling their corporate counsel instead. Drop hints about religious discrimination charges, and you'll be amazed how reasonable they suddenly become.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    31. Re:Just say 'No' to giving schools the SSN by bbtom · · Score: 1

      I've never had to give my university (or my college: the University of London comprises many different colleges) my National Insurance number (our Social Security Numbers). The only people who've had access to that during my time at college have been (a) the local county government and (b) the Student Loan Company. Basically, the local government use it to assess how much loan they are going to give me and the SLC, which is a privately-run company who give students interest-free loans from the government, who actually drop the money in to my account.

      Most universities in Britain do offer what are called hardship payments or hardship loans. These are grants/loans (I've seen them from between £100 and £3,500) which are available for students who need to pay for unexpected financial needs - ie. emergency healthcare, death of family, other disasters, etc. In the case of a hardship grant, then social security details might be useful.

      --
      catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
  15. Explanation by Mr.+Underbridge · · Score: 5, Informative
    You can joke, but Miami were a group of native Americans indigenous to the midwest, including Ohio. A river in the area is also named after the tribe, and has been for hundreds of years.

    The city in Florida sprung up at the end of the 1800s, and adopted the name because they thought it meant something vaguely pleasant regarding water.

    So if anybody's ignorant, it's actually the clowns in Florida.

    1. Re:Explanation by mikes.song · · Score: 0

      I think it was a clown from the Miami area in Ohio who liked the name so much that when he founded the town in FLA, he named it Miami.

    2. Re:Explanation by kalidasa · · Score: 1

      No doubt the town was named Oxford for the same reason that the town (now city) that had then just become home to Harvard was named Cambridge - to highlight the fact that it was a university town.

    3. Re:Explanation by Guido+von+Guido · · Score: 1

      Bingo. I don't believe there was a town there before Miami was founded.

    4. Re:Explanation by mattwarden · · Score: 1

      The town was supposedly modeled after Oxford, England at the time.

    5. Re:Explanation by mrwalker · · Score: 1

      My understanding (I went to HS in Oxford and attended Miami, including the year in question) was that the city planner for Miami, FL was from Hamilton, OH (20 mins away from Oxford, OH) and named it after Miami University. Whatever, who cares.

    6. Re:Explanation by Viceice · · Score: 1

      So if anybody's ignorant, it's actually the clowns in Florida.

      Eh! Quit insulting clowns.

      Signed,

      President,
      Florida Society for Prevention of Cruelty to Clowns

      (It's a joke, Laugh!)

      --
      Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
    7. Re:Explanation by ifwm · · Score: 1

      "So if anybody's ignorant, it's actually the clowns in Florida."

      See, I would think making unnecessary remarks that disparage people is ignorant. YOU did that therefore...

  16. That fits with my experience by rsheridan6 · · Score: 3, Insightful

    Anything computer-related done by either government or schools tends to be incompetently executed and annoying, probably because when you need to deal with them, you need to deal with them - you're not a customer and if you don't like the way they do things, you can go fuck yourself. There's no reason for them to care about you, and it would be irrational for them to spend much money on giving you a better experience (well, up until the point that they get in trouble for leaking your private info on the web, that is). At least that's my theory to explain my experiences.

    --
    Don't drop the soap, Tommy!
  17. Web Administrator by clockwise_music · · Score: 1

    Whoever set up the web server should be held responsible and embarrassed in front of his parents. The parents of the students should also vote on whatever method they think is most appropriate.

    1. Re:Web Administrator by Anonymous Coward · · Score: 0

      I go to Miami and I actually talked to one of my professors about this yesterday. Turns out a retired (more like retarded) professor had these files for an as yet unexplained reason other than 'research'. That professor then put them in a folder accessible to everyone. Ergo, it is NOT the sys admin's fault, but the fault of some idiot professor.

  18. I got a plan by Anonymous Coward · · Score: 0

    Why don't they just use Windows? There would be no problems concerning information disclosure if they wouldn't meddle with open source crap.

  19. TFA from a MU Grad who Just got Notice by mikes.song · · Score: 0, Troll

    I'm a grad from MU's CSA program, and I'm not very happy right now.

    I blame the MIS students!!! Biz-kids think they can run a computer...

    And yeah, the docs included my ssn...

    I'm glad Bush passed that Bankruptcy reform

    What happens when everyone's id is stolen. Really fuck the econ, aye, you know, if you can't trust anyone id...

    TFA

    ****

    Dear Miami graduate student,

    Miami University notified all members of the University community today that a report containing the names, grades, and social security numbers of all students who were enrolled at Miami in Fall 2002 was inadvertently placed in a file accessible through the Internet. At this point we have no evidence of illegal use of this information, but we are concerned and deeply regret that because of this action private and confidential student information was exposed.

    You will find below the press release we have sent out that will give you more information about this incident.

    I want to repeat that this affects only students attending Miami in Fall 2002. There is no threat to current students who were not on campus in Fall 2002. If you were on campus in Fall 2002, you will receive by early next week from Reid Christenberry, vice president for information technology, an email message providing you with a toll-free phone number, which will be staffed by trained investigators who are experienced in dealing with privacy issues. Later you will receive similar, written notification from Miami with the toll-free phone number and additional information about actions you can take if you are concerned about possible identity theft.

    If you were on campus in Fall 2002 and do not receive an email early next week, please let us know by emailing us at privacyhelp@muohio.edu

    Again, we deeply regret that this information was made accessible. We will keep you informed of the actions we are taking to protect current students and alumni.

    Richard Nault
    Vice President for Student Affairs


    14 September 2005
    MIAMI NOTIFYING STUDENTS, ALUMNI OF PRIVACY BREACH

    OXFORD, Ohio - Miami University is notifying all students who attended Miami during the fall 2002 semester that a report containing their names, Social Security numbers and grades had been inadvertently placed in a file accessible through the Internet. University officials said that at this point they have no evidence of illegal use of the information, which included data on the 21,762 students enrolled on all Miami campuses in fall 2002. No other students were affected. Officials say the information was in an isolated area of the university's network, in a file assigned to a now-retired faculty member, and thus avoided detection until this week when an alumna told Miami she had discovered the file after entering her name in a search engine.

    "Nevertheless, private and confidential information was exposed, and we deeply regret the incident. We have removed the file and are writing the students and alumni to apologize. We also are taking steps to rectify the problem and to avoid a similar instance in the future," said J. Reid Christenberry, Miami's vice president for information technology.

    The university is writing a letter to all those affected, many of whom have now graduated, directing them to a toll-free number that will be staffed by trained investigators who are experienced in dealing with privacy issues. Miami has established a web page, www.muohio.edu/privacyhelp, with additional information. Individuals who want to contact the university about the situation can use a special email address, privacyhelp@muohio.edu, or call Miami at (513) 529-0438.

    "We are doing all we can to reach those whose information was included and to guide them through actions to reduce risk," said Christenberry. The report was a standard grade

    1. Re:TFA from a MU Grad who Just got Notice by shancock · · Score: 5, Informative

      Before you start blaming every CS student maybe you should read the full explanation on their site, which among other things says:

      "On Monday, September 12, 2005, Miami University became aware that a grade report from the Fall 2002 semester had been unwittingly placed by a now-retired faculty member into a file that was accessible via the Internet."

      Note the 'retired faculty member'. Not a student or a hacker.

      This seems like a common problem, how does one protect against appending sensitive information from a protected document into an ordinary text or non-sensitive file? Is there a technology out there that can mark the data so it cannot be copied into another file even though it is accessible to some? Apparently the 'now retired faculty member' had access to the file. Probably used cut and paste to embed it into a file he/she could access from home/laptop etc. We had lots of problems like this at government locations I worked at.

      I understand your anger but this does not seem to be a malicious act, it appears to be an honest screw up and is not like the stupidity of Citibank sending their files via un-encrypted tapes by UPS.

      The school seems to be handling this OK.

    2. Re:TFA from a MU Grad who Just got Notice by mikes.song · · Score: 0

      You say, "Note the 'retired faculty member'. Not a student or a hacker."

      Is that retired as in the way that former FEMA director Michael Brown is now retired? I don't think he retired. I think he was fired. And, if I had to guess, when the person at Miami was holding all those SSN's, I hope he was on the pay roll. Retired today? What about yesterday?

      I'm a CSA grad, and I dig that department. It's in the school of engineering and applied sciences.

      My jab was at the management in information dept, inside the business school. They are the ones responsible for this. That's a different dept, different building, and a different school than the school of engineering. A building that I only took one class in. My jab was aimed at the slashdot post like this the one that says More Students Prefer Interdisciplinary to CS. Those students should not be hired to do technical work. Those professors should not be given computers to host sensitive info on. I think if you are dealing with people's SSNs on live-and-networked computers, then it should be an engineer, not a business professional, that is handling the info. If you want someone to do serious work with computers, then don't hire someone from the business department.

    3. Re:TFA from a MU Grad who Just got Notice by mattwarden · · Score: 1

      I blame the MIS students!!! Biz-kids think they can run a computer...

      And yeah, the docs included my ssn...

      I'm glad Bush passed that Bankruptcy reform

      What happens when everyone's id is stolen. Really fuck the econ, aye, you know, if you can't trust anyone id...

      Dude, you're an alumnus from here at Miami who was in the CSA department?

      I knew I should have been a Waste Management major instead of SAN.

      Anyway, from TFA, it wasn't "Biz Kidzzzzz" who exposed the data, but a now-retired professor in the Business Department. The incompetence resides in Miami's IT for letting people who shouldn't be expected to be overly technical have that much ability to expose critical information.

    4. Re:TFA from a MU Grad who Just got Notice by mattwarden · · Score: 1

      Is that retired as in the way that former FEMA director Michael Brown is now retired? I don't think he retired. I think he was fired. And, if I had to guess, when the person at Miami was holding all those SSN's, I hope he was on the pay roll. Retired today? What about yesterday?

      RTFA. He has been retired for a while.

    5. Re:TFA from a MU Grad who Just got Notice by shancock · · Score: 1

      Yes, I found the expression 'recently retired' very funny. I immediately assumed that whomever it was was fired. Maybe this was not the first time but that this incident was revealed as a result of past indiscretions? Who knows. It is spin speak.

      I think that with schools placing so much in adjunct faculty, cut backs and general lack of financial support from our governments, we can expect many non-professionals doing tasks that they did not have to do in the past.

      I think this is a systemic breakdown within our Universities and schools in general. So I agree with you that students should not be hired to do technical work. I just don't think the blame for this should be on their heads.

    6. Re:TFA from a MU Grad who Just got Notice by patternjuggler · · Score: 1

      I understand your anger but this does not seem to be a malicious act, it appears to be an honest screw up

      I have no problem with harsh punishments for honest screwups, if the consequences of the screwups are great. If the consequences are really great (like massive loss of life and/or extraordinary dollar loss) then I support throwing people in jail or even capital punishment even when the people intended no wrong (of course, if they did intend harm then the punishment should be much more extreme). In the case of potential losses, it gets a little gray- but I still want to create very strong incentives for others not to repeat those mistakes.

    7. Re:TFA from a MU Grad who Just got Notice by mikes.song · · Score: 0

      Anyway, from TFA, it wasn't "Biz Kidzzzzz" who exposed the data, but a now-retired professor in the Business Department.

      That was slang to a point. It's a juvenile act to be so irresponsible with important data. The problem seems to be a big one.

      The incompetence resides in Miami's IT for letting people who shouldn't be expected to be overly technical have that much ability to expose critical information.

      You may not realize it, but every student and professor has many ways they can post data to the Internet. You must be a first year SAN student if you haven't figured out that you get a public web drive on your 'M' drive. It's the one labeled 'www,' in case you have trouble finding it. This link will set it up for you. You also have the Unixgen server that you can use. So, are you saying that, at a university, where everyone gets access to powerful tools, that professors should be restricted from using them?

      Q: You know what we call first year SAN or CSA students?
      A: Pre-business Majors!

      Good luck on your degree.

    8. Re:TFA from a MU Grad who Just got Notice by JBHarris · · Score: 1

      Yes, this technology exists.

      When they use it to secure the newest 50-cent song, that DRM is horrible stuff.

      When they use it to protect your SSN, it is the greatest thing in years.

      But since we all use Linux here on slashdot, getting efficient DRM in place to force this type of security is ridiculously difficult.

    9. Re:TFA from a MU Grad who Just got Notice by Iaughter · · Score: 1
      This seems like a common problem, how does one protect against appending sensitive information from a protected document into an ordinary text or non-sensitive file? Is there a technology out there that can mark the data so it can not be copied into another file even though it is accessible to some. Apparently the 'now retired faculty member' had access to the file. Probably used cut and paste to embed it into a file he/she could access from home/laptop etc. We had lots of problems like this at government locations I worked at.

      "Marking data so it can not be copied into another file" is the wrong way to think about this issue. That's a Microsoft approach.

      The problem was that the format was a text file and that the only way the faculty member had access to the data was by being emailed to him/her from the dean.

      A data modeling/analysis program or custom web interface that allows authorized people (where the correct people are authorized) is the solution to this problem. This professor didn't want a text file of every student's information. S/he probably wanted something like a comparison of GPA's between different campus organized by majors, or something like that.

      The problem wasn't that there wasn't enough meta-data and a required file reader restricting a user to what they can do with their data, but rather that a Dean wanted a person to have access to certain data and the only way to give it was to send a text file over.

      The need for true-to-life authorization & useful data analysis tools are what caused this problem.

    10. Re:TFA from a MU Grad who Just got Notice by mattwarden · · Score: 1

      I'm a senior, thanks. My GPA is such that I can guarantee that it is at least as high as yours was, if we want to compare sticks. And you kind of just proved my point by describing how easy it is to post private information. So, what was your point?

  20. hahah by urbster1 · · Score: 0

    PWND!!!

  21. web admins or any kind of admins in schools by Anonymous Coward · · Score: 0

    usually the tech people working for universities really really don't know what they're doing. at least this is so in my university (somewhere in the midwest).
    they're so clueless, it's scary..
    the way they fix things is to restart and hope the problem won't appear again. It's not windows servers what I'm talking about.
    also, on windows production server, they had icq, msn and all kind of crap installed including adware.
    accounts that access lots of your information are not too carefully guarded and almost anybody working there could get your social security, bank accounts, bank guarantee letter (for I20 letters), grades, even password for their web interface...
    scary stuff

    1. Re:web admins or any kind of admins in schools by Anonymous Coward · · Score: 0

      Why don't you mention the U?

  22. Yeah, well what were the permissions on that file? by Assassin+bug · · Score: 1

    ...and how was it being used? Was the file being used by admissions? Did anyone with access to the file have write permission? And does this mean that anyone in that class of students could have easily changed their records? Yes, this is a breach of privacy, but it might have also been an opportunity for some unethical clod.

  23. BAM! by metalligoth · · Score: 2, Funny

    It's the Future of Rock & Roll!

    1. Re:BAM! by mikes.song · · Score: 0

      One of the best stations in the country...

      Give it a listen.

      The station got bought out, so they only 'cast on the web, but it rocks!

      WOXY

      Oxford, Cincinnati, Dayton, the world...

      The Future of Rock & Roll!

  24. I go to school there.... by Anonymous Coward · · Score: 1, Informative

    I am a sophomore at Miami (and yes we were a university before Florida was a state). Frankly it doesn't come as a surprise, IT around here is nothing to brag about. Although making /. that's what really got me...

    A campus wide email was sent out...looking a bit like this:
    "Dear Miami student,

    Miami University is notifying all members of the University community today that a report containing the names, grades, and social security numbers of all students who were enrolled at Miami in Fall 2002 was inadvertently placed in a file accessible through the Internet. At this point we have no evidence of illegal use of this information, but we are concerned and deeply regret that because of this action private and confidential student information was exposed.

    You will find below the press release we are sending out that will give you more information about this incident.

    I want to repeat that this affects only students attending Miami in Fall 2002. There is no threat to current students who were not on campus in Fall 2002. If you were on campus in Fall 2002, you will receive by early next week from Reid Christenberry, vice president for information technology, an email message providing you with a toll-free phone number, which will be staffed by trained investigators who are experienced in dealing with privacy issues. Later you will receive similar, written notification from Miami with the toll-free phone number and additional information about actions you can take if you are concerned about possible identity theft.

    Again, we deeply regret that this information was made accessible. We will keep you informed of the actions we are taking to protect current students and alumni.

    Richard Nault
    Vice President for Student Affairs"

    1. Re:I go to school there.... by mattwarden · · Score: 1

      I and at least one other person also submitted the story to /. It's a huge breach of privacy (almost 22,000 students!), and I'm not surprised at all to see that many people submitted the story.

    2. Re:I go to school there.... by sweep71 · · Score: 1

      IT around here is nothing to brag about
      Neither are the students.

      Why is this not the fault of the professional who posted this information? Do you not want to go that direction because he was an academic and therefore unaccountable for his stupidity? Do you blame Ford for all the drunk driving accidents out there because they provided the vehicle? Technology is now a part of an academic's professional life whether they like it or not. It is time for them to understand how to use it. Stop squawking for admins to babysit supposedly intelligent people who have the capability to understand technology but are too lazy or arrogant to do so.

    3. Re:I go to school there.... by Anonymous Coward · · Score: 0

      Neither are the students.

      Wholeheartedly agreed.

      And you're right, it is the fault of the supposed "professionals"...my statement was mostly referring to other experiences I've had.

  25. And then they got the vote! by MichaelPenne · · Score: 1


    Ba dum dum:-).

  26. My SSN is stolen - I can't party anymore! by drgonzo59 · · Score: 0, Troll
    If you knew MU Oxford, you wouldn't ask that question. That place is a joke - a party school, and I am sure that extends to their IT. By the way, they are credited to have started a lot of fraternities and sororities in this country. Just that should answer your question.

    It is basically one of those colleges that wants to look like an Ivy League school but it is just a one big glorified party, where rich parents can send their spoiled kids to study business and literature.

    By the way, I still don't get their name. It is not in the freakin' Miami and certainly not anywhere near (geographically and academically) U of Oxford, England.

    1. Re:My SSN is stolen - I can't party anymore! by Locke03 · · Score: 5, Informative

      It's named after the Miami tribe of Native Americans who used to live in the area. I go there, and yeah it's a joke. I'm just there because it's somewhere close while I decide where I want to really go. Wasn't always like that though, and to all the Miami Florida people, Miami U was a school before Florida was a state.

      Peace

      P.S.
      yay, my first post!!

      --
      I don't care what you're doing so much as the idiotic way you're doing it.
    2. Re:My SSN is stolen - I can't party anymore! by Anonymous Coward · · Score: 0

      Or maybe you're just bitter because our business school kicks ass.

    3. Re:My SSN is stolen - I can't party anymore! by drgonzo59 · · Score: 1

      I am not bitter at all. I am sorry your personal info was given away by an ex-chair of your university. You are the one who should be bitter...

    4. Re:My SSN is stolen - I can't party anymore! by mikes.song · · Score: 0

      It's the 66th best school in the nation. That is the 23rd best public school in the nation. And, no, the parties there suck.

    5. Re:My SSN is stolen - I can't party anymore! by bladesjester · · Score: 1

      Yes, you just have to love J Crew U, home of some of the most obnoxious college students that I have ever met.

      --
      Everything I need to know I learned by killing smart people and eating their brains.
    6. Re:My SSN is stolen - I can't party anymore! by Anonymous Coward · · Score: 1, Funny

      Business school? HAHAHAHAHAHAHAHAHAHAHAHAH *wipes a tear from my eye* Arguing about which business school is better is like arguing which tastes better, dog shit, or cat shit.

    7. Re:My SSN is stolen - I can't party anymore! by djtannir · · Score: 1
      Interesting, that you know so much about the school's reputation as a "party school" yet don't know anything about namesake tribes and rivers of the school. The school is not top-tier, but often listed as a best value by Kiplinger's. Something I wouldn't expect spoiled rich kids or their parents to care about.

      http://www.kiplinger.com/personalfinance/tools/colleges/pubcollege.php?sortby=INRANK03&orderby=flip&states%5B%5D=OH&myschool%5B%5D=Miami+University&outputby=table

    8. Re:My SSN is stolen - I can't party anymore! by drgonzo59 · · Score: 1
      The point was that the name is a little confusing. Anyone who is not from the area and hears about "I go to Miami, Oxford" always replies with "Huh? Is that Florida or England?".

      Yes, Miami was a name of a local tribe and Oxford, well, I hope you know where they got that one...

    9. Re:My SSN is stolen - I can't party anymore! by djtannir · · Score: 1

      I have a sneaking suspicion we know each other. Did you attend Miami? Did I ram you with a stick scooter jousting? If so, look me up. I still got the old IM. I'm now at Iowa too if you want to find my email there. Interestingly enough, if this is you, I tried to look you up but your real name is so damn common there's no way I could find you.

    10. Re:My SSN is stolen - I can't party anymore! by drgonzo59 · · Score: 1
      Sorry, I don't think we know each other. I know about Miami because I live in the area and have many friends that go and went to Miami. I have been on campus probably more than 10 times - I do like the ice-cream shop there, it is very good! But never been scooter jousting, which sounds like fun.

      Yeah, there are plenty of dr. gonzo's out there, you can thank the late H.S. Thompson that ...

    11. Re:My SSN is stolen - I can't party anymore! by manual_overide · · Score: 1

      It's in the Great Miami River valley, and named after the Miami indian tribe. The sports mascot used to be called the 'Redskins', but they changed to the 'Redhawks' because they were scared of a lawsuit, even though they had the full endorsement of the Miami indian tribe to use 'Redskins'

      They call themselves the Harvard of Ohio (hahaha) and try to put off a stuffy private school image, even though they are a public school. My younger brother is studying Zoology there, but thankfully he makes fun of the J Crew pink polo with a popped collar type.

      --
      If bad puns were like deli meat, this would be the wurst
    12. Re:My SSN is stolen - I can't party anymore! by lowrydr310 · · Score: 1
      The first thing I thought when I read the headline is WTF is Miami University of Oxford, OH? I thought it was one of those silly "buy your degree online" schools until I read more of the /. discussion and realized it is a real, legitimate college and to be honest I was surprised to see so many slashdot readers who have attended or at least know a lot about it.

      That's nothing though - there's a California University of Pennsylvania located in the wonderful town of California, Pennsylvania. It is a legitimate college, however the name is very misleading. They're neither California University nor the University of Pennsylvania.

      I think the biggest joke has to be the University of Maryland University College. It's not named after a city in another state, but is it a University or a College? Is it affiliated with the University of Maryland? Why does 'University' appear twice in its name?

      "Where did you go to school?"

      "I went to the Stanford College University of Arizona University College of Texas University College, in Montana"

    13. Re:My SSN is stolen - I can't party anymore! by PhilipMckrack · · Score: 1

      They did produce Big Ben Roethlisberger, the current Steelers quarterback.

    14. Re:My SSN is stolen - I can't party anymore! by Gonarat · · Score: 1

      That's okay. You can transfer from California University (of Pennsylvania) to Indiana University (of Pennsylvania) and never leave the state of Pennsylvania. You can also go to Notre Dame and never visit Indiana -- Notre Dame College of Ohio that is. Pennsylvania and Ohio love to give their Colleges and Universities confusing names.

      --
      Beware of Sleestak
    15. Re:My SSN is stolen - I can't party anymore! by StudlyDego73 · · Score: 1

      You can transfer from California University (of Pennsylvania) to Indiana University (of Pennsylvania) and never leave the state of Pennsylvania.

      That's because us Pennsylvanians rule! I'd say 1/4 to half of my graduating high school class went to IUP (not me though, thank God). But then again, what does my town know? They worship a groundhog every February 2nd.

    16. Re:My SSN is stolen - I can't party anymore! by PsiPsiStar · · Score: 1

      It's been said before, but I'll say it again.

      "Miami was a college before Florida was a state."

      The college's name wasn't confusing when the name was given.

      Miami, Florida is named after the Miami river valley in Ohio, which is also Miami University of Ohio's namesake.

      --

      ___
      It's the end of my comment as I know it and I feel fine.
    17. Re:My SSN is stolen - I can't party anymore! by kundor · · Score: 1

      Ok, as a Miami student, I have to say that the business school is everything that's wrong with this place.

      The CS department actually isn't too bad, faculty-wise; the student body is much less informed than at, say, Case Western, but the professors are knowledgeable and the classes are offered. I have no problems with the CS department - but it is annoying when other, completely worthless departments like business take all the funding and impose dumbed-down classes on us when they send their students into our department.

    18. Re:My SSN is stolen - I can't party anymore! by ebichete · · Score: 1

      Miami University in Oxford, Ohio (Amusing ...)

      We all love to pour scorn (or other suitable liquid) on Floridians, but I just have to point out that
      Oxford was a university *before the colonies rebelled*

      "Europe. Yeah, Europe. Where the history comes from."

    19. Re:My SSN is stolen - I can't party anymore! by Merin · · Score: 1

      Miami is also famous for somehow stumbling across a genius and actually hiring him: William Holmes McGuffey author of the McGuffey Readers.

      It was nice to receive an email today telling me that I'm one of the lucky ones to possibly be affected by this. They tell me that I can be advised as to what to do and how I can check to see if I've been damaged. My thought is this: It's been 3 years. If someone copied my information then they have my information for good and nothing short of changing my name, SSN, address, and family relationships will do much to change that.

      But it's nice to know the campus who charges you $50 for misinterpreting their parking pass zones can make large mistakes and hope you'll forgive them.

      Or at least the person who is pretending to be you is willing to let bygones be bygones.

      *waves to Kundor*

  27. Re:Yeah, well what were the permissions on that fi by mikes.song · · Score: 0

    Yeah, well what were the permissions on that file

    chmod 777 ssnFile

  28. Simple Solution by Kizzle · · Score: 2, Funny

    Sue the hell out of the person who discovered the security hole. That will show em.

  29. In the end, can be a good thing too by powerline22 · · Score: 2, Interesting

    Last year, UConn, my college, had a privacy breach where lots of SSN's were leaked. This year, they've made a committee to figure out ways in which they can remove SSN's from as many internal processes as possible.

    Last year, a student's ID was their SSN. Now, it's an ID assigned by our PeopleSoft system. If I forget my ID at, oh say, the campus book store *shudder*, they can't look it up w/ my social. Like I said, good things can sometimes come out of these events.

    1. Re:In the end, can be a good thing too by Adam9 · · Score: 1

      Yep, Miami also switched a few years ago. We use Banner IDs from our SCT Banner system.

    2. Re:In the end, can be a good thing too by Anonymous Coward · · Score: 0

      This year, they've made a committee to figure out ways in which they can remove SSN's from as many internal processes as possible.

      It only takes ONE to be breached. Of course, the more there are, one could assume the more that could be breached. Of course the root of the problem is not using SSNs but the misuse of the place where they are and unless you can fix that, any place with a list of SSNs is a problem. People are recognizing that lists of SSNs can be hacked and the answer seems to be to not use them instead of protecting the ones that do use them. Makes sense but then comes back my circular reference to it only takes one place to be hacked. So is it really that effective to reduce the use or should you completely remove the use of SSNs on a network reachable by the public?

    3. Re:In the end, can be a good thing too by mikes.song · · Score: 1, Informative

      Yep, and they switched way before 2002, but they still took students' SSNs. In fact, the Banner IDs are generated from people's SSNs. If that file had both SSNs and Banner IDs, then everyone's SSNs could be at risk. The Banner IDs are used for everything. If you have 21,000 SSNs and 21,000 Banner IDs, then you (ok maybe not you, but I) can easily figure out the algo that is used to generate them. Or, if you have a job as a student working at the lab that does the school's web system, you may have access to that algo. Anyway, once you have the algo, you can find the Banner IDs any and everywhere. Put two and two together, and you know what happens.

    4. Re:In the end, can be a good thing too by Ironsides · · Score: 1

      Last year, UConn, my college, had a privacy breach where lots of SSN's were leaked. This year, they've made a committee to figure out ways in which they can remove SSN's from as many internal processes as possible. Last year, a student's ID was their SSN. Now, it's an ID assigned by our peoplesoft system. If i forget my ID at, oh say, the campus book store *shudder*, they can't look it up w/ my social. Like I said, good things can sometimes come out of these event

      At UHA (uni of hartford, right near you guys), where I went to undergrad, changed 2 years ago over to a random id. what took you guys?

      Side note, housing assignment lottery numbers were posted on a wall in one large list. With it sorted by SSN# (yes, they publicly showed the SSN, but no name or anything else, still stupid). Did you guys have anything like that?

      --
      Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
    5. Re:In the end, can be a good thing too by zuzzabuzz · · Score: 1

      four?

      --
      -buzz
    6. Re:In the end, can be a good thing too by ToadMan8 · · Score: 1

      No. According to the office of the Registrar the numbers are sequential by class. When a new batch of first-year students (Freshman and transfers and the like) enroll they get one number after the last. It'd be stupid to connect them to SSNs. Why would you think that?

      --
      I haven't posted in so long, my sig is out of date.
    7. Re:In the end, can be a good thing too by mikes.song · · Score: 0

      Why would you think that?

      Because people familiar with the system, during my Junior year there, told me that's how it works. It was the professor that, without giving out his ID, it was a professor that I thought would have direct knowledge.

      It seems that if they used sequential numbers, they could've done that from the start.

      It seems that a reason for generating them from SSN's would so that everyone in every school would have unique ID's. And, if they ever had to reconstruct that data, it would be easy.

      If you have all these databases, different ones in different depts, each with SSN's in them, and you want to make them all Banner Id's, then you would want to have some algo that would take one number and pop out the other.

      Well, after some work online, I found some stuff of interest.

      This Excel sheet shows every data field in the banner system at MU, and (well the new alum system they are building, but it shows which ones relate) this powerpoint slide show gives some insight. The PIDM seems to be the number that is generated from the SSN. A quote from the slide show is "When an institution has a student originally built in DARS, and also existing in Banner, the institution can write a script to populate the PIDM in stu_master," and I guess that is what my professor was talking about. I think that PIDM might be your plus id, or banner id, but who knows...

      The person in the registrar's office might be correct, but some ID is generated by the SSN to tie the two together. My source knew all the right people to have the information that I gave on here, but oh, how the stories will change. Anyway, I was able to find way too much info on the Miami websites.

      People should realize that when they put something in the www or htdocs folder, that it will be public.

  30. Re:Yeah, well what were the permissions on that fi by Assassin+bug · · Score: 1

    Color me sudo...

  31. 3 years ?! by E8086 · · Score: 1

    Just because it was on a webserver doesn't mean it was easy to find. Unless you're a concerned student who searches for your name and the first group or two of your SSN.

    Restrict what's in your webspace!
    What I'd be concerned about is did the "now retired faculty member" know the directory where they put the file was on a public server or was the file put there and then someone did a chmod 755 on the dir, possibly after they retired by the replacement who didn't know any better. The school I'm at has school.edu/dept/whatevertheywant I know some departments use it for public and private storage, yes bad idea, with password protected files&dirs. If the same happened there it's possible someone made a location public without checking the contents of all the sub dirs. I've heard of this happening too many times, schools need to have clearly labeled dedicated internal network storage and separate webspace. Once they start getting mixed up there's the chance a file will accidentally get copied or moved to the wrong place for all to see. The problem is "public" and "private" are too close when listed alphabetically. If those labels are used it's too easy for someone using a windows interface to accidentally drag&drop something to the wrong location when it looks like:
    ~admissions_office
    lunch_menus
    office_supplies
    private
    public
    schedules
    warez(maybe not)

    --
    F7 doesn't work, ignore spelling and grammar
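
An added illustration of the comment above (not part of the original post, and not any university's tooling): a Python audit that walks a web-served directory and reports files holding many SSN-shaped values, giving counts only and never the values. The directory layout, file names and sample numbers are constructed for the example.

```python
import os
import re
import stat
import tempfile

# SSN-shaped token: 123-45-6789 or nine bare digits, not part of a longer
# digit/hyphen run (which excludes phone numbers and ZIP+4 codes).
SSN_RE = re.compile(r"(?<![\d-])(?:\d{3}-\d{2}-\d{4}|\d{9})(?![\d-])")


def count_ssn_like(text):
    """Count tokens that are SSN-shaped and pass the SSA structural rules.

    Area 000, 666 and 900-999, group 00 and serial 0000 are never issued,
    so dropping them removes many false positives (order numbers, padding).
    """
    hits = 0
    for m in SSN_RE.finditer(text):
        digits = m.group(0).replace("-", "")
        area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
        if area in (0, 666) or area >= 900 or group == 0 or serial == 0:
            continue
        hits += 1
    return hits


def audit_docroot(root, threshold=5, max_bytes=5_000_000):
    """Return files under `root` with at least `threshold` SSN-like tokens.

    Each finding carries the relative path, the hit count and whether the
    "other" read bit is set. The mode bit is reported, not used as a filter:
    a file that is only owner- or group-readable is still served if the web
    server runs as that owner or group.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = count_ssn_like(fh.read(max_bytes))
            except OSError:
                continue  # unreadable by the auditing user
            if hits >= threshold:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "hits": hits,
                    "world_readable": bool(st.st_mode & stat.S_IROTH),
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_docroot(base):
    """Create a small constructed web root for the demonstration."""
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "reports"))
    os.makedirs(os.path.join(root, "private"))

    def write(rel, body, mode):
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)

    # Ordinary page with a phone number: must not be flagged.
    write("index.html", "<p>Call 513-555-0100</p>\n", 0o644)
    # Constructed roster, world-readable: the kind of file in the story.
    roster = "".join(
        f"Student {i},{100 + i:03d}-{10 + i:02d}-{1000 + i:04d},3.{i % 10}\n"
        for i in range(20)
    )
    write(os.path.join("reports", "fall_roster.txt"), roster, 0o644)
    # Constructed backup with undashed numbers, owner-only but inside webspace.
    backup = "".join(
        f"{200 + i:03d}{30 + i:02d}{2000 + i:04d},name{i}\n" for i in range(8)
    )
    write(os.path.join("private", "backup.csv"), backup, 0o600)
    # Mostly structurally invalid numbers: stays below the threshold.
    write("orders.txt", "ref 987-65-4321\nref 000-12-3456\nid 234-56-7890\n", 0o644)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_docroot(build_sample_docroot(tmp)):
            print(finding)
```
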
    1. Re:3 years ?! by Adam9 · · Score: 1

      The server where the file was stored was meant to be public. It ended up on that server instead of the private one by mistake.

    2. Re:3 years ?! by E8086 · · Score: 1

      or so the cover story says

      --
      F7 doesn't work, ignore spelling and grammar
    3. Re:3 years ?! by Otter · · Score: 1

      The part that seems absurd to me is that a single professor had access to data for every student. You can't fully control what an individual does with a file, but why on earth should he have had such broad access in the first place?

  32. Wow by XMetal2001 · · Score: 0, Offtopic

    Alright, My school is famous now! Quite a surprise when I saw Miami on Slashdot. Sadly it's just an embarrassment. But yea, we are a relatively big school considering that a lot of people haven't heard of us. Basically from what I heard prior to coming here we are known for being extremely preppy and having an endless supply of beautiful ladies :)

    1. Re:Wow by arthax0r · · Score: 0, Offtopic

      In Ohio? Are you kidding me? The armpit of the mid-west? The only hot things there are the coney-dogs and asphalt.

    2. Re:Wow by mattwarden · · Score: 1

      No, actually he's right. I know that I don't even realize how beautiful the women are here until I leave MU for a while (e.g., the summers) and come back. We're pretty spoiled, but I'm okay with it.

    3. Re:Wow by ashooner · · Score: 3, Insightful

      To SW Ohio's defense:

      Carmen Electra and Sarah Jessica Parker are from there I think.

      and Miami girls are just an example of what happens when 3 or 4 generations of rich people marry the most beautiful women they can afford. Standard upper class breeding.

      --
      They Are Night Zombies!! They Are Neighbors!! They Have Come Back from the Dead!! Ahhhh!
    4. Re:Wow by Anonymous Coward · · Score: 0

      Carmen Electra would be hot if it weren't for those goddamned plastic tits.

      Oh, and it would help if she didn't apply her makeup with a trowel.

    5. Re:Wow by Anonymous Coward · · Score: 0

      ...and justin's mom. HOTNESS.

      M.A.R.S... it's where we're going...

  33. SchoolMAX SchoolHAX by niteskunk · · Score: 4, Informative

    Over the Summer, my school's district replaced their old SIS (Student Information System) with "SchoolMAX", designed by Maximus. After talking to a guidance counselor regarding schedule modifications, I noticed her log in to the new system - I noticed it required 4 credentials, one which the counselor left blank, and I made a mental note to Google the name of the system for more info on it for curiosity sake. The counselor printed me my new schedule, right from the web page. Sweet, thanks for doing the work for me - the URL was on the bottom of the sheet. I got home, hopped on the web, and keyed in the URL. The credentials required were school district, operator ID, password, and screen ID. Screen ID was what the counselor had left blank, so I was down to 3. I figured school district would be available online - a quick Google search confirmed this, and I was down to 2 fields remaining. There doesn't seem to be any real security on the site, and I predict a simple brute force or something more practical such as social engineering would enable anyone to an entire district worth of information.

    1. Re:SchoolMAX SchoolHAX by Suchetha · · Score: 2, Funny

      By posting this information you have violated the Digital Millennium Copyright Act (DMCA). Please stand outside your house and the Copyright Enforcement Agents will be there to pick you up.

      Thank you
      SchoolMAX

      --

      learn from yesterday, plan for tomorrow, party tonight
      or one out of three ain't bad
  34. Yup by Anonymous Coward · · Score: 0

    A former student googled for his/her name and it found the file.

    1. Re:Yup by djmurdoch · · Score: 1

      I wonder if it's still there in the Google cache? What about all the other search engines? What about the Wayback Machine?

  35. A little background on MU. by hardcorey · · Score: 0

    Interesting to know. I've got many friends that go to Miami University up in Oxford, OH. For those not in the know, it is a division 1 school, and just a little bit north of Cincinnati, OH. The city Oxford, OH is just a college city. Lovely campus, though the students have a general stigma of being uptight and preppy. I'd say 90% or more are upper-middle class white kids. Their official website is www.muohio.edu.

    --
    I have bad karma :(
    1. Re:A little background on MU. by Anonymous Coward · · Score: 0

      and this is pertinent to the article how?

  36. Miami University is in by SaDan · · Score: 1

    Oxford, OH.

    Strangely enough, I grew up not far from Oxford, OH. Funny to see this place mentioned on Slashdot. Even more hilarious to see it on Slashdot due to the actions of some irresponsible people!

  37. business opportunity? by nielkosh · · Score: 1

    It seems to me that there is an opening in the market here for a reliable intermediate service that attracts clients (universities, hospitals, firms) by outsourcing the privacy issue and attracts users (students, patients, et cetera) by putting a high premium on security. Coupled with lobbying for legislation on this issue, and there is a possible business opportunity. Certainly as a user I would prefer ONE widely respected (and carefully monitored) service to have my information, and allow other vendors only to know the id number of my account with the respected service (and validate that authorization by letting the service know to whom I had granted this information). Or, is there something like this?

  38. Why does everyone tag everything with your SSN? by Anonymous Coward · · Score: 2, Interesting

    I understand that it is the easy thing to do but with all the compromises of data recently it seems that the inconvenience of unique numbers for different institutions would be a valid approach. Data theft is like gambling. In Vegas you can't lose what you don't bet. On the web you can't have data compromised if you don't put it on the network.

  39. Get used to it by Ogemaniac · · Score: 3, Insightful

    In contrast to most /. types, I have pretty much given up on "privacy" in this sense. We live in a world that is becoming more and more connected and wired every day. Within that context, it becomes more and more possible for people to obtain information about one another. Perhaps we should be thinking more about how to embrace this reality rather than fruitlessly attempting to resist it. Just a thought...

    1. Re:Get used to it by All+Names+Have+Been · · Score: 1

      I agree 100%. Just send me your name, last three addresses, your SSN, date of birth and your mother's maiden name. Then I'll do the same.

    2. Re:Get used to it by Anonymous Coward · · Score: 0

      One strategy would be to have more information about yourself than anybody else. Sounds simple but how many people are alerted every time their credit is checked (or a credit line opened in their name)?

    3. Re:Get used to it by Anonymous Coward · · Score: 0

      Ditto, I'm sure this kind of thing happens all the time where I work. It's sort of like the file sharing thing. The genie is out of the bottle and has been for a long time. You can spend all your time trying to squeeze the genie back into the bottle, an impossible task, or you can work on ways to minimize the damage the genie can cause while potentially asking for a wish or two.

    4. Re:Get used to it by cr0sh · · Score: 1
      I will "get used to it", as you say, when I see the personal and private information of some high ranking government officials announced to the world (that, or they get their credit and life f'd up so bad from identity theft) - and they simply go "meh, what can be done?" and they bear it like all of us.

      Fat lot of that ever happening. If that ever happened, shit would change so fast it would make your head spin. Actually, I wonder if it hasn't already happened, but to preserve status-quo for those with the power, they just hunted down the forger and had him/her killed and dumped in the ocean.

      The problem isn't so much privacy or lack of privacy - it is privacy or lack of privacy only for the vast majority of people, but for those at "the top" of the ladder, they don't get bothered. This isn't right, this isn't how a democratic representative government is supposed to behave (if that is what we are anymore - something tells me that is a sham being fed to the public piecemeal to keep them happy, and we are actually in a corporate oligarchy that has taken over quietly using the government as a puppet regime and figurehead for the populace)...

      --
      Reason is the Path to God - Anon
  40. The Question is... by Nikkos · · Score: 2, Insightful


    How many schools have info like this (or worse) posted on some forgotten webpage?

    Maybe the IT departments of schools should look into hiring quality people for their systems instead of leaving it up to educators with no real-life experience or student staff that rotate every semester.

    1. Re:The Question is... by Anonymous Coward · · Score: 0

      obviously you've never tried to tell a faculty or grizzled staff member at a small liberal arts university that.

      educators treat IT like any other service-oriented department on campus. we're the info custodians there to clean their messes and fix things when they break, not to give them, who hold "Phds", advice. especially if it means "taking away" unrestricted access to things like web servers.

      seriously. we've told our faculty/staff that there are major security issues that could be easily corrected by making small adjustments like instituting best practices with web server permissions and password policies and they don't even want to hear it.

    2. Re:The Question is... by REBloomfield · · Score: 1
      Yes, hire IT people to trawl through every file in a University's webspace, and check whether it should be there or not.... Do you have any idea how big the average Uni's web space is? And how little of it actually means anything to the average IT guy? Quantum physics isn't my thing....

      Bloody kneejerk slashbot morons....

    3. Re:The Question is... by Darth_Burrito · · Score: 1

      The fundamental problem is that faculty and staff are the ones who actually need access to the data, not IT personnel. Once this group gets access to the data, the cat is out of the bag. There is no controlling what they do with it and this is not a tech savy or data responsible group of people.

    4. Re:The Question is... by Nikkos · · Score: 1

      Sorry sir, you're the kneejerker.

      I didn't say anything about trawling through the webspace. Although I'd wager that if you knew YOUR personal info was on some forgotten webpage, you'd want it found. My post was about the quality of help to begin with.

      And it doesn't take a fucking rocket scientist to tell the difference between a list of names/SSNs and a term paper about holographic theory.

      Stupid slashdot boob, RTFP!

    5. Re:The Question is... by Nikkos · · Score: 1

      The professors and students don't need access to the University's compilation of names, grades, and SSNs. The profs have their own lists for the classes they teach, and the students don't need to see each other's grades.

      Sure, Let them have their webspace, just have a couple of experienced IT guys around to work for the main offices.

    6. Re:The Question is... by Anonymous Coward · · Score: 0

      just have a couple of experienced IT guys around to work for the main offices.

      I am unsure what you mean by this. Are you saying that there should be just a few people per department? Maybe 2 techs for every 3 profs?

      The answer to this is that in places like this, there already are a "few" but these people are usually underpaid and busy chasing/fixing other messes that are constantly being created by people who should be smart enough to figure these things out on their own. I mean, don't these people "value education" above all else? Why not take a few freaking classes on using the technology that they use as part of their job? Let's also talk about the funding that technology gets and where it goes. Does the limited budget go to trying to upgrade servers and infrastructure or to internet babysitters?

  41. Actually it is in Missouri by with_him · · Score: 1

    You know their motto ... it is the "Show Me" state!

  42. Why humiliate them? by CyricZ · · Score: 1

    I agree, perhaps public humiliation would be best in this case. While it won't physically harm the individual(s) responsible for this lapse, it will discipline them and it will provide an example for others. Perhaps the best form of humiliation would be genital exposure. Make these people walk around the campus for a day, penis hanging out.

    --
    Cyric Zndovzny at your service.
    1. Re:Why humiliate them? by bladesjester · · Score: 1

      That wouldn't be a punishment at Miami Oxford. He'd most likely get a stack of phone numbers...

      --
      Everything I need to know I learned by killing smart people and eating their brains.
    2. Re:Why humiliate them? by Perl-Pusher · · Score: 1
      Remember Columbine? So what happens when the student kills themself or others because of intense humiliation and the resulting bullying?

      While it won't physically harm the individual(s) responsible for this lapse, it will discipline them and it will provide an example for others.

      Sounds exactly like something the coach in my high school would say. He was convicted of abusing his son.

    3. Re:Why humiliate them? by CyricZ · · Score: 1

      As a Brit, I know very little about your American party schools. Are you suggesting that this fellow would have his penis pulled on by young male students, that is, were he to be punished by the public exhibition of his genitalia?

      --
      Cyric Zndovzny at your service.
    4. Re:Why humiliate them? by CyricZ · · Score: 1

      You obviously failed to read the article. It was not a student who did this. It was a retired professor. I'd hardly believe that a retired professor would pull a Columbine-style stunt.

      And I'm sorry that your father abused you, if that is what you were suggesting.

      --
      Cyric Zndovzny at your service.
    5. Re:Why humiliate them? by bladesjester · · Score: 1

      No, I'm saying that the female students there tend to be *really* easy...

      --
      Everything I need to know I learned by killing smart people and eating their brains.
    6. Re:Why humiliate them? by CyricZ · · Score: 1

      Are some of them even willing to take three to four cocks up the anus concurrently?

      --
      Cyric Zndovzny at your service.
    7. Re:Why humiliate them? by PakProtector · · Score: 2, Funny
      Are some of them even willing to take three to four cocks up the anus concurrently?

      I say, sirruh, we Americans may on average be large assholes, but that is a bit much, don't you think?

      --

      Edward@Tomato - /home/Edward/ man woman
      man: no entry for woman in the manual.
      "Qua!?"

    8. Re:Why humiliate them? by CyricZ · · Score: 1

      No, I'm serious. Can these women drink 15 or 16 litres of sperm in a single night?

      --
      Cyric Zndovzny at your service.
    9. Re:Why humiliate them? by lloydtesterman · · Score: 1

      no, this is America! We don't have litres.....

    10. Re:Why humiliate them? by CyricZ · · Score: 1

      Well, then convert litres to hogshead or whatever your American unit of volume is. Can the girls at that school gulp that much man pudding?

      --
      Cyric Zndovzny at your service.
    11. Re:Why humiliate them? by Anonymous Coward · · Score: 0

      CyricZ, you seem intent on an answer to this question, so let's put it this way: American college women can drink approximately 50% of the volume of human male ejaculate that your mom can consume.

      A staggering amount, to be sure. If you need more quantifiable data, please feel free to consult your mom.

    12. Re:Why humiliate them? by Perl-Pusher · · Score: 1
      I wasn't suggesting that, I knew had the teacher, his arrest was not surprising.

      I'd hardly believe that a retired professor would pull a Columbine-style stunt.

      It happens in work environments too. It's called fragging in the military. It's also called going postal. Public humiliation is a stupid way of discipline whether it's a student or a professor shouldn't be an issue, they are both people.

    13. Re:Why humiliate them? by CyricZ · · Score: 1

      My mom died in 1964. So unless you've measured her semen consumption abilities by fucking her rotted carcass, I would have to assume that she can no longer gulp man spunk. As it would appear, American women are quite inept at cum guzzling, assuming your statistics are correct.

      --
      Cyric Zndovzny at your service.
  43. probably happens all the time by Chris+Snook · · Score: 4, Interesting

    A lot of universities have not-well-advertised public ftp servers that are used for transferring large files, generally with scripts that scrub things that have been around for more than a day to avoid turning into warez servers. I know of one multi-campus institution where an employee at one campus and their counterpart at another campus agreed to use this method to transfer a list of all currently enrolled students at one of the campuses. This included phone numbers, addresses, and student ID numbers, which were mostly SSNs, because that was the default and most students didn't know to ask for a different ID number. Once the transfer was complete and they discovered they could not delete files from this server, they called support, and it was gone in under 5 minutes. They'd already had it drilled into their heads how bad it would be if such a list got out, but no procedure for securely transferring very large files had been established, and they did not have the technical expertise to establish one themselves.

    I imagine this happens a lot, especially at research institutions whose scientists need to be able to receive large amounts of data from collaborators without having to set up accounts for them.

    --
    There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
    1. Re:probably happens all the time by Anonymous Coward · · Score: 0

      At my university, there are literally hundreds, maybe more than a thousand, people who have access to this kind of information. A large chunk of them are barely-know-how-to-use-access types. An even larger chunk of them use web based reports and are barely-know-how-to-use-a-web-browser types. Still even more people have access to the same data via an ancient (until recently telnet) command line application. The only difference is that it is quite a bit harder to get lots and lots of records. Still others have human-proxy access to it (make me a report with...).

      Anyway, with so many people having access, I'm fairly certain that my university is constantly hemorrhaging private data.

    2. Re:probably happens all the time by Anonymous Coward · · Score: 0

      Well, yes, it does happen all the time, or at any rate it happened at my university. Hi, I'm your security nightmare, a dippy humanities academic working in a job that requires me to do some admin work as well -- maintaining our department's web site, among other things. My sole qualification for this is knowing a little html, and my university, like many others, is riddled with people like me. We're reasonably smart, but what we know about computer security could be fit neatly onto half a postage stamp.

      This spring there was a big scandal when enterprising students discovered sensitive data on the college server -- put there by an administrator who didn't know better -- and access to the server was shut down while IT decided what to do. Eventually all the web site maintainers had to reapply for access under new security regulations -- but I was surprised when all I had to do was read over a security policy and click an "I agree" button. The security policy, like a lot of security policies, was a mass of technical language that I understood (I think) because I lurk on Slashdot, but that would be incomprehensible to someone who, for example, knows four or five ancient languages but nothing about computers. (Yes, such people exist: at universities we are hired for the ancient-languages thing and do web sites on the side, figuring things out as we go.)

      Under ideal circumstances, I suppose people like me wouldn't have access to public servers at all, but since we do, it's a little surprising that even after the scandal there was no provision for training whatsoever. Everything I know about computer security I've learned here.

  44. The pyramid in my school... by Browzer · · Score: 0

    The computer-illiterate bureaucrat who runs the show hires IT consultants to design and implement any major projects, an old-school geek is the senior sysadmin, and recent college graduates do the dirty work.

  45. Free identity theft monitoring by GAATTC · · Score: 5, Funny

    For free identity theft monitoring, please send your name, social security number, birth date, credit card numbers with expiration dates, and address to protectmyidentity@gmail.com. We will take care of your credit record for you and guarantee that you will never have to worry about your good credit record ever again.

  46. 1974 Privacy Act by Anonymous Coward · · Score: 3, Informative

    You must give your SSN to Federal, State, and Local governments only when there is a law that requires it. The act also says the government agency MUST inform you at the time of collection whether giving your SSN is required or optional, cite the law that requires it, and explain what happens if you don't give it.

    If you do not see a privacy act notice on government paperwork, then don't give your SSN. It's hard to say no, and many govt workers are completely ignorant of the law, but you've got to take a stand.

    Non-government entities can ask you for your SSN for any reason or no reason, but you don't have to give it to them. If a company says they have to have it, be prepared to take your business elsewhere.

    So, is Miami of Ohio a government entity? Many universities are because they are state funded or created by an act of state law or constitution. If so, demand that privacy act notice. If not, take your money somewhere else.

    I doubt any school would deny you admission because you refuse to give your ssn. What do they do for the foreign students?

    You'll never know what you can do without giving out (your SSN) until you stop giving in.

    Things I've done without giving out my SSN: got real phone service, got satellite TV, been to the doctor/hospital, got medical insurance, got internet service, got married. Yeah sure, I wasn't able to get that extra 10% off at Pier One by signing up for a credit card. So what!

    1. Re:1974 Privacy Act by Anonymous Coward · · Score: 0

      Also, universities are required by that law to allow you to change your SSN for their record-keeping purposes.

      I did it at mine. The woman doing the change wasn't quite sure how to go about it -- apparently she hadn't done it for anybody in years. Just goes to show how rarely this fact is remembered...

      I eventually did get it changed however, and it was a good decision given that my professors sometimes handed out attendance sheets on which we were supposed to write our names, SSNs, and our school-specific ID value.

      Oh, and a TA in the math dept. the school later posted about 60 persons' records online (this did not affect me thankfully). Our instance didn't get Slashdot front-page headlines though...

  47. Ummm.. Midwest? by Anonymous Coward · · Score: 0

    Ohio is in the northeast you idiot. It's the armpit of the northeast.

    1. Re:Ummm.. Midwest? by kundor · · Score: 1

      Ohio is very much in the Midwest. This terminology dates from back when the Mississippi was the western border of the nation. Past the Mississippi is just the West.

      The Midwest, for future reference, consists of Ohio, Indiana, Illinois, Michigan, and Wisconsin.

  48. They sent us an Email... by AvoidTheNoid · · Score: 1, Informative

    Dear Miami student,

    Miami University is notifying all members of the University community today that a report containing the names, grades, and social security numbers of all students who were enrolled at Miami in Fall 2002 was inadvertently placed in a file accessible through the Internet. At this point we have no evidence of illegal use of this information, but we are concerned and deeply regret that because of this action private and confidential student information was exposed.

    You will find below the press release we are sending out that will give you more information about this incident.

    I want to repeat that this affects only students attending Miami in Fall 2002. There is no threat to current students who were not on campus in Fall 2002. If you were on campus in Fall 2002, you will receive by early next week from Reid Christenberry, vice president for information technology, an email message providing you with a toll-free phone number, which will be staffed by trained investigators who are experienced in dealing with privacy issues. Later you will receive similar, written notification from Miami with the toll-free phone number and additional information about actions you can take if you are concerned about possible identity theft.

    If you were on campus in Fall 2002 and do not receive an email early next week, please let us know by emailing us at <<removed>>

    Again, we deeply regret that this information was made accessible. We will keep you informed of the actions we are taking to protect current students and alumni.

    Richard Nault
    Vice President for Student Affairs

    Yeah, that makes me feel better.

  49. Re:STUPID FUCKING AMERICANS by mattwarden · · Score: 1, Troll

    For being French, you speak wonderful English.

  50. The dangers of global digital access... by (Score+5,+Flamebait) · · Score: 1

    The funny thing about this is that it wouldn't have *mattered* 20 years ago. We live in a different world now, and it's going to take a while for people to understand it.

    Think about the stereotypical absent-minded professor. Someone gives him a file of students' academic info, and like everything else, he misplaces it.

    Okay -- 20 years ago, worst case scenario: the file is left out in plain view on his desk in an unlocked office, and a student nicks it. The student shows his friends, word gets out, and the student gets in trouble. Some students are upset about the privacy violation.

    Now fast-forward to today, and the same innocuous, absent-minded professor can misplace a file and cause a DISASTER. Surprise, the whole world can see it! Nobody needed to break into his office, nobody needed to even enter the school, and they can get the file, just because he mixed up the X: drive (teacher fileserv) with the W: drive (public webserver), or something like that.

    I'm no Luddite -- heck, I'm a web developer, and I'm the first to say that the benefits of the internet are incredible -- but it's a dangerous and powerful tool that doesn't get the respect it deserves... most users out there are kinda like teenagers learning to drive tractor trailers. Or it's like everyone's using these new ballpoint pens that also shoot out a lethal dart if you twist the handle.

    1. Re:The dangers of global digital access... by Anonymous Coward · · Score: 0

      Or it's like everyone's using these new ballpoint pens that also shoot out a lethal dart if you twist the handle.

      ROTFLMAO..yeah, and they keep looking down the barrel of the pen while twisting...dumbasses...

    2. Re:The dangers of global digital access... by cbiltcliffe · · Score: 1
      Nobody needed to break into his office, nobody needed to even enter the school, and they can get the file, just because he mixed up the X: drive (teacher fileserv) with the W: drive (public webserver), or something like that.


      Simple solution: No regular faculty should have write access to webspace.
      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    3. Re:The dangers of global digital access... by belarm314 · · Score: 1

      As far as I'm aware, it's very common to allocate public web space to each faculty member and student at a university. I'd imagine the web space the prof. shared this on was his own. And, working in the IT department of a university, I can tell you with certainty that you don't want a department like mine approving all of the content you decide to post.

      That said, however, regular audits of publicly available information would be a good thing. Recursive searches for patterns matching SSNs or other ID#s would be a great idea.

      In fact, I think I have some code to write...

      --
      When moderating, assume I have not yet had my coffee.
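
The recursive audit belarm314 describes above could look like the following sketch. It is an added example, not code from the thread or from any university; the function names, the 5 MiB size cap and the sample files (all constructed, none real records) are assumptions made for illustration.

```python
import os
import re
import tempfile

# Dashed (123-45-6789) or bare nine digits; the backreference \2 requires
# both separators to agree, and the lookarounds reject longer digit runs.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})(-?)(\d{2})\2(\d{4})(?![\d-])")
CONTEXT_RE = re.compile(r"\bssn\b|social\s+security", re.IGNORECASE)
MAX_BYTES = 5 * 1024 * 1024  # assumption: skip anything larger than 5 MiB


def plausible_ssn(area, group, serial):
    """Structural check: area 000, 666 and 9xx, group 00 and serial 0000
    are never issued as SSNs."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan_text(text):
    """Return [(line_no, masked_value, confidence)] for one document."""
    has_context = bool(CONTEXT_RE.search(text))
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            area, sep, group, serial = m.groups()
            if not plausible_ssn(area, group, serial):
                continue
            # Bare nine-digit runs are common (IDs, part numbers), so they
            # only rate "high" when the file also mentions SSNs.
            confidence = "high" if sep == "-" or has_context else "low"
            # Report only the last four digits so the audit log is not
            # itself a second copy of the sensitive data.
            hits.append((line_no, "***-**-" + serial, confidence))
    return hits


def scan_tree(root):
    """Walk a published directory; return {relative_path: hits}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs not followed
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, "rb") as fh:
                # latin-1 maps every byte, so odd encodings never abort the scan
                text = fh.read().decode("latin-1")
            hits = scan_text(text)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_tree(root):
    """Constructed sample web root; none of these are real records."""
    files = {
        "~prof/fall_report.txt":
            "Name,SSN,GPA\nDoe Jane,078-05-1120,3.41\nRoe Rick,219099999,2.87\n",
        "dept/contact.html":
            "<p>Office: 513-555-0100, order 000-12-3456, ref 1234567890</p>\n",
        "dept/parts.csv": "part,qty\n123456789,4\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, hits in sorted(scan_tree(root).items()):
            for line_no, masked, confidence in hits:
                print(f"{rel}:{line_no}: {masked} ({confidence})")
```

Spreadsheets, PDFs and other binary formats need text extraction before a pattern scan like this sees their contents, and "low" hits still need a human to look at the file.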
    4. Re:The dangers of global digital access... by Infinityis · · Score: 1

      Yeah, especially those faculty that teach courses on web development and server administ...ummm..err...

    5. Re:The dangers of global digital access... by ultranova · · Score: 1

      Simple solution: No regular faculty should have write access to webspace.

      Better solution: don't collect people's SSN or other personal information if you don't really need it, and if you do, don't email it to everyone and their dog. You don't need to tape everyone's mouths shut to keep a secret, just your own.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    6. Re:The dangers of global digital access... by cbiltcliffe · · Score: 1
      Yeah, especially those faculty that teach courses on web development and server administ...ummm..err...
      They're not regular faculty......
      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  51. I'd like to know... by jcr · · Score: 1

    Why does the school have the SSN's of all the students? They can't all be getting financial aid, or be employed by the school.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
    1. Re:I'd like to know... by joelsanda · · Score: 1

      Why does the school have the SSN's of all the students? They can't all be getting financial aid, or be employed by the school.

      Anything can happen at a school called "Miami University" located in Oxford, Ohio. Up until about 20 minutes I thought Miami University was in Florida, United States; and that Oxford was in England.

      It's no damn wonder they lost files! Google maps couldn't find a Miami University in Oxford, Ohio!

      --
      The Luddites were ahead of their time.
    2. Re:I'd like to know... by Vegeta99 · · Score: 1

      ID, as usual probably. My high school printed it right on your ID. My college, PSU, just changed over last year to "PSU ID" #'s.... just another fucking number to remember.

    3. Re:I'd like to know... by Gonarat · · Score: 1

      Finally. When I went to PSU in the early '80s, not only did they use your SSN as your student number, but it was published in the friggen campus phone directory. It may be another number to remember, but at least your SSN won't be plastered over every document in the future.

      --
      Beware of Sleestak
    4. Re:I'd like to know... by Vegeta99 · · Score: 1

      True, true.

      But I never really got the whole SSN freak-out craze anyway. Want to get a credit card in my name? Well, you're going to have to show them ID first because of my fraud alert. Want a photo ID in my name? You're going to have to get a copy of my birth certificate. Want my military records? They're public info anyway, go to the courthouse and ask for a copy.

  52. social security numbers??? by Anonymous Coward · · Score: 0

    What on earth are social security numbers doing in a school computer. Don't they know that since last year it has become illegal to use social security number for student identification? Man... I bet someone is going to sue the heck out of that school and for good reason.

    1. Re:social security numbers??? by Anonymous Coward · · Score: 0

      Welcome to 2002...

  53. BT? by DeafByBeheading · · Score: 3, Funny

    Anyone got the torrent?

    --
    Telltale Games: Bone, Sam and Max
  54. I'm glad I was in college in the 1980s by joelsanda · · Score: 3, Funny

    Back then we carried around sheets of paper with our information. Some used a redundancy method known as "carbon copy" - in which the user would write once and the data would be recorded in many places.

    Though I had to physically walk miles to track down professors without watches, the data was always securely stored in the back pocket of my jeans or stuffed into my backpack.

    Best of all, we relied upon social engineering security and things like locked wooden file cabinets. The security team was staffed by should-have-already-retired women who hated all people and wore too-tight pastel colored polyester blouses and shirts. But nothing got past them.

    --
    The Luddites were ahead of their time.
  55. My point by Ogemaniac · · Score: 1

    Maybe rather than trying to conceal this sort of information, we should be working to make it useless.

  56. SSNs and Universities by Anonymous Coward · · Score: 0

    I'm currently a student at the University of Maryland, and our school uses the SSN for EVERYTHING. It's absolutely sickening because the administration makes these grand claims about moving away from the SSN for student security, but to get even the most menial tasks accomplished on campus, you have to use your SSN. Worst of all, I worked with a professor on campus to inquire as to their data collection practices under the Maryland Public Information Act, and we essentially discovered that they have absolutely no data security system in place whatsoever. Our swipe cards, which are used for everything from getting into a building to buying a meal-- also contain our SSNs in the magnetic strip.

    You'd think this would be enough information to cause a massive overhaul of a woefully insecure system, right? Wrong, the school newspaper won't even print a story about it because they don't understand the inherent risk in all of this.

    http://privacyumd.blogspot.com/ to learn more about the status of this issue at UMD

  57. Re:STUPID FUCKING AMERICANS by mattwarden · · Score: 1

    Score:1, Troll

    Someone didn't get the 'excuse my french' joke.

  58. That is what I do! by drgonzo59 · · Score: 1

    What a coincidence, that is exactly what I am doing. Just send me your name, SSN, address, date of birth, mother's maiden name and I can make it all pretty useless for you ;)

  59. But not useless for you! by Ogemaniac · · Score: 1

    Which is to whom I was referring!

    1. Re:But not useless for you! by Money+for+Nothin' · · Score: 1

      So go ahead and make *your* information worthless. Just send me your name, address, and SSN and I'll be happy to help!

  60. Practically the same is by default in Sweden. by Sebastian+Jansson · · Score: 1

    In Sweden, both grades and the closest equivalent of SSN is public. Just call the school that gave out the grade and they'll tell you, just contact the right place and they'll tell you the personal number. I'd have assumed that is the case everywhere else too?

    I don't see the problem with that, really. It's not like that will give you any useful information, at best you can check if a person lied about his grade. Is the problem that it's available on the internet?

    1. Re:Practically the same is by default in Sweden. by Coeurderoy · · Score: 1

      Unfortunately, apart from the fact that not everybody wants to make the fact that they flunked XYZ 101 public, the SSN in the US is the first element of a successful ID theft program. An excellent but somewhat dated book is "data base nation". Basically in the name of convenience, and because of the federal structure of the US, identity theft is quite easy. Fixing it would probably not be that hard, on the other hand why solve a problem that creates so many jobs (in the security and jail industry).

  61. Included demographics by Trinition · · Score: 4, Funny

    The information released also included demographics. I've obtained the information and masked off the personally identifying information so I could show the sort of demographic information made available:

    ... Gender Dress ...
    ... Male, Khaki shorts, white T-shirt, ball cap
    ... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
    ... Male, Khaki shorts, white T-shirt, ball cap
    ... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
    ... Male, Khaki shorts, white T-shirt, ball cap
    ... Male, Khaki shorts, white T-shirt, ball cap
    ... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
    ... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
    ... Male, Khaki shorts, white T-shirt, ball cap
    ... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through

    (if you've been there, you'll understand)

    1. Re:Included demographics by Anonymous Coward · · Score: 0

      If you're attempting to describe what Miami University students look like, you've obviously never been here. Either that or it was a few decades since you've been here.

    2. Re:Included demographics by Trinition · · Score: 1

      Hey, it's right up 27 from me. The fashions may slowly change, but much like the buildings, the students almost all look the same. The people I knew who went there didn't blend in too well at first, but they eventually did.

      I'm not saying it's a bad thing. Conformity happens everywhere to some degree. But in colleges that are remotely located such that they are the main driving force in the local economy, there's nothing much else to do but go to class, drink at the local bars and frat houses, and, if you're lucky, find someone to take you "Cincinnati!!!".

  62. The only question is.. by Anonymous Coward · · Score: 0

    Where's the torrent?

  63. What are the chances by kilodelta · · Score: 1

    What are the odds that these schools are running SCT Banner and using IIS?

    Pretty damned good. Banner in itself is an ungainly beast, an overlay on top of an Oracle database. But they host the web components on IIS which is a guaranteed point of failure.

    I've loathed IIS and MS-SQL ever since I was exposed to LAMP. But universities decided their I.T. shops couldn't produce a good product so they got snowed by the SCT folks. Disgusting I tell you.

    1. Re:What are the chances by ToadMan8 · · Score: 1

      SCT Banner on Oracle on AIX, and it doesn't make a difference; this information came from what is basically a retired department chair's personal employee webspace, according to the article. This has nothing to do with an official information repository of any kind.

      --
      I haven't posted in so long, my sig is out of date.
  64. I wonder how many of these . . . by Ph33r+th3+g(O)at · · Score: 2, Interesting

    . . . unfortunate incidents are blown out of proportion or even engineered by the IT establishment at these colleges as a ploy for more authority and better funding. Whether or not that's the case, it'll certainly be the result.

    --
    I too have felt the cold finger of injustice.
  65. Patriot act says otherwise by gknac · · Score: 1

    To start out, I work in a security division of a credit card company. Under the Patriot Act, if a credit card company asks for your SSN you must give it to them to validate yourself as a citizen. If you don't give it to us, we can close your account. Even if you don't give it to me, I can pull it up using FastData web or Accurent using just your address or phone number, along with anyone else that has ever lived there or had that phone number. So next time you call a credit card company at least, just give it to us, we have it anyways. Stop being such a pain in my ass. And if you don't and we close your account it's your own damn fault.

    1. Re:Patriot act says otherwise by Anonymous Coward · · Score: 0

      The patriot act doesn't say anything of the sort. I dare you to find where it does. Do some research before you post. Oh and SSN's don't guarantee citizenship. Aliens, legal and illegal get real SSN's all the time. You just go down to the SSA office and sign up.

      Sounds like you need more training for your job.

    2. Re:Patriot act says otherwise by Anonymous Coward · · Score: 0

      The patriot act says that the secretary of the treasury must create regulations that require financial institutions to identify their customers. Look up the subsequent regulations in the federal register.

      "Under the proposed definition, a bank will not necessarily need to establish whether a potential customer is a U.S. citizen. The bank will have to ask each customer for a U.S. taxpayer identification number (social security number, employer identification number, or individual taxpayer identification number). If a customer cannot provide one, the bank may then accept alternative forms of identification."

    3. Re:Patriot act says otherwise by gknac · · Score: 1

      The SSN is just one of the ways we verify citizenship; people that are not real citizens have different number codes for the prefix. This is set up by the SSN admin and is very reliable, and it does say that we have the authority to close the account, as another comment below shows: "Under the proposed definition, a bank will not necessarily need to establish whether a potential customer is a U.S. citizen. The bank will have to ask each customer for a U.S. taxpayer identification number (social security number, employer identification number, or individual taxpayer identification number). If a customer cannot provide one, the bank may then accept alternative forms of identification." That gives us the authority to close the accounts if they are not citizens, but we do not have to. The reason we do this is to prevent people from out of the country getting access to one of our cards to pay for flight school or chemicals and then using it for some sort of attack. But it's quite a bit harder to verify someone with other information, as Drivers Licenses are easy to make fakes of, and what other identification is there then? No SSN, a DL that is very likely fake. Yeah, we should definitely give you a credit card as we have no idea who you are. And in order to verify someone with a DL they have to have a card already and be at a store, and we then have additional steps to verify they are really at the store. There are so many times a day that someone calls telling me that they are at a store and hands the phone off to a clerk when really it's just some guy and his buddies at a payphone outside. You should go through my training.

    4. Re:Patriot act says otherwise by Anonymous Coward · · Score: 0

      Citizenship is meaningless.

      Credit cards (Visa and MC) are available from international banks. Terrorists don't need your domestic bank to pay for flight school or chemicals.

      What are you going to do about people like Timothy McVeigh? He was a US citizen, had a social security number, a legitimate driver's license, and the desire to kill people. Nothing in the Patriot Act would have stopped him.

      Oh and what about the London bombers? They were British citizens, presumably with real documents.

      Feel safer yet?

      You aren't trying to stop terrorists my friend, you are just trying to keep your company from being defrauded. Good for you, but the fraud is actually a result of credit card companies giving instant credit.

      What about US citizens who don't have an SSN? They do exist you know. Many religions prohibit "public insurance" and borrowing money. Obviously, they wouldn't want a credit card, but they might want a bank account. What does your bank say to them when they want to open a no-interest savings account?

  66. "School"? by Maclir · · Score: 0, Offtopic

    Why does everyone refer to a University as "School"?

  67. This is what happens... by The+Spoonman · · Score: 0, Flamebait

    ...when your HR department is told "all potential candidates MUST have MCSEs!" You end up with a bunch of morons who can barely SPELL "NT", let alone administer any machines.

    --
    Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
    http://www.workorspoon.com
    1. Re:This is what happens... by ToadMan8 · · Score: 1

      ... MU is a Linux shop. In fact, we have more UNIX servers of different flavours than we have Windows servers.

      --
      I haven't posted in so long, my sig is out of date.
    2. Re:This is what happens... by The+Spoonman · · Score: 1

      You miss my point. When used as an insult, you don't have to use Windows to be an "MCSE". :)

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
  68. Wow, an endorsement by Playboy. by Anonymous Coward · · Score: 0

    "It is a good school. It also was voted by Playboy a few years in a row "

    Now that sounds really valuable... Not.

  69. Wouldn't doubt it by Anonymous Coward · · Score: 0

    I kind of doubt that these people would have thought of that.

  70. Use myspace.com to search :) by Audigy · · Score: 1

    Go to myspace.com and look for people who attended that school during the affected year. If you come up with any firstname+lastname combos (firstname in profile, lastname in comments or something - passive social engineering by observation, my favorite kind), give the ol' search skills a whirl.

    I found a few, but I think I'll leave you guys to do the detective work yourselves. >:D

    --
    [an error occured while processing this directive]
  71. Webserver Logs by Iaughter · · Score: 1
    As a web programmer for a large US university, I can easily see how this can happen. IT staff aren't the people with sensitive data. In a university this large, there are a lot of people with a business need for enrollment information and student identifiers. It's unfortunate that ssn's are the prevalent identifiers, but many institutions are moving away from ssn's because of this type of cautionary story and press coverage.

    I think it's interesting that Miami doesn't know if this data was accessed by unauthorized people.

    All they'd have to do was grep through their web server access logs and look at ips. There's a small, but important, possibility that no one ever accessed this file other than the professor. Or at least, they'd know ips for those who had accessed the file.

    Presumably, they're not keeping logs this long.
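The log check described in the comment above, sketched as an added example that is not part of the original thread. It assumes Apache combined log format; the file path `/~dept/report.txt` and every log line are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in Apache combined log format. The path, addresses
# (documentation ranges) and timestamps are made up for this example.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Mar/2003:09:14:02 -0500] "GET /~dept/report.txt HTTP/1.1" 200 48211 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [02/Jun/2004:03:40:11 -0400] "GET /~dept/report.txt HTTP/1.0" 200 48211 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.45 - - [15/Sep/2005:21:05:37 -0400] "GET /~dept/report.txt?x=1 HTTP/1.1" 200 48211 "http://www.google.com/search?q=example" "Mozilla/5.0 (X11; Linux i686)"
203.0.113.45 - - [15/Sep/2005:21:09:12 -0400] "GET /~dept/report.txt HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux i686)"
192.0.2.10 - - [16/Sep/2005:08:00:00 -0400] "GET /~dept/index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.99 - - [16/Sep/2005:08:01:00 -0400] "GET /~dept/report.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Sep/2005:08:02:00 -0400] "HEAD /~dept/report.txt HTTP/1.1" 200 - "-" "curl/7.14.0"
EOF
}

# file_accessors LOG URLPATH
# Prints one line per client that was actually sent the file:
#   <ip> <requests> <first seen> <client|crawler>
# 200/206 mean the body was delivered; 304 means the client already held a
# copy, which is still evidence of access. HEAD requests carry no body.
file_accessors() {
    awk -F'"' -v target="$2" '
    {
        split($2, req, " ")              # req[1]=method, req[2]=URL
        if (req[1] != "GET") next
        url = req[2]; sub(/\?.*/, "", url)   # ignore any query string
        if (url != target) next
        split($3, res, " ")              # res[1]=status, res[2]=bytes
        status = res[1] + 0
        if (status != 200 && status != 206 && status != 304) next
        split($1, pre, " ")              # pre[1]=client IP, pre[4]="[timestamp"
        ip = pre[1]
        if (!(ip in hits)) { order[++n] = ip; first[ip] = substr(pre[4], 2) }
        hits[ip]++
        # $6 is the User-Agent; a crawler hit means the file may be indexed.
        if (tolower($6) ~ /bot|crawl|spider|slurp/) kind[ip] = "crawler"
        else if (!(ip in kind)) kind[ip] = "client"
    }
    END {
        for (i = 1; i <= n; i++)
            print order[i], hits[order[i]], first[order[i]], kind[order[i]]
    }' "$1"
}

# Demo run over the constructed sample.
demo_log=$(mktemp)
sample_log > "$demo_log"
file_accessors "$demo_log" '/~dept/report.txt'
rm -f "$demo_log"
```

The result is only as complete as the retained logs: rotated-away periods show nothing, and a crawler line means copies may exist in search caches outside the server's view.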

    1. Re:Webserver Logs by Darth_Burrito · · Score: 1

      I believe they have evidence people accessed the information. The story I read indicated someone found it on google. However, they have no evidence of illegal use of the information (presumably identity theft or what not). Anyways, if they put it up on a public server, accessing it is not illegal, otherwise we'd have to arrest the google bot.

    2. Re:Webserver Logs by ChrisShmit · · Score: 1

      Found this on comp.os.linux.announce: ...a free Linux/Solaris server that lets you search all your log files... search and troubleshoot all of their log files...blah...blah...Apache, Jboss... http://www.splunk.com?ac=kilroy

  72. I've said it before, and by Anonymous Coward · · Score: 0

    I'll say it again:

    tar -cf - sensitivedata | \
    gpg -e -r trustedadmin@theotherplace.edu | \
    ssh myaccount@theotherplace.edu "cat > /path_to_place_trustedadmin_can_read/sensitivedata.tar.gpg"

  73. Re:Yup (nope) by ToadMan8 · · Score: 1

    It was removed and Google was informed by an automatic process to re-archive; there was no cache, but the data was searchable for the day it was found. The evening it was found it was no longer searchable. Internet Archive and the like don't archive this particular type of content.

    --
    I haven't posted in so long, my sig is out of date.
  74. For what it's worth... by Anonymous Coward · · Score: 0

    ...we here at Miami have been phasing out Social Security Numbers for some time.

    Everything now works with a "Banner number," which begins with a +0, and which no one can remember.

    However, the fact that the marketing department, of all people, is allowed to have access to all our information (as far as I'm concerned, +number is just as bad as ssn), just by asking for it is really, really disturbing.

  75. Google cache?!? by Leadhyena · · Score: 1

    I hope they did due diligence and removed all access through google cache and the wayback machine. I realise that the SSNs are already out in the wild, but it would do no one any good to have their SSN permanently available in a history cache somewhere.

    1. Re:Google cache?!? by Anonymous Coward · · Score: 0

      They did, it's gone. We searched long and hard for it *grin*

  76. I've dealt with this recently... by cr0sh · · Score: 1
    About 10+ years ago, I signed up with a company called CheckFree to allow me to do electronic bill payments. When I signed up, I was already paranoid, so I didn't give them my SSN, just a fake one. I had to give my check account # and all of that, but they didn't need a real SSN.

    Time passed, and a few years ago Quicken bought them up, and rolled their system into Quicken's bill payment system. My stuff continued to work just fine, I was happy with the service. Time passed, and I was trying to find a way to do my bills online while maintaining an electronic transaction register without requiring double entry (bad, bad thing - can cause massive problems if you screw up) - and I wanted to use this system under Linux. I looked into various products, the closest "best" product being GNUCash - but they still don't have the EFT section done (and likely never will - banks, for some reason, are loath to help them set this up, but have no problem with large companies doing it). So, I stuck with Quicken, and it was the one reason I still had a Windows system running.

    Time passed, and recently I had to get a new checking account for reasons I won't go into here - suffice to say, it was a necessary thing I had to do. I got the new account, but then when I went to set it up in Quicken, the whole process fell over. Some of my bills didn't get paid (Quicken initially covered them), I went through a long process with them. After about two weeks, here is what I found out:

    They were assuming that the ID they had on file for me was my SSN. It wasn't. They queried the bank for the account number I gave them, sent the ID number as my SSN to the bank to verify, and of course, it didn't match, so the whole thing was denied. After a few rounds of this, with them scratching their heads, I finally heard from someone who was very suspicious of what was happening - they were required by some section of the PATRIOT Act for me to give them my SSN. Mind you, this was during the same time period that many companies (like the school in the article) were having credit card accounts stolen and other ID information stolen. I told them I wasn't going to give it to them, and I had never given it to them - because oh-so-long ago I had foreseen this very situation happening, and I was going to do everything I could to prevent it from happening to me (for this reason, my health insurance company doesn't have my real SSN, either - and I use different IDs between my dentist and my doctor).

    Furthermore, I couldn't understand why they all of a sudden didn't trust my info when I could clearly show my old account was something I had with them for so long, working just fine. I guess customer loyalty means nothing anymore - what a sad situation that is. They pleaded and wheedled with me to just give them the ID, that was all they needed...

    I told them to go to hell and closed my account - I value my privacy on my ID too much. Of course, with your revelation, they probably had the means to get it anyhow (I, of course, had to give my SSN out to get my mortgage at my current address) - so how in the hell is it supposed to be secure, I don't know, if anyone with access to those systems can get it with an address. I hate this world, this world without privacy for only some (but if you have enough money and power, no one can bother you) - but couple that with the ability for nearly anyone with the time and patience to do it, and they can assume your identity and fuck your life up for years - how is this supposed to be a good thing? Grrr...

    Anyhow, I am no longer with Quicken, no longer with Checkfree - I do things the old fashioned way with a checkbook and stamps. I still use my Quicken software as a check/transaction register - but one day that will be phased out and I can drop kick Windows to the curb (well, maybe I will keep it around for some game playing or something). You know something, though? It is actually better this way...

    --
    Reason is the Path to God - Anon
  77. not at this school by Anonymous Coward · · Score: 0

    Central IT is a strongpoint here. Users are the problem, as they are everywhere. This server was run by the department, not by central IT.

    FYI Miami is a linux shop through and through. Central IT is highly trained, has upwards of 200 employees, and this is reflected by the services they offer.

    I am a recent grad, was enrolled in 2002 in the Business school, and my rather unique name was not searchable (i.e. when searching for my name only a few results ever come up, none of which were at Miami (except for one for being on the waterski team)).

    BTW, since sometime between 2002 and 2003 they stopped using SSNs and went to a random sequential number system to identify students, to keep things like this from happening. This just went down before it was widely taught against.

  78. The permissions were: by ToadMan8 · · Score: 1

    It was 755, and the file hadn't been noticed for three years; grades and records are stored in a database on secured servers somewhere. These records were a report run from that database to enable the department chair to make decisions, probably on things like class force-adds.

    --
    I haven't posted in so long, my sig is out of date.
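An audit for the failure described in the comment above (a report with sensitive columns left world-readable in web space), as an added example that is not part of the original thread. The directory layout, file names and records are constructed, and the script assumes the web server reads user web space through the "other" permission bits.

```shell
#!/bin/sh
# audit_docroot DIR
# Lists regular files under DIR that are world-readable (mode bit o+r)
# and contain a string shaped like an SSN (NNN-NN-NNNN).
# Limitation: directory traversal bits are not checked, so a hit inside a
# non-traversable directory is reported even though it is not reachable.
audit_docroot() {
    find "$1" -type f -perm -004 \
        -exec grep -lE '(^|[^0-9])[0-9]{3}-[0-9]{2}-[0-9]{4}([^0-9]|$)' {} + |
        sort
}

# lock_down DIR
# Containment only: strips all "other" access from every flagged file.
# The lasting fix is to move such reports out of the served tree.
lock_down() {
    audit_docroot "$1" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# Constructed demo tree. The records are fake; area number 000 is never
# issued, so these strings cannot be real SSNs.
build_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/public_html/reports"
    printf 'name,ssn,gpa\nDoe Jane,000-12-3456,3.41\n' \
        > "$demo_root/public_html/reports/fall.csv"
    printf 'name,ssn\nRoe Rich,000-98-7654\n' \
        > "$demo_root/public_html/reports/private.csv"
    printf 'Office phone: 513-555-0100\n' \
        > "$demo_root/public_html/index.html"
    chmod 755 "$demo_root/public_html/reports/fall.csv"     # the exposed case
    chmod 600 "$demo_root/public_html/reports/private.csv"  # owner only
    chmod 644 "$demo_root/public_html/index.html"           # public, harmless
    echo "$demo_root"
}

# Demo run: report, contain, report again.
tree=$(build_demo_tree)
echo "before:"; audit_docroot "$tree/public_html"
lock_down "$tree/public_html"
echo "after:";  audit_docroot "$tree/public_html"
rm -rf "$tree"
```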
  79. that exactly happened to me... by Anonymous Coward · · Score: 0

    a few years ago in college (whose name you'd recognize and is generally regarded very highly technically) I was googling my name and came across a document some MBA student put in the wrong place with 100's-1000's of names and SSN's... I told them and they removed it...I think it was mainly caused by a poor understanding of which filesystems were public and which were private...

    business students-- .... arithmetic underflow....

    anyway it happens everywhere...

  80. The University should be commended by solman · · Score: 2, Insightful

    There is no evidence that anybody ever used this information for unauthorized purposes. Some professor left the grade report in an exposed directory on a web server. Instead of taking the server down and forgetting about the incident (like 9 out of 10 IT departments would have) the University sent letters to all of the potentially affected parties. I don't even believe that OH has a CA style law requiring such disclosure. I commend them for their honesty.

    The suggestion that the University should have refunded $20K to all of its 2002 students because it's theoretically possible that somebody might have gotten their information is positively bizarre.

    1. Re:The University should be commended by supersheepboy · · Score: 1

      I agree. They were honest to say the least.

  81. Right on! by supersheepboy · · Score: 1

    I believe that most of the Miami girls are beautiful with or without make-up. I left Miami for summer break and realized that I sorely missed flirting with cute women.

  82. Hah! by supersheepboy · · Score: 1

    Miami is a quaint little city. Some retirees prefer to retire somewhere quiet and that's what Miami is. Just because some are rich does not imply beautiful people. The rich CAN develop a nurturing environment for kids. Just don't retire near the frats. We can be very noisy.

  83. Why professors sometimes get this information by Childe_Erik · · Score: 1

    I'm on the faculty of another small liberal arts school. I don't know why SSNs were passed around in this case, but other sensitive information is routinely shared among "officers of the college" (faculty, administrators, academic staff) for some purposes. For example, when our school evaluates candidates for Phi Beta Kappa--which, incidentally, would be my guess for how this professor had the information at Miami--quite a lot of people need to see transcript information. We also produce an anonymized version of the information for student members of the chapter. We try to secure the information carefully--keeping electronic versions protected, shredding the paper. The Miami violation is clearly egregious. I mention our circumstances to explain why professors sometimes have access to this kind of information about students.