Slashdot Mirror


Another School Exposes Private Information

DutchSter writes "In the wake of other schools announcing the theft of hardware containing sensitive student information, Miami University, of Oxford, Ohio, has announced that a file containing the name, Social Security number, the grade point average for the Fall 2002 semester, cumulative grade point average, and other related academic information, such as credit hours attempted that semester, for all 21,000 students who attended the Fall 2002 term has been available on a web server for the last three years. The discovery was made this week and the university is taking steps to deal with the fall-out sure to come."

14 of 298 comments

  1. Who are they hiring? by FatalChaos · · Score: 3, Insightful

    Who are these ppl hiring as web admins??? Why are these files even on servers connected to the net?? and hopefully first post

    1. Re:Who are they hiring? by 1000101 · · Score: 2, Insightful

      The University that I attended has all of this information online. It was accessed on the same site we used to register for classes. I can log in right now and view my overall transcript, GPA, etc. I don't think that just because it is sensitive data that it shouldn't be connected to the internet. I use online banking, investment management, etc. The issue here is the University's security, not whether or not that information should or shouldn't be online.

    2. Re:Who are they hiring? by FatalChaos · · Score: 3, Insightful

      GPA, transcript, I can see. But social security number? I mean how many times are u gonna need to know ur social security number and pull out a laptop and look it up online?

    3. Re:Who are they hiring? by globalar · · Score: 5, Insightful

      A lot of times it is not administrators who are directly doing this (i.e. it's much bigger than one person or they have no real way of knowing). Information security is far more than simply one person's job. Everyone who has access to information - even the poor grad student who does backups on Sunday nights - should be responsible in some way for security.

      It takes a lot of work to make strong, accountable policies and carefully define simple, but narrow ways of accessing information (i.e. not just dumping the student records Excel file in the share folder). For example, everyone on campus has network access which is most often directly linked to online access. If one person screws up and misuses their data access privileges by opening up information over the network, it is very hard to tell unless you have accountability in place. And how many places do security reviews?

      When it becomes part of people's jobs to protect information, it will become a responsibility. Right now, blaming one or two people is rarely a good solution. It's like someone who blames an outsourced medical transcripts worker in Pakistan for leaking information. Sure, it is their fault but the problem is much larger than one low-paid worker. Executive or peon, security is a group responsibility in information-rich, networked environments.

  2. Private information by Zouden · · Score: 5, Insightful

    I know this is a major breach of privacy/security, but I'm curious about what kinds of malicious things one could do with this information.
    It seems to me that the only useful thing is the names/SSN combination.
    Unless you could blackmail some poorly-achieving students by threatening to tell their parents their real marks?

    --
    "A week in the lab saves an hour in the library"
  3. Easily solved with software by Andrew+Lenahan · · Score: 2, Insightful

    This got me thinking. Email spammers and other naughty types run web bots to scour web sites for email addresses and similar personal information. How hard could it be to write software to search one's own web server for lists of SSNs or whatever, and alert a webmaster so it can be quickly taken down? Doesn't sound like it would be particularly difficult at all. A quick search utility to parse publicly-accessible pages could save a lot of bad publicity later, as happened in this case.

    --
    Andrew Lenahan http://www.starblind.com/
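
The self-audit proposed in the comment above, sketched as an added example that is not part of the original thread: it walks a web server's document root and flags files holding many SSN-shaped values, so an exposed grade report can be found and taken down. The function names, extension list, threshold and sample files are assumptions, and all sample data is constructed.

```python
import os
import re
import tempfile

# Dashed or space-separated SSN shape; bare 9-digit runs are skipped to limit noise.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")
TEXT_EXTS = {".txt", ".csv", ".htm", ".html", ".xml", ".json", ".log", ".tsv"}

def plausible_ssn(area, group, serial):
    """Drop values in ranges that are never issued (cuts false positives)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def count_ssns(text):
    """Count distinct plausible SSN-shaped values in a block of text."""
    return len({m.groups() for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())})

def scan_docroot(root, threshold=5, max_bytes=5_000_000):
    """Return {relative_path: hit_count} for files holding >= threshold SSN-like values."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = count_ssns(fh.read(max_bytes))
            if hits >= threshold:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    """Build a constructed document root (fake data only) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "reports"))
        rows = "\n".join(f"Student {i},{123 + i:03d}-45-{6000 + i:04d},3.2" for i in range(8))
        with open(os.path.join(root, "reports", "grades.csv"), "w") as fh:
            fh.write("name,ssn,gpa\n" + rows)
        # Phone numbers, never-issued values and order ids must not trigger a finding.
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<p>Call 513-555-0100, ref 000-12-3456, order 2002-11-0042</p>")
        return scan_docroot(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {hits} SSN-like values")
```

The threshold keeps a single stray number on a page from raising an alert; a list like the one in the story trips it immediately. Files reported by the scan should be handled as sensitive, and the report should carry paths and counts only, never the matched values.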
  4. Just say 'No' to giving schools the SSN by schwit1 · · Score: 5, Insightful

    No school needs an SSN. For that matter just say no to giving it to anybody but the IRS and your financial institutions. Your doctor doesn't need it. The gas company doesn't need it. Cingular and Earthlink don't need it.

    1. Re:Just say 'No' to giving schools the SSN by steelfood · · Score: 4, Insightful

      I think it has something to do with financial aid, work study, etc.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  5. That fits with my experience by rsheridan6 · · Score: 3, Insightful

    Anything computer-related done by either government or schools tends to be incompetently executed and annoying, probably because when you need to deal with them, you need to deal with them - you're not a customer and if you don't like the way they do things, you can go fuck yourself. There's no reason for them to care about you, and it would be irrational for them to spend much money on giving you a better experience (well, up until the point that they get in trouble for leaking your private info on the web, that is). At least that's my theory to explain my experiences.

    --
    Don't drop the soap, Tommy!
  6. Re:now that they've had their data exposed... by iansmith · · Score: 2, Insightful

    From a customer standpoint, "give everyone a free year" sounds great.

    But that would put almost any business OUT of business.

    I have no idea what the profit margin for them is.. but even if 25% of their income is pure profit, giving out a free year means they will make zero profit for four years.

    What would be more realistic is to give back everyone a year's PROFIT on their tuition. That way the school's expenses are covered, teachers get paid, etc.

  7. Get used to it by Ogemaniac · · Score: 3, Insightful

    In contrast to most /. types, I have pretty much given up on "privacy" in this sense. We live in a world that is becoming more and more connected and wired every day. Within that context, it becomes more and more possible for people to obtain information about one another. Perhaps we should be thinking more about how to embrace this reality rather than fruitlessly attempting to resist it. Just a thought...

  8. The Question is... by Nikkos · · Score: 2, Insightful


    How many schools have info like this (or worse) posted on some forgotten webpage?

    Maybe the IT departments of schools should look into hiring quality people for their systems instead of leaving it up to educators with no real-life experience or student staff that rotate every semester.

  9. Re:Wow by ashooner · · Score: 3, Insightful

    To SW Ohio's defense:

    Carmen Electra and Sarah Jessica Parker are from there I think.

    and Miami girls are just an example of what happens when 3 or 4 generations of rich people marry the most beautiful women they can afford. Standard upper class breeding.

    --
    They Are Night Zombies!! They Are Neighbors!! They Have Come Back from the Dead!! Ahhhh!
  10. The University should be commended by solman · · Score: 2, Insightful

    There is no evidence that anybody ever used this information for unauthorized purposes. Some professor left the grade report in an exposed directory on a web server. Instead of taking the server down and forgetting about the incident (like 9 out of 10 IT departments would have) the University sent letters to all of the potentially affected parties. I don't even believe that OH has a CA style law requiring such disclosure. I commend them for their honesty.

    The suggestion that the University should have refunded $20K to all of its 2002 students because it's theoretically possible that somebody might have gotten their information is positively bizarre.