Slashdot Mirror
Another School Exposes Private Information
DutchSter writes "In the wake of other schools announcing the theft of hardware containing sensitive student information, Miami University, of Oxford, Ohio, has announced that a file containing the name, Social Security number, the grade point average for the Fall 2002 semester, cumulative grade point average, and other related academic information, such as credit hours attempted that semester, for all 21,000 students who attended the Fall 2002 term has been available on a web server for the last three years. The discovery was made this week and the university is taking steps to deal with the fall-out sure to come."
The space where the data was hosted was in a public space. The problem was that the ex-chair put the private files in public space. Since then, the IT dept. responsible for the business dept. (not our central IT Services) has since made all of those files unavailable to unauthenticated users.
We were here first :P
Binghamton University in NY, just announced this week that 404 student names and ss numbers, as long as other sensative data was unsecured for months, it was only after a relative of a student pointed it out was the problem fixed...just in case you guys didn't know
The city in Florida sprung up at the end of the 1800s, and adopted the name because they thought it meant something vaguely pleasant regarding water.
So if anybody's ignorant, it's actually the clowns in Florida.
Just a bit northwest of Cincinnati.
I got some inside information on the real story...
Apparantly there's this list of all the students academic info that's sent out to all the Deans each semester. One of the Deans gave it to another professor for whatever reason and that professor accidently puts it on a public drive and forgets about it for 3 years.
Nice. Real nice.
I am a sophomore at Miami (and yes we were a university before Florida was a state). Frankly it doesn't come as a surprise, IT around here is nothing to brag about. Although making /. that's what really got me...
A campus wide email was sent out...looking a bit like this:
"Dear Miami student,
Miami University is notifying all members of the University community today that a report containing the names, grades, and social security numbers of all students who were enrolled at Miami in Fall 2002 was inadvertently placed in a file accessible through the Internet. At this point we have no evidence of illegal use of this information, but we are concerned and deeply regret that because of this action private and confidential student information was exposed.
You will find below the press release we are sending out that will give you more information about this incident.
I want to repeat that this affects only students attending Miami in Fall 2002. There is no threat to current students who were not on campus in Fall 2002. If you were on campus in Fall 2002, you will receive by early next week from Reid Christenberry, vice president for information technology, an email message providing you with a toll-free phone number, which will be staffed by trained investigators who are experienced in dealing with privacy issues. Later you will receive similar, written notification from Miami with the toll-free phone number and additional information about actions you can take if you are concerned about possible identity theft.
Again, we deeply regret that this information was made accessible. We will keep you informed of the actions we are taking to protect current students and alumni.
Richard Nault
Vice President for Student Affairs"
Over the Summer, my school's district replaced their old SIS (Student Information System) with "SchoolMAX", designed by Maximus. After talking to a guidance counselor regarding schedule modifications, I noticed her log in to the new system - I noticed it required 4 credentials, one which the counselor left blank, and I made a mental note to Google the name of the system for more info on it for curiosity sake. The counselor printed me my new schedule, right from the web page. Sweet, thanks for doing the work for me - the URL was on the bottom of the sheet. I got home, hopped on the web, and keyed in the URL. The credentials required were school district, operator ID, password, and screen ID. Screen ID was what the counselor had left blank, so I was down to 3. I figured school district would be available online - a quick Google search confirmed this, and I was down to 2 fields remaining. There doesn't seem to be any real security on the site, and I predict a simple brute force or something more practical such as social engineering would enable anyone to an entire district worth of information.
Before you start blaming every CS student maybe you should read the full explanation on their site, which among other things says:
"On Monday, September 12, 2005, Miami University became aware that a grade report from the Fall 2002 semester had been unwittingly placed by a now-retired faculty member into a file that was accessible via the Internet.
Note the 'retired faculty member'. Not a student or a hacker.
This seems like a common problem, how does one protect again appending sensitive information from a protected document into an ordinary text or non-sensitive file? Is there a technology out there that can mark the data so it can not be copied into another file even though it is accessible to some. Apparently the 'now retired faculty member' had access to the file. Probably used cut and paste to imbed it into a file he/she could access from home/laptop etc. We had lots of problems like this at government locations I worked at
I understand your anger but this does not seem to be a malicious act, it appears to be an honest screw up and is not like the stupidity of Citibank sending their files via un-encrypted tapes by UPS.
The school seems to be handling this OK.
Yep, and they switched way before 2002, but they still took students SSN's. In fact, the Banner ID's are generated from peoples SSN's. If that file had both SSN's and Banner ID's, then everyones SSN's could be at risk. The Banner ID's are used for everything. If you have 21,000 SSN's and 21,000 Banner ID's, then you (ok maybe not you, but I) can easily figure out the algo that is used to generate them. Or, if you have a job as a student working at the lab that does the schools web system, you may have access to that algo. Anyway, once you have the alog, you can find the Banner ID's any and every where. Put two and two togeather, and you know what happens.
It's named after the Miami tribe of Native Americans who used to live in the area. I go there, and yeah it's a joke. I'm just there because it's somewhere close while I decide where I want to really go. Wasn't always like that though, and to all the Miami Flordia people, Miami U was a school before Flordia was a state.
Peace
P.S.
yay, my first post!!
I don't care what youre doing so much as the idiotic way you're doing it.
From TFA: In 2002 Miami still used Social Security numbers in some cases as an identifier for students, but it abandoned that practice soon thereafter.
You must give your SSN to Federal, State, and Local governments only when there is a law that requires it. The act also says the government agency MUST inform you at the time of collection whether giving your SSN is required or optional, cite the law that requires it, and explain what happens if you don't give it.
If you do not see a privacy act notice on government paperwork, then don't give your SSN. It's hard to say no, and many govt workers are completely ignorant of the law, but you've got to take a stand.
Non-government entities can ask you for your SSN for any reason or no reason, but you don't have to give it to them. If a company says they have to have it, be prepared to take your business elsewhere.
So, is Miami of Ohio a government entity? Many universities are because they are state funded or created by an act of state law or consitution. If so, demand that privacy act notice. If not, take your money somewhere else.
I doubt any school would deny you admission because you refuse to give your ssn. What do they do for the foreign students?
You'll never know what you can do without giving out (your SSN) until you stop giving in.
Things I've done without giving out my SSN: got real phone service, got satelite TV, been to the doctor/hospital, got medical insurance, got internet service, got married. Yeah sure, I wasn't able to get that extra 10% off at Pier One by signing up for a credit card. So what!
Um, what? Just because you've never heard of us, doesn't mean we're not more respected than the other Miamis (and most schools in general). I don't have the numbers (although I'm sure someone else will quote them), but we're in the 60's as far as rank in the US, and the low twenties as far as rank among only public schools (i.e., schools in our general price range).
(Not that I care, because I don't necessarily agree with those rankings.)
Plus, we just last year had a large strike of Miami Staff, which our student body largely ignored as they rode by in their BMWs; that was one of the last steps that was keeping us from competing with the Ivy Leagues. Expect our rank to increase.
Dear Miami student,
Miami University is notifying all members of the University community today that a report containing the names, grades, and social security numbers of all students who were enrolled at Miami in Fall 2002 was inadvertently placed in a file accessible through the Internet. At this point we have no evidence of illegal use of this information, but we are concerned and deeply regret that because of this action private and confidential student information was exposed.
You will find below the press release we are sending out that will give you more information about this incident.
I want to repeat that this affects only students attending Miami in Fall 2002. There is no threat to current students who were not on campus in Fall 2002. If you were on campus in Fall 2002, you will receive by early next week from Reid Christenberry, vice president for information technology, an email message providing you with a toll-free phone number, which will be staffed by trained investigators who are experienced in dealing with privacy issues. Later you will receive similar, written notification from Miami with the toll-free phone number and additional information about actions you can take if you are concerned about possible identity theft.
If you were on campus in Fall 2002 and do not receive an email early next week, please let us know by emailing us at <<removed>>
Again, we deeply regret that this information was made accessible. We will keep you informed of the actions we are taking to protect current students and alumni.
Richard Nault
Vice President for Student Affairs
Yeah, that makes me feel better.
My university uses social security numbers as student IDs. So to view my GPA and such, I would log in with my social security number. This goes as far as writing the last 4, 6, or all digits of the SSN on exams.
You can request a random ID to be issued to you, but by the time incoming students realize that their SSN is their campuswide ID, it's pretty much too late.